retoGe
Forum Replies Created
Forum: Fixing WordPress
In reply to: Virus
Thanks. OK, I am not the hostel owner :-). I am just a frequent guest and have done the website for them, to help them out.
Wordfence is working fine. 3 IPs were blocked, as they tried to log in to the page. I will now set the time to block IPs to 1 month.
Hey, the south of Argentina is really a nice place to visit. The best time is October to December or March to May. December to February is tourist season and every hostel is much more expensive. Sometimes 3 times more expensive!
greetings
Patrick Reto Bieri

Forum: Fixing WordPress
In reply to: Virus
Thank you, I have already done these things. Wordfence seems to be a very strong tool :-). It is just that I have some reports from Google that pages are hacked. But they are not hacked any more. I tested it with Wordfence and the virus scanner from the hoster. I think I can solve this problem.
What you write about this shell is interesting. Why would they try something like this on the website of a simple hostel? Maybe because of the situation in Argentina? The opposition (Kirchneristas) are fighting a lot against the president. And the family of the hostel are Kirchneristas. Strange… and criminal, no?
greetings and thank you so much for your help
Patrick Reto Bieri

Forum: Fixing WordPress
In reply to: Virus
I will post here the support ticket from 8 August. It is in Spanish, but the Google translation is quite good. Maybe you can tell me something about the infected files? Who is Marvins.php?
Your site hosteltromen.com was preventively suspended because it was sending SPAM.
The mailings were being sent from a file that we believe was uploaded to your website without authorization, by exploiting a security vulnerability.
We have renamed the public_html directory to public_html_verificar so that it is not necessary to suspend the account completely; this way you can keep using e-mail and also access your website's files to resolve the security problems.
----
IMPORTANT: Bear in mind that at WIROOS we are very strict about SPAM and security. Your service could be cancelled permanently if you are not careful with the security of your service, since you are responsible for its misuse. Please do not simply delete the files that were uploaded to your site; work on resolving the problem that allowed those files to be uploaded, which is the underlying problem.
Do not underestimate this matter. Consider the financial losses your business would suffer if your service were suspended or cancelled.
----
----
To help resolve this problem, we are sharing with you the following result of our virus and exploit scan:

'/home/hosteltr/public_html_verificar/Marvins.php'
# Known exploit = [Fingerprint Match] [PHP Shell Exploit]
'/home/hosteltr/public_html_verificar/Mkutps.php'
# Known exploit = [Fingerprint Match] [PHP Shell Exploit]
'/home/hosteltr/public_html_verificar/af1d89.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscated Exploit [P1070]]
'/home/hosteltr/public_html_verificar/eaiubnv3.php'
# (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Obfuscated Exploit [P1070]]
'/home/hosteltr/public_html_verificar/gtde.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]
'/home/hosteltr/public_html_verificar/index.php'
# Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]
'/home/hosteltr/public_html_verificar/phqmv.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]
'/home/hosteltr/public_html_verificar/wp-config.php'
# Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]
'/home/hosteltr/public_html_verificar/wp-pols.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]
'/home/hosteltr/public_html_verificar/cgi-bin/favicon_ea47a8.ico'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0803]]
'/home/hosteltr/public_html_verificar/wp-admin/css/colors/midnight/fuxemngl.php'
# Known exploit = [Fingerprint Match] [PHP COOKIE Exploit [P1037]]
'/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/plupload-2.1.1/Moxie.xap'
# (compressed file: Moxie.dll [depth: 1]) MS Windows Binary/Executable [application/x-winexec]
'/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_admin/templates/field_generator/nextgen_settings_field_width_and_unit.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]
'/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_tagcloud/Mrcrtq.php'
# Known exploit = [Fingerprint Match] [PHP Shell Exploit]
'/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fonts/Dcqdm.php'
# (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0324]]
'/home/hosteltr/public_html_verificar/wp-content/plugins/qtranslate-x/comay.php'
# Known exploit = [Fingerprint Match] [PHP Exploit]
'/home/hosteltr/public_html_verificar/wp-content/plugins/qtranslate-x/qutofxpe.php'
# Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]
'/home/hosteltr/public_html_verificar/wp-content/plugins/so-css/lib/codemirror/addon/fold/Dcqdm.php'
# (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0324]]
'/home/hosteltr/public_html_verificar/wp-content/plugins/wp-google-maps/base/umezdvto.php'
# Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]
'/home/hosteltr/public_html_verificar/wp-content/themes/sketch/404.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]
'/home/hosteltr/public_html_verificar/wp-content/themes/sketch/addon.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]
'/home/hosteltr/public_html_verificar/wp-content/themes/sketch/header.php'
# (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP WordPress Exploit [P0970]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/author-bio.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P0892]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/extension.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/message.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/messages.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/single.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentysixteen/404.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]
'/home/hosteltr/public_html_verificar/wp-content/themes/twentysixteen/js/Mrcrtq.php'
# Known exploit = [Fingerprint Match] [PHP Shell Exploit]
'/home/hosteltr/public_html_verificar/wp-content/uploads/extension.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]
'/home/hosteltr/public_html_verificar/wp-content/uploads/message.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]
'/home/hosteltr/public_html_verificar/wp-includes/Requests/IDNAEncoder.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
'/home/hosteltr/public_html_verificar/wp-includes/Requests/Exception/HTTP/401.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
'/home/hosteltr/public_html_verificar/wp-includes/Requests/Exception/HTTP/417.php'
# Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]
'/home/hosteltr/public_html_verificar/wp-includes/css/modules.php'
# Known exploit = [Fingerprint Match] [PHP Exploit]
'/home/hosteltr/public_html_verificar/wp-includes/js/jcrop/zcpghkcy.php'
# Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]
'/home/hosteltr/public_html_verificar/wp-includes/js/swfupload/gfaahgsu.php'
# Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]
'/home/hosteltr/public_html_verificar/wp-includes/random_compat/byte_safe_strings.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
'/home/hosteltr/public_html_verificar/wp-includes/random_compat/random_bytes_libsodium.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
'/home/hosteltr/public_html_verificar/wp-includes/rest-api/class-wp-rest-response.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
'/home/hosteltr/public_html_verificar/wp-snapshots/index.php'
# Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]
----
Please let us know when the security problem has been resolved so that we can reactivate your website.
Regards,
The WIROOS team

Forum: Fixing WordPress
In reply to: Virus
Thank you Jackie for this help.
I am trying to check the log file. I can see that we have some IPs that come to the website very often and send a request every few seconds. OK, I will try to find out who this was.
After 8 August I think all the requests for our site got a 404. I asked the support to tell me at what time exactly they detected the virus and when they blocked the site.
If you have more information for me about the log file, please let me know. I am not very good at these things 🙂
greetings
Patrick
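The hoster's ticket earlier in this thread lists the files its scanner flagged, and the post above asks who was hitting the site and when. The following is an added example, not code from the thread, from Wordfence or from WIROOS, that ties the two together: it parses a report excerpt written in the hoster's two-line format (quoted path, then a `# Known exploit` verdict), maps paths under the renamed document root to URL paths, and then reads access-log lines in the Apache/nginx "combined" format to show every request to a flagged file and which clients were sending requests in tight bursts. The report excerpt, the log lines, the IP addresses (documentation ranges) and the dates are all constructed for the example; only the document-root path is the one quoted in the ticket.

```python
"""Pair the hoster's scan report with the web server access log.
Added example for this thread, not code from the forum, WIROOS or Wordfence.
Report excerpt, log lines, IPs (documentation ranges) and dates are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Renamed document root quoted in the ticket; paths below it become URL paths.
DOCROOT = "/home/hosteltr/public_html_verificar"

# Constructed excerpt in the hoster's two-line format: quoted path, then verdict.
SAMPLE_REPORT = """\
'/home/hosteltr/public_html_verificar/Marvins.php'
# Known exploit = [Fingerprint Match] [PHP Shell Exploit]
'/home/hosteltr/public_html_verificar/wp-config.php'
# Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]
'/home/hosteltr/public_html_verificar/wp-content/uploads/message.php'
# Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]
"""

# Constructed access-log lines in the "combined" format, deliberately out of order
# in one place and with one unparseable line, as real logs tend to be.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2017:09:00:01 -0300] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:09:10:00 -0300] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:09:10:03 -0300] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:09:10:06 -0300] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:09:10:09 -0300] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Aug/2017:10:20:01 -0300] "POST /wp-content/uploads/message.php?x=1 HTTP/1.1" 200 77 "-" "python-requests/2.18"
198.51.100.23 - - [07/Aug/2017:10:15:32 -0300] "POST /Marvins.php HTTP/1.1" 200 512 "-" "python-requests/2.18"
192.0.2.10 - - [07/Aug/2017:11:30:45 -0300] "GET /habitaciones/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Aug/2017:02:00:10 -0300] "POST /wp-content/uploads/message.php HTTP/1.1" 404 209 "-" "python-requests/2.18"
this line is not in log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_report(text, docroot=DOCROOT):
    """Pair each quoted path with the '# ...' verdict after it; return {url_path: verdict}."""
    hits, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("'") and line.endswith("'"):
            pending = line[1:-1]
        elif line.startswith("#") and pending:
            url = pending[len(docroot):] if pending.startswith(docroot) else pending
            hits[url] = line.lstrip("# ").strip()
            pending = None
    return hits


def parse_line(line):
    """One combined-format line -> dict, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def summarize_ips(lines, burst_seconds=10, min_hits=4):
    """Per-IP hit count, median gap between requests, POSTs to .php files and status mix.
    'suspicious' marks clients that keep hammering: enough hits with a short median gap."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "hits": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "median_gap_s": median(gaps) if gaps else None,
            "posts_to_php": sorted({r["path"] for r in recs
                                    if r["method"] == "POST" and r["path"].endswith(".php")}),
            "status_counts": dict(Counter(r["status"] for r in recs)),
            "suspicious": len(recs) >= min_hits and bool(gaps) and median(gaps) <= burst_seconds,
        }
    return report


def shell_activity(lines, flagged):
    """Every request to a flagged file as (ts, ip, method, path, status), oldest first.
    The first 200 shows the dropped file was already in place by then; a 404 after the
    suspension is the same client still knocking on the renamed docroot."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in flagged:
            out.append((rec["ts"], rec["ip"], rec["method"], rec["path"], rec["status"]))
    return sorted(out)


if __name__ == "__main__":
    flagged = parse_report(SAMPLE_REPORT)
    lines = SAMPLE_LOG.splitlines()
    for ts, ip, method, path, status in shell_activity(lines, flagged):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip:>15} {method} {path} -> {status}  [{flagged[path]}]")
    for ip, s in summarize_ips(lines).items():
        if s["suspicious"] or s["posts_to_php"]:
            print(f"{ip}: {s['hits']} hits, median gap {s['median_gap_s']}s, POSTs to {s['posts_to_php']}")
```

Two caveats when reading the output against a real log. A modified pre-existing file such as wp-config.php or wp-includes/Requests/IDNAEncoder.php is included by WordPress itself, so it never shows up as a request path; for those, compare the file against a fresh copy of the same WordPress, theme or plugin version and look at modification times. And the earliest 200 on a dropped file is only a lower bound for the compromise: the vulnerability that let the attacker write the file was used before that request, which is why the hoster insists on finding the upload path rather than just deleting the files.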