Graham Crichton

Forum Replies Created

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • September 28, 2015 at 11:51 pm in reply to: Wordfence (issues with modified GOTMLS files) #1259

    Graham Crichton
    Member

    Thank you. That makes a lot more sense now :-)

    September 28, 2015 at 6:30 am in reply to: Wordfence (issues with modified GOTMLS files) #1254

    Graham Crichton
    Member

    Hi there,

    My site has Wordfence and Antimalware installed. Wordfence sends me an email every week telling me what it was up to. Every week it tells me the top modified files are things like:
    wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.6d5683eb555fba4c06d32f417260c326.php

    They are always in the GOTMLS safe load directory and there is always a lot of them.

    So I had a wee look to see what was in one of these files and found some base64 code.

    Php code would begin here

    $GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]=unserialize(base64_decode(“YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ==”));

    Php code would end here

    What does this do? When decoded it says this:
    a:1:{s:3:”GET”;s:13:”1437416007.92″;}

    Is this malicious? Anyone know what and why this is?

    Many thanks,
    Graham.

  • Author
    Posts
Viewing 2 posts - 1 through 2 (of 2 total)