Hi Eli!
Just one info for you. Namely, I scanned one of the sites with your fantastic plugin and for the following line in the wp-config.php file I got just warningthat it is a Potential Threat and in fact it is is real threat/backdoor script:
if(isset($_GET[w5838t])){ $auth_pass=”";$color=”#df5″;$default_action=”FilesMan”;$default_use_ajax=true;$default_charset=”Windows-1251″;exit; }
Can you change this in the GOTML so it recognize this php line as Known threat or similar so GOTML can clean it?
Thx, Ivica
Hi Ivica,
Thanks for that code snippet but I’ll need more info to add this to my definition update.
This looks like only part of the threat with the dangerous part having already been removed. Can you look in Quarantine to see it there is a completely infected version of your wp-config.php file?
If you have the whole infected file can you email it to me (you can remove your database credentials from the file before sending it to me).
Aloha, Eli
Ivica,
Thanks for sending me access to your site. I don’t know where this code came from but it is not a complete threat. The harmful code that usually follows that line at the top of your wp-config.php file is just not there. I removed that line of code from the file and I could not find any other sign of malicious content.
Aloha, Eli
