Hello Community,
I found today that my WordPress site was hacked. GOTMLS is running.
What I found was:
1. load.php was changed
2. there was .aaaaa.css file in iclues/sodium/src
3. wp-config was changed.
At the time the files were changed I find this in the access log:
85.214.41.226 - - [08/Jun/2024:00:18:49 +0000] "POST /?qLDzA=pMU HTTP/1.1" 200 58980 "http://xxxxxxx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.183" 1240 63620
209.61.197.16 - - [08/Jun/2024:00:19:01 +0000] "POST /wp-content/plugins/shortpixel-image-optimiser/res/img/bulk/style.php HTTP/1.0" 200 121 "http://amazon1.org/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1" 9969 3914
207.180.204.122 - - [08/Jun/2024:00:19:02 +0000] "POST /?Dawk=dHI HTTP/1.1" 200 103 "http://xxxxxxxx/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1" 1248 4046
146.255.83.74 - - [08/Jun/2024:00:19:03 +0000] "POST /?vRRIU=QRNI HTTP/1.1" 200 56 "http://xxxxx/" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1" 24284 3998
I stupidly deleted the files.
I could not do a GOTMLS scan … I found the malicious files through a code profiler.
Do you have any idea how I can find how these were uploaded?
THX Niels
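The question above is how to work out from the access log how the files got there. The script below is an added example, not part of this thread or of the GOTMLS plugin: it parses combined-format access log lines, flags POSTs that match the two patterns visible in the post (a POST to "/" carrying one short random-looking query parameter, and a POST to a PHP file under wp-content/ or wp-includes/ that is not a normal WordPress entry point), and correlates each flagged request with the modification times of the changed files. The log lines are reconstructed from the post with the redacted referrer hosts replaced by example.invalid, plus one benign POST to wp-login.php as a control; the file mtimes and the "normal entry points" set are assumptions for the demonstration, and the random-parameter heuristic is exactly that, a heuristic, not proof of which request did the upload.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; any trailing fields (bytes in/out) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHP files that legitimately receive POSTs on a stock WordPress site (assumed list;
# extend it for plugins you know expose their own endpoints).
KNOWN_POST_ENDPOINTS = {
    "/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php", "/wp-admin/async-upload.php",
}

# Root URL with a single short key=value of letters/digits, as in the POSTs in the post.
RANDOM_QUERY_RE = re.compile(r'^/\?[A-Za-z0-9_]{2,12}=[A-Za-z0-9_]{1,16}$')

# Constructed sample: the four lines from the post (referrers replaced) plus one benign control.
SAMPLE_LOG = """\
85.214.41.226 - - [08/Jun/2024:00:18:49 +0000] "POST /?qLDzA=pMU HTTP/1.1" 200 58980 "http://example.invalid" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0.0.0" 1240 63620
209.61.197.16 - - [08/Jun/2024:00:19:01 +0000] "POST /wp-content/plugins/shortpixel-image-optimiser/res/img/bulk/style.php HTTP/1.0" 200 121 "http://amazon1.org/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)" 9969 3914
207.180.204.122 - - [08/Jun/2024:00:19:02 +0000] "POST /?Dawk=dHI HTTP/1.1" 200 103 "http://example.invalid/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X)" 1248 4046
146.255.83.74 - - [08/Jun/2024:00:19:03 +0000] "POST /?vRRIU=QRNI HTTP/1.1" 200 56 "http://example.invalid/" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X)" 24284 3998
203.0.113.5 - - [08/Jun/2024:00:17:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 700 900
"""

# Constructed mtimes for the three changed files named in the post (assumed values).
CHANGED_FILES = {
    "load.php": datetime(2024, 6, 8, 0, 19, 5, tzinfo=timezone.utc),
    ".aaaaa.css": datetime(2024, 6, 8, 0, 19, 5, tzinfo=timezone.utc),
    "wp-config.php": datetime(2024, 6, 8, 0, 19, 6, tzinfo=timezone.utc),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"], _, e["query"] = e["target"].partition("?")
    return e


def suspicious_reasons(e):
    """Return the list of heuristics a parsed request trips (empty if it looks benign)."""
    reasons = []
    if e["method"] != "POST":
        return reasons
    if RANDOM_QUERY_RE.match(e["target"]):
        reasons.append("POST to / with a single random-looking query parameter")
    if (e["path"].endswith(".php") and e["path"] not in KNOWN_POST_ENDPOINTS
            and e["path"].startswith(("/wp-content/", "/wp-includes/"))):
        reasons.append("POST to a PHP file under wp-content/wp-includes that is not a WordPress entry point")
    return reasons


def find_suspects(log_text, changed_files, window=timedelta(minutes=5)):
    """Flag suspicious POSTs and attach the changed files whose mtime falls within
    `window` after the request; order follows the log."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = suspicious_reasons(e)
        if not reasons:
            continue
        nearby = sorted(name for name, mtime in changed_files.items()
                        if e["time"] <= mtime <= e["time"] + window)
        hits.append({"ip": e["ip"], "time": e["time"], "target": e["target"],
                     "reasons": reasons, "nearby_files": nearby})
    return hits


if __name__ == "__main__":
    for h in find_suspects(SAMPLE_LOG, CHANGED_FILES):
        print(h["time"].isoformat(), h["ip"], h["target"])
        for r in h["reasons"]:
            print("   ", r)
        print("    changed within window:", ", ".join(h["nearby_files"]) or "none")
```

Run it against the real access log with the real mtimes (from `stat` or from a backup diff) to narrow down which request preceded each change; a POST that returns 200 with a sizeable body from a URL that is not a normal WordPress endpoint, a few seconds before the file changes, is the request to examine. Keep in mind that a POST only shows the endpoint that was used, not how the endpoint got there, so the earliest such request in the log is usually the more useful lead than the later ones.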
Thanks for sending me this new malicious code. I have added this new variant to my definition updates so that it can now be found and fixed with my Anti-Malware plugin.
Please let me know if you find any more or if you continue to have repeated infections.