Hi -
Thank you for this wonderful tool!
The tool, however, does not detect the below issue…
The file scanner I have installed shows that lend.php and hear.php get created in the root folder. I delete them, but they get created again every 3-4 hours. I am unable to figure out what is causing these files to get created.
lend.php -> https://ufile.io/izttn — (30 day expiry)
Also, please check this file; it looks very suspect -> evas.php – https://ufile.io/bntw0 — (30 day expiry)
Your help with this is much appreciated.
Thanks for those files, I have added both of these to my definition updates.
If the same infections are coming back then either your server is still infected (it may be another site on the server) or there is a backdoor that is being overlooked. Check your server's raw access_log files to see what scripts are being accessed at the time of the infections (see the infection times in the Anti-Malware Quarantine).
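The access-log check suggested in the reply above, as an added example that is not part of the original thread or of the plugin's code. It assumes Combined Log Format; the sample log lines, IP addresses and the infection time are constructed, and only the `hkncnabx.php` path is taken from a later post in this thread.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (time, ip, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return ts, m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])

def requests_before(log_lines, infection_times, window_minutes=5):
    """For each infection time, list .php requests logged in the window before it."""
    window = timedelta(minutes=window_minutes)
    hits = {t: [] for t in infection_times}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not rec[3].lower().endswith(".php"):
            continue
        for t in infection_times:
            if t - window <= rec[0] <= t:
                hits[t].append(rec)  # status is kept: a backdoor may answer with 404
    return {t: sorted(v) for t, v in hits.items()}

# Constructed sample data (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:03:58:41 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2018:04:01:57 +0000] "POST /wp-content/uploads/ithemes-security/hkncnabx.php?x=1 HTTP/1.1" 200 12 "-" "-"
203.0.113.7 - - [12/Mar/2018:04:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2018:04:01:10 +0000] "POST /missing.php HTTP/1.1" 404 0 "-" "-"
""".splitlines()
# Assumed time at which the quarantine shows hear.php being recreated.
SAMPLE_INFECTIONS = [datetime.strptime("12/Mar/2018:04:02:00 +0000", TS_FMT)]

if __name__ == "__main__":
    for when, reqs in requests_before(SAMPLE_LOG, SAMPLE_INFECTIONS).items():
        print(f"Infection at {when.isoformat()}:")
        for ts, ip, method, path, status in reqs:
            print(f"  {ts.isoformat()}  {ip}  {method} {path}  -> {status}")
```

POST requests to scripts under upload or log directories that recur shortly before each infection time are the ones to inspect first.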
Hi -
I found some malicious-looking code (base64 encoded) in the CSS file. Please see attachment and let me know what you think.
https://ufile.io/qy0k6 (exp. 30 days)
Sorry… looks like a TTF file encoded as base64… problem still continues on website with hear.php
Can you send me this hear.php file too?
hear.php -> https://ufile.io/70g1b
Also, I have seen files like this getting added (don’t have copies of these)
/wp-content/wflogs/favicon_e85058.ico
/wp-content/uploads/ithemes-security/hkncnabx.php
Some more bad files… including the .ico file which has php code in it.
https://ufile.io/shyqj (zip files)