Forum Replies Created
-
AuthorPosts
-
Hello,
I am still in love with the plugin. I get infected from time to time with similar malware.
I saved these files before cleaning.
https://www.dropbox.com/scl/fi/uewl8rfrjvjo0z8r2r3hw/Hack.zip?rlkey=b74z02diief46nd8l6fh3j6c0&dl=0
Perhaps it helps to improve to also find them.
Best wishes
Niels
I found this script now … through another scanner
Hello Community,
I found today that my WordPress site was hacked. GOTMLS is running.
What I found was:
1. load.php was changed
2. there was a .aaaaa.css file in iclues/sodium/src
3. wp-config was changed.
4.
At the time the files were changed I find this in the access log:
85.214.41.226 - - [08/Jun/2024:00:18:49 +0000] "POST /?qLDzA=pMU HTTP/1.1" 200 58980 "http://xxxxxxx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.183" 1240 63620
209.61.197.16 - - [08/Jun/2024:00:19:01 +0000] "POST /wp-content/plugins/shortpixel-image-optimiser/res/img/bulk/style.php HTTP/1.0" 200 121 "http://amazon1.org/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1" 9969 3914
207.180.204.122 - - [08/Jun/2024:00:19:02 +0000] "POST /?Dawk=dHI HTTP/1.1" 200 103 "http://xxxxxxxx/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1" 1248 4046
146.255.83.74 - - [08/Jun/2024:00:19:03 +0000] "POST /?vRRIU=QRNI HTTP/1.1" 200 56 "http://xxxxx/" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1" 24284 3998
I stupidly deleted the files
I could not do a GOTMLS scan … I found the malicious files through a code profiler.
Do you have any idea how I can find how these were uploaded?
THX Niels

Hello Eli,
still glad about your tool.
On one of my hacked WordPresses there are several upload PHP files (which are not meant to be there).
Perhaps you can add these to your scans?
https://www.dropbox.com/s/mv5572283x5eema/Archiv.zip?dl=0
best wishes
Niels

I have several WordPresses which I clean with GOTMLS (my life saver)
But they keep getting infected … can there be somehow a hidden backdoor?
Hi,
today I found an exploit in the wp-config.php
The main part was successfully removed, but a little part remained (which caused a 500 error)
Should I send you the file to check and adjust the algorithm?
THX and best wishes
Niels
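
For the access-log excerpt in the post above about the changed load.php and wp-config, here is an added example (not part of the original posts and not GOTMLS code) that flags the two request shapes visible in that log: a POST to a .php file inside a plugin's image directory, and a POST to the site root with a single random-looking query key. The sample lines are constructed with documentation IP addresses, and the asset-directory pattern and the list of known query keys are assumptions to adjust per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format prefix; extra trailing fields (as in the post) are ignored.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: these directories hold static assets or uploads, not PHP endpoints.
ASSET_DIR = re.compile(r'^/wp-content/(?:uploads/|.*/(?:img|images|css|js|fonts)/)', re.I)
# Partial list of query keys WordPress itself uses on the front page (assumption).
KNOWN_KEYS = {"s", "p", "page_id", "cat", "tag", "preview", "rest_route"}

def classify(line):
    """Return (ip, timestamp, target, reason) for a suspicious POST, else None."""
    m = LINE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    reason = None
    if url.path.lower().endswith(".php") and ASSET_DIR.match(url.path):
        reason = "POST to PHP file inside an asset/upload directory"
    elif url.path == "/":
        keys = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        if (len(keys) == 1 and keys[0] not in KNOWN_KEYS
                and re.fullmatch(r"[A-Za-z]{3,8}", keys[0])):
            reason = "POST to site root with a single unknown query key"
    return (m["ip"], m["ts"], m["target"], reason) if reason else None

def scan(lines):
    """Classify every line and keep only the suspicious ones, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; the request paths are modelled on the post's log.
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2024:00:18:49 +0000] "POST /?qLDzA=pMU HTTP/1.1" 200 58980 "-" "UA" 1240 63620',
    '198.51.100.7 - - [08/Jun/2024:00:19:01 +0000] "POST /wp-content/plugins/shortpixel-image-optimiser/res/img/bulk/style.php HTTP/1.0" 200 121 "-" "UA" 9969 3914',
    '203.0.113.5 - - [08/Jun/2024:00:20:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "UA" 800 500',
    '203.0.113.5 - - [08/Jun/2024:00:20:05 +0000] "GET /?s=shoes HTTP/1.1" 200 9000 "-" "UA" 900 9500',
]

if __name__ == "__main__":
    for ip, ts, target, reason in scan(SAMPLE):
        print(f"{ts}  {ip}  {target}  <- {reason}")
```

Both rules are heuristics and can match legitimate plugin requests, so treat hits as leads: compare their timestamps with the modification times of the changed files and check whether the flagged .php path belongs to the plugin's original distribution.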