quttera
Forum Replies Created
Hello, this is indeed a false positive detection that occurred due to the following lines:
$logfile = fopen( plugin_dir_path( __FILE__ ) . $log_file_name, 'rb' );
if ( ! $logfile ) {
    wp_die( 'Can\'t open log file.' );
}
header( 'Content-Type: text/plain' );
fpassthru( $logfile );
die;
This issue will be fixed in the next plugin release.
Thank you for pointing this out!
- This reply was modified 7 years, 4 months ago by James Huff.
- This reply was modified 7 years, 1 month ago by Jan Dembowski.
Forum: Plugins
In reply to: [Quttera ThreatSign – Web Malware Scanner for WordPress] interesting reply
Thank you for pointing this out.
ed1d8c7474698b20abd3435801fa2463 will be whitelisted in the next release.
Thank you for your review.
Can you please post the MD5 of the detected file and the $wp_local value? The core files information is retrieved directly from api.ww.wp.xz.cn and the plugin just compares the content of scanned directories against the received data.
You are right, this is a core file, thus we would like to investigate why this file had been detected.
Thank you for your help.
Thank you for the comment.
The internal scan is performed through the WordPress cron mechanism and uses one PHP worker for slices of 5 minutes.
If your site is blocked during the internal scan, it means that you have only one PHP worker allocated to serve HTTP requests addressed to your site.
Please check your PHP configuration and allocate one more PHP worker to serve HTTP requests.
Forum: Fixing WordPress
In reply to: My Website got hacked and automatically redirected to another site
Unfortunately, I cannot point out which exact file is infected.
As I said, you need to install any malware scanner plugin that will scan your website internally and probably locate this infection.
To access the admin dashboard you don’t need access to ww.wp.xz.cn.
The dashboard could be accessed by <domain.name>/wp-login.php
It is worth upgrading WordPress to the latest version before you start with cleanup, since the upgrade itself can overwrite infected files and the issue will be eliminated by itself.
In the worst case, after the upgrade, you will have to install a malware scanner plugin and perform a full website audit.
Forum: Fixing WordPress
In reply to: My Website got hacked and automatically redirected to another site
One more comment, the redirection URL (hxxp://cj4dsmwjx[.]gyumriserverns[.]info/) is broken and generates error 500, which means that meanwhile no ads or malware will be distributed from your site.
But you need to fix this redirection before the target link starts to work properly.
Forum: Fixing WordPress
In reply to: My Website got hacked and automatically redirected to another site
The redirection occurs due to 'http-equiv="refresh" content="0;' in the following HTML tag
<div class="content__inner">
<p><meta http-equiv="refresh" content="0; URL=http://cj4dsmwjx.gyumriserverns.info"></p>
</div>
To resolve this redirection issue you need to find and remove this tag from the generated HTML.
This infection could be present either in the backend database or in an obfuscated format in WordPress *.php files.
If you have access to the WordPress admin dashboard, try to install any of the security plugins providing an internal website scan to identify and cure this infection.
I could suggest our plugin, which performs an internal heuristic scan that could help you identify the infection.
If you don’t have access to the admin dashboard, you can dump the website content and search for suspicious things manually.
The database could be dumped using the phpmyadmin tool and the website content could be downloaded using an FTP client.
If you are going to search for this infection manually, try to find the module (php) file adding the following div to the generated HTML (<div class="content__inner">); the instruction injecting the malware redirection should come just after this.
Forum: Plugins
In reply to: [WooCommerce] security issue pishing
It is worth investigating the website access logs to find malicious/suspicious HTTP requests, as the infection could be injected via some vulnerable module installed on your site.
To prevent such infection in the future you need to set up a WAF that will block such attacks.
Forum: Fixing WordPress
In reply to: Website Hacked
The suspicious string “abcabcabc” is injected before the first HTML tag
{{{
abcabcabc
<!DOCTYPE html>
<html lang="en-US">
<head>
….
}}}
The infection should be either in WordPress files or in the backend database.
Try simply downloading the website sources, dumping the database and searching for the injected string “abcabcabc”.
This looks like an unsuccessful or kiddie attack but in any case, it is strongly recommended to update all used plugins, remove plugins that you don’t use and run a full website audit.
You can use our plugin to perform the internal and external investigation of your site
https://ww.wp.xz.cn/plugins/quttera-web-malware-scanner/
Forum: Themes and Templates
In reply to: [Rookie] Popup Ads
We tested this site on Android, no pop-ups meanwhile.
Can you please post exact menu link leading to pop-up ads?
Thank you.
Forum: Reviews
In reply to: [Export All URLs] Malware
Is it possible to calculate the MD5 of /var/www/vhosts/israeldojo.co.il/israeldojo.com/wp-content/plugins/export-all-urls/functions.php and compare it to the hash value of this file distributed with the plugin sources?
Forum: Fixing WordPress
In reply to: Random Redirects of Website
According to the provided description, it looks like cookie-based redirection.
Once you visit any post on this site, your web browser stores this cookie and the site should continue to work properly until the expiration of this cookie.
The infection could be injected into one of the WordPress files or into a backend database.
There is a need to perform an internal (server side) scan of WordPress files as well as the content of the WordPress post table.
[Q] – Is there an automated tool to check the database?
[A] – Try to review the functionality of freely available security plugins; part of them scan the database as well
[Q] – can I do it manually?
[A] – Yes, try to search for “<script”, eval, base64, passthru strings
You can try to keep wp-content directory and wp-config.php and replace the rest.
It should work
Every WordPress setup uses mysql (or mariadb) to keep all internally used data like users, plugins configuration and options, posts and the rest.
If attackers were able to inject PHP code into your file system they could freely access and change database content using WP database related PHP functions.
If this is a well-known infection I guess every antivirus should detect it; if not, it is better to review the content of the posts and options tables to be sure you are not going to migrate the infection to a fresh setup.
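The manual search suggested in the replies above (the meta refresh tag, “<script”, eval, base64, passthru) as an added example; it is not part of the original replies and not the Quttera plugin's detection logic. The regexes, function names and sample inputs are constructed for illustration.

```python
import re
from pathlib import Path

# Strings named in the replies above; the regexes are this example's choice.
INDICATORS = {
    # Dump tools may backslash-escape quotes inside row values, hence \\?.
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*\\?[\"']?refresh", re.I),
    "script-tag": re.compile(r"<script\b", re.I),
    # The lookbehind requires a token boundary, so fpassthru( is not
    # reported as passthru( and my_eval( is not reported as eval(.
    "eval": re.compile(r"(?<![\w$])eval\s*\(", re.I),
    "base64": re.compile(r"base64_decode\s*\(", re.I),
    "passthru": re.compile(r"(?<![\w$])passthru\s*\(", re.I),
}

def scan_text(source, text):
    """Return (source, line number, indicator name) for each matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((source, lineno, name))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".js", ".sql")):
    """Scan downloaded site files and a database dump stored under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(path.relative_to(root).as_posix(), text))
    return hits

# Constructed samples: a posts-table row carrying a meta refresh (placeholder
# URL), an obfuscated PHP line, and a benign download snippet using fpassthru().
SAMPLE_DUMP = r"""INSERT INTO wp_posts VALUES (1,'Hello','<p>Welcome</p>');
INSERT INTO wp_posts VALUES (2,'About','<div class=\"content__inner\"><p><meta http-equiv=\"refresh\" content=\"0; URL=http://redirect.example.invalid\"></p></div>');
"""
SAMPLE_PHP = "<?php\n$x = 'data';\neval(base64_decode($x));\n"
BENIGN_PHP = "<?php\nheader( 'Content-Type: text/plain' );\nfpassthru( $logfile );\ndie;\n"

if __name__ == "__main__":
    for src, text in (("dump.sql", SAMPLE_DUMP), ("x.php", SAMPLE_PHP), ("dl.php", BENIGN_PHP)):
        for hit in scan_text(src, text):
            print(hit)
```

Hits are leads for manual review, not verdicts: legitimate themes and plugins also contain script tags and occasionally eval.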
You can download the appropriate version of WordPress from the WP archive and compare files.
All folders except wp-content should be identical to the original sources.
The most customizable directories are wp-content/plugins and wp-content/themes, containing third-party code for WordPress customization.
This code is not part of the WP core package so it is better to install a free security plugin providing an internal scan to locate malware in these directories.
You can use our plugin providing heuristic internal scan or any other providing internal scan capabilities.
Please note that apart from injected files the injected infection could also infect the WordPress database.
It is better to dump the WP database and scan it as well. It is very important to identify the infection source and block it, otherwise your sites will be constantly reinfected.
Please be sure to make a website backup before you make any changes there or remove any files.
Any missing file can break website integrity.
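The comparison against original WordPress sources described above (and the MD5 check asked for in the Export All URLs reply), as an added example that is not part of the original replies or of the Quttera plugin. Function names are this example's own, and the two directory trees in demo() are constructed stand-ins for an unpacked release and a downloaded site.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path):
    """MD5 of a file (MD5 because the replies above compare MD5 values)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def build_manifest(clean_root, skip=("wp-content",)):
    """Map relative path -> MD5 for an unpacked, untouched WordPress release."""
    clean_root = Path(clean_root)
    return {p.relative_to(clean_root).as_posix(): md5_file(p)
            for p in clean_root.rglob("*")
            if p.is_file() and p.relative_to(clean_root).parts[0] not in skip}

def compare_site(site_root, manifest, skip=("wp-content",), keep=("wp-config.php",)):
    """Return (modified, missing, unexpected) paths relative to site_root."""
    site_root = Path(site_root)
    seen, modified, unexpected = set(), [], []
    for p in site_root.rglob("*"):
        rel = p.relative_to(site_root)
        if not p.is_file() or rel.parts[0] in skip or rel.as_posix() in keep:
            continue  # wp-content and wp-config.php are site-specific
        seen.add(rel.as_posix())
        if rel.as_posix() not in manifest:
            unexpected.append(rel.as_posix())   # file the release never shipped
        elif md5_file(p) != manifest[rel.as_posix()]:
            modified.append(rel.as_posix())     # core file whose content changed
    return sorted(modified), sorted(set(manifest) - seen), sorted(unexpected)

def demo():
    """Compare two small constructed trees (release copy vs. live site copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // core entry")
            (root / "wp-includes/load.php").write_text("<?php // core loader")
        (site / "wp-includes/load.php").write_text("<?php // core loader, altered")
        (site / "wp-includes/cache.php").write_text("<?php // not in the release")
        (site / "wp-config.php").write_text("<?php // site settings")
        (site / "wp-content").mkdir()
        (site / "wp-content/plugin.php").write_text("<?php // third-party code")
        return compare_site(site, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

Files under wp-content are skipped here because they are not in the core release; they need a content scan or a comparison against each plugin's own distributed sources.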