quttera
Forum Replies Created
The reason for such behavior is probably cached data managed by Chrome.
It is worth cleaning the browser cache. There is a need to install any free WordPress security plugin to perform an internal audit of WordPress core files, other alien files and the database used by WordPress.
If your WordPress redirects due to injected malware code, such a scan will be able to detect it.
Forum: Fixing WordPress
In reply to: CoinHive crypto-jacking malware hack!
Multiple security vulnerabilities have been discovered recently in popular WordPress plugins.
It is worth updating/upgrading all used WordPress plugins and running an internal website audit to detect all injected malicious files.
Without curing all infected/injected files, reinfection will continue to impact your site(s).
Forum: Fixing WordPress
In reply to: Create automatically admin user
Please be aware that multiple security vulnerabilities allowing “Arbitrary Code Execution” were recently discovered in multiple WordPress plugins. Or in other WORDS, bad guys can inject malicious code into your WordPress setup and take full control over it.
It is probably worth restoring your website from the last good backup and upgrading all plugins to the latest version to avoid infection/reinfection once again.
Forum: Fixing WordPress
In reply to: New hack with file “temp-crawl.php”
@te_taipo here is the list of plugins we are using on our setups.
These are not live websites and are mostly used for exploit verification and tests/regression of our security plugin (quttera-web-malware-scanner).
Not sure how this list will be useful… But here you go:
ajax-search-lite
akismet
all-in-one-seo-pack
bbpress
buddypress
contact-form-7
duplicator
google-analytics-dashboard-for-wp
google-analytics-for-wordpress
jetpack
ml-slider
quttera-web-malware-scanner
regenerate-thumbnails
simple-social-buttons
theme-check
updraftplus
w3-total-cache
woocommerce
wp-crontrol
wp-slimstat
wp-super-cache
yeloni-free-exit-popup
Forum: Fixing WordPress
In reply to: Question about what to do after a hack
Changing WordPress (and other website related) passwords is one of the protection methods. You need to understand and locate how this infection was injected and close this hole; otherwise reinfection will occur periodically.
As first steps you need to perform a full website audit (check core file integrity, the WordPress database and plugin/theme files).
The next step is to upgrade all upgradable software (plugins and themes) used on your setup.
Once you are done, perform an internal (server side) scan once again to verify all malware has been removed and the website stays clean.
Forum: Fixing WordPress
In reply to: New hack with file “temp-crawl.php”
Try to investigate the website access log to locate the IP used to access temp-crawl.php.
Investigation of all previous HTTP requests from this IP may point to the initially exploited file or the vulnerability that allowed this code to be dropped.
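The access log triage described above (and repeated as step 3 further down this page) can be automated. This is an added example, not code from the post or from the quttera plugin; the log lines are constructed samples in Apache/nginx combined format, and the plugin path in them is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format); IPs are documentation ranges,
# "vulnerable-plugin" is a placeholder, not a real plugin name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2018:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2018:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2018:10:03:15 +0000] "POST /wp-content/plugins/vulnerable-plugin/upload.php HTTP/1.1" 200 50 "-" "python-requests/2.18"
203.0.113.5 - - [10/Feb/2018:10:04:01 +0000] "GET /wp-content/uploads/temp-crawl.php HTTP/1.1" 200 88 "-" "python-requests/2.18"
198.51.100.7 - - [10/Feb/2018:10:05:00 +0000] "GET /wp-content/uploads/temp-crawl.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Fields of the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def requests_leading_to(lines, marker="temp-crawl.php"):
    """For each IP that requested a path containing `marker`, return every request
    that IP made up to and including its first hit on `marker`.
    Lines are assumed to be in chronological order, as in a live access log."""
    history = defaultdict(list)   # ip -> all requests seen so far
    leading = {}                  # ip -> requests up to the first marker hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip lines in another format
        history[rec["ip"]].append(rec)
        if marker in rec["path"] and rec["ip"] not in leading:
            leading[rec["ip"]] = list(history[rec["ip"]])
    return leading

def main():
    for ip, recs in requests_leading_to(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached {recs[-1]['path']} after:")
        for r in recs[:-1]:
            print(f"  {r['time']} {r['method']} {r['path']} -> {r['status']} ({r['agent']})")

if __name__ == "__main__":
    main()
```

On a real server, replace SAMPLE_LOG with the contents of the access log; the earliest POST to a plugin file from the same IP is usually the request to examine first.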
Yes, it looks like an infection.
First of all, the currently available content of ./ultimate-member/includes/core/um-filters-commenting.php does not have this code. The second very suspicious thing is the following:
eval/*ta41b49b6*/($a3ebc[$bedb[‘q3aa5906’][61]]);}exit();
The first comment is used to overcome pattern detection, and the last call to exit(); also looks very suspicious.
I have forwarded this sample to our lab for deobfuscation and will post more details here when available.
You are getting this notification because http[://]www.vonino[.]eu/tablets is blacklisted by Google. (https://transparencyreport.google.com/safe-browsing/search?url=http:%2F%2Fwww.vonino.eu%2Ftablets&hl=en)
You may want to investigate the website access log for suspicious HTTP requests that may have led to this reinfection.
Optionally (if the infection is getting in via the theme) you may want to temporarily switch to another theme (removing the directory hosting the current theme).
If the reinfection does not occur with the alternative theme, you have found the source of the reinfection.
Do you have other websites under the same hosting account?
Did you run an internal (server side) scan?
Forum: Fixing WordPress
In reply to: Locating file on hacked website
This is an infection indeed.
We cannot provide you concrete details on where to cure the infection as it requires internal (server side) investigation of the website/WordPress.
The injected JavaScript first goes to https[://]pr[.]uustoughtonma[.]org/d.js, which downloads https://stat[.]uustoughtonma.org/stats%5B.%5Djs?f=pr, which finally loads cookie-based redirection malware (firing every 8 hours) redirecting to
http[://]konado[.]space/?h=475053016_949e154f16a_100&h_l=&h_5=sub_id_2&h_2=def_sub
You have to perform a full internal website audit to locate and remove the malicious code injecting this malware.
Malware infection could be injected in four ways:
1 – using fake WordPress admin user credentials
2 – via a vulnerable plugin(s) installed on your system
3 – via a previously installed malicious shell used to reinfect others
4 – in the case of shared hosting or multiple sites on the same hosting account, the infection may come from other sites as well
It is worth:
1 – resetting all WordPress passwords and reviewing/removing all suspicious users
2 – investigating your WordPress setup with other security plugins
3 – investigating the website access log to locate what exactly was exploited on your side
Forum: Plugins
In reply to: [Variation Swatches for WooCommerce] malware warning
URL: http://www.vonino.eu/tablets is currently blacklisted by Google, thus you are getting such alerts.
Forum: Fixing WordPress
In reply to: Automatic creation of user “Administrator”
One more comment:
1 – please take care to update all your plugins since there is a big chance the code injection is going via one of the installed plugins
2 – reset all passwords you are using to manage this website (cPanel, WordPress admin and FTP passwords)
Forum: Fixing WordPress
In reply to: Automatic creation of user “Administrator”
This seems to be an active attack on WordPress setups since there are other people claiming the same.
The new user setup could be done via a vulnerable plugin allowing remote code injection.
It is worth scanning WordPress files (file system) to verify there is no malware infection in PHP files, as well as trying to investigate website access logs for suspicious HTTP requests.
You can install an audit log plugin and wait for the next reinfection. Hopefully, this plugin will catch the reinfection source.