lend.php and hear.php getting created automatically


This topic contains 6 replies, has 2 voices, and was last updated by Melwyn DSouza 5 months, 3 weeks ago.

  • #2043

    Hi -

    Thank you for this wonderful tool!

    The tool, however, does not detect the below issue…

    The file scanner I have installed shows that lend.php and hear.php get created in the root folder. I delete them, but they get created again every 3-4 hours. I am unable to figure out what is causing these files to get created.

    lend.php ->  https://ufile.io/izttn — (30 day expiry)

    Also, please check this file; it looks very suspect -> evas.php – https://ufile.io/bntw0 — (30 day expiry)

    Your help with this is much appreciated.

    #2054

    Anti-Malware Admin
    Key Master

    Thanks for those files, I have added both of these to my definition updates.

    If the same infections are coming back then either your server is still infected (it may be another site on the server) or there is a backdoor that is being overlooked. Check your server's raw access_log files to see what scripts are being accessed at the time of the infections (see the infection times in the Anti-Malware Quarantine).
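
The access_log check suggested in the reply above, as an added example that is not part of the original thread or the plugin's own code: it lists the PHP scripts requested shortly before each infection time and reports the ones that recur before every infection. The log lines, timestamps, IP addresses and the plugin path are constructed for illustration, and the 120-second window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Common/combined access log format: client IP, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (not from the thread); the plugin path is hypothetical.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Mar/2018:03:14:10 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2018:03:14:58 +0000] "POST /wp-content/plugins/example/cache.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [12/Mar/2018:05:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Mar/2018:06:45:02 +0000] "GET /about/ HTTP/1.1" 200 900',
    '203.0.113.7 - - [12/Mar/2018:06:45:31 +0000] "POST /wp-content/plugins/example/cache.php HTTP/1.1" 200 12',
]
# Constructed infection times, as they would be read from the quarantine list.
INFECTION_TIMES = [datetime(2018, 3, 12, 3, 15, 0, tzinfo=timezone.utc),
                   datetime(2018, 3, 12, 6, 45, 33, tzinfo=timezone.utc)]

def parse_line(line):
    """Return (time, ip, method, path, status), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop the query string
    return ts, m["ip"], m["method"], path, int(m["status"])

def requests_before(log_lines, infection_times, window_s=120):
    """Map each infection time to the successful .php requests in the preceding window."""
    entries = [e for e in map(parse_line, log_lines) if e]
    hits = {}
    for t in infection_times:
        start = t - timedelta(seconds=window_s)
        hits[t] = [e for e in entries
                   if start <= e[0] <= t and e[3].lower().endswith(".php") and e[4] < 400]
    return hits

def recurring_scripts(hits):
    """Paths requested before every infection: the scripts to inspect first."""
    sets = [{e[3] for e in rows} for rows in hits.values()]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    for path in sorted(recurring_scripts(requests_before(SAMPLE_LOG, INFECTION_TIMES))):
        print("requested before every infection:", path)
```

Infection times must be expressed in the same timezone as the log timestamps, and on shared hosting the logs of the other sites on the server need the same check.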

    #2059

    Hi -

    I found some malicious looking code (base64 coded) in the CSS file. Please see attachment and let me know what you think.

    https://ufile.io/qy0k6 (exp. 30 days)

    #2060

    Sorry… looks like a TTF file encoded as base64… problem still continues on website with hear.php

    #2061

    Anti-Malware Admin
    Key Master

    Can you send me this hear.php file too?

    #2062

    hear.php -> https://ufile.io/70g1b

    Also, I have seen files like this getting added (don’t have copies of these)

    /wp-content/wflogs/favicon_e85058.ico
    /wp-content/uploads/ithemes-security/hkncnabx.php

    #2063

    Some more bad files… including the .ico file which has php code in it.

    https://ufile.io/shyqj (zip files)
