Title: Backdoor (1) in default.php file?
Last modified: August 31, 2016

---

# Backdoor (1) in default.php file?

 *  [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/)
 * Hi folks!
 * Now, after struggling with searching to find an answer to my web hotel server
   warning, I have to take a place here in the forum with this thread.
 * The WARNING:
    # Damaged files found: 2 Backdoor (1): ./www/default.php Malware-URL-4 (hecodat.de (11)): ./www/index.html
 * The first error, temporarily not in use (from an old HTML creator), was removed
   from the web server.
    So the next file, default.php, is placed under this directory:
   `\www\wp-content\plugins\siteorigin-panels\widgets\widgets\animated-image\tpl`
 * It contains the following string command:
 * [malware removed]
 * So, I am wondering, where is the “secret” backdoor, and, sincerely and originally,
   is this default.php file necessary at all?
    Just wondering. And still, Malwarebytes
   and Bitdefender block my web site, while Google safe search did not mention
   that any risks / harmful behavior are registered for my site. Please make a
   test visit to my web site: `panoramaflyfoto.no`
 * My Anti-Malware from GOTMLS.NET report:
    Potential Threats
 *  * NOTE: These are probably not malicious scripts (but it’s a good place to start
   looking IF your site is infected and no Known Threats were found).
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Environment.php
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Test/IntegrationTestCase.php
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/json/JSON.php
 * ?…/www/wp-content/themes/ultra/js/flexie.js
 * ?…/www/wp-content/uploads/ithemes-security/logs/event-log-panoramaflyfoto-no-J84zrog.log
 * Thank you for further assistance to one who is completely fresh in the field and
   a novice in this code language.

Viewing 14 replies - 1 through 14 (of 14 total)

 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988242)
 * Remain calm and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988373)
 * Thanks.
    The first thing I did was remove an old HTML file, index.html. Easy. The
   next thing to do was change the password for entering the web hotel server. I
   also changed the password for WP login. Both passwords have >>>16 characters,
   lower/upper case plus a mix of numbers as well.
 * I have implemented 3 different security add-ons in my WP: 1. Anti-Malware from
   GOTMLS.NET, 2. iThemes Security, 3. iControlWP; I think that should be enough.
   Only the first one is running as the full version (donated); the two others
   are running those functions that the free version makes possible. Other paid
   functions cost $$$, so I have to see for a while whether extra functions will
   be paid for.
 * Anyway, one error is left, and I really did not see it! Google search reports
   it as not a dangerous page to visit, even though my MalwareBytes + Bitdefender
   give a warning on entering this web site. The malware is <hidden> in the file
   default.php, which contains the following:
    `<img src="<?php echo esc_url($instance['image']) ?>" style="visibility:hidden" data-animation="<?php echo esc_attr($instance['animation']) ?>" />`
 * I will now simply try to remove this file from my web server (all files are backed
   up as a download to my PC). Then let’s see what happens with the functioning
   of the web site, and also whether this entry warning disappears(?).
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988374)
 * That was not a good idea:
    Error 503 Backend fetch failed
 * Backend fetch failed
    Guru Meditation: XID: 115332999 Varnish cache server
 * So, I am wondering why Google search did not give any warning about visiting this
   web site, but MalwareBytes and Bitdefender do?
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988375)
 * Did you replace the file with a freshly downloaded copy after you removed it?
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988423)
 * No. I just left it, but changed the file ending from PHP to PHP-OLD. When entering
   the page, I get the 503 error. I renamed this file again, and it was up and running.
   My worry is that my MalwareBytes and Bitdefender give a warning on entering this
   site, but Google safe search did not give any warnings(?). It could be a solution
   to send an inquiry to those two security software vendors, in the same way as
   for Google safe search, where you have to make a manual request to Google to be
   whitelisted again after an attack. After this, I have opened every PHP file in
   the www/wp-contains folder and looked for anything suspicious, but could not find
   any encrypted sentence.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988424)
 * What directory is the file currently in?
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988433)
 * At first I went through all PHP files in the root\www directory.
 * The default.php belongs to the directory
   `root\www\www\wp-content\plugins\siteorigin-panels\widgets\widgets\animated-image\tpl`
    This file is declared to contain a backdoor.
 * Hopefully this was of some help?
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988436)
 * Ok, deactivate and delete the SiteOrigin Panels plugin from the Plugins section
   of your blog’s Dashboard, then install a new copy via Plugins -> Add New.
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988451)
 * Glosshh! So easy! No, no warning any longer! Thanks to the volunteers, but especially
   James Huff. It’s great, made my day!
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988452)
 * You’re welcome!
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988479)
 * Thanks to Jim Huff for still supporting with good advice!
    Last scan: Congratulations!
   No security problems were detected by Wordfence.
 * GOTMLS.NET reporting before the above scan:
    Check all 4 Items in Quarantine
 * …/www/wp-includes/js/jquery/jquery-migrate.min.js
 * …/www/wp-includes/js/jquery/jquery-migrate.js
 * …/www/wp-includes/images/crystal/license.txt
 * …/www/license.txt
 * All files were re-installed, worked out by GOTMLS.NET features. Result of the new
   scan:
    Potential Threats
 *  * NOTE: These are probably not malicious scripts (but it’s a good place to start
   looking IF your site is infected and no Known Threats were found).
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Environment.php
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Test/IntegrationTestCase.php
 * ?…/www/wp-content/plugins/wp-simple-firewall/src/common/json/JSON.php
 * ?…/www/wp-content/themes/ultra/js/flexie.js
 * ?…/www/wp-content/uploads/ithemes-security/logs/event-log-panoramaflyfoto-no-J84zrog.log
 * It seems to be a trusted web site so far, even though McAfee says this:
    Phishing attempt!
   This page is part of a phishing attempt
 * Web page:
    [https://www.trustedsource.org/?p](https://www.trustedsource.org/?p)
 * [http://www.VIRUStotal](http://www.VIRUStotal) scan gives this report:
 * ADMINUSLabs Malicious site
 * Avira Malware site
 * Fortinet Malware site
 * Yandex Safebrowsing Malware site
 * But I still want my web hotel supplier to make a re-scan. And I will still update
   the result here.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988480)
 * If you can, make your site public, and run it through [https://sitecheck.sucuri.net/](https://sitecheck.sucuri.net/)
   too.
 *  Thread Starter [roof55-no](https://wordpress.org/support/users/roof55-no/)
 * (@roof55-no)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988484)
 * Yeah, I have done this at securi.com several times. It seems the only thing that
   helps here is to pay $$$ for the service as a commercial page. If this service
   contains any sort of useful information, it’s well covered.
    I can see McAfee first declared this site as red as long ago as 2. January
   2016! panoramaflyfoto.no
 * This page shows details and results of our analysis on the domain panoramaflyfoto.no
    Threat Detail
 * Web Category: Malicious Downloads
    Activation: Last Seen: 2016-02-01
 * So, is it perhaps a matter of getting rid of the place on a blacklist?
 * I did not find more information, so far.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988485)
 * Sucuri is definitely worth the money, but I was asking more if it found anything
   wrong with your site to begin with.
 * If there is one specific page McAfee doesn’t like, you can try removing it and
   filing an appeal with them.
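
The fix that cleared the warning in this thread was replacing the plugin with a fresh copy. The sketch below is an added example, not code from the thread or from any plugin mentioned in it: it compares an installed plugin directory against an unpacked clean download of the same version and lists files that were modified, added or are missing. The directory layout and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tree_hashes(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare_trees(installed: Path, clean: Path) -> dict:
    """Classify installed files against the clean reference copy."""
    inst, ref = tree_hashes(installed), tree_hashes(clean)
    return {
        "modified": sorted(f for f in inst.keys() & ref.keys() if inst[f] != ref[f]),
        "extra": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }

def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo() -> dict:
    """Constructed sample trees; contents are harmless placeholders."""
    tpl = "widgets/widgets/animated-image/tpl/default.php"
    clean = {tpl: b"<img src=\"placeholder\" />\n", "readme.txt": b"readme\n"}
    installed = dict(clean)
    installed[tpl] += b"<?php /* constructed: line not in the clean copy */ ?>\n"
    installed["inc/unknown.php"] = b"<?php /* constructed: file not in the clean copy */ ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "installed"), installed)
        write_tree(Path(tmp, "clean"), clean)
        return compare_trees(Path(tmp, "installed"), Path(tmp, "clean"))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A file that matches the clean copy byte for byte but is still flagged by a scanner points to a false positive or a stale blacklist entry rather than to a change on disk.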


The topic ‘Backdoor (1) in default.php file?’ is closed to new replies.

## Tags

 * [default.php](https://wordpress.org/support/topic-tag/default-php/)
 * [php](https://wordpress.org/support/topic-tag/php/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 14 replies
 * 2 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [10 years, 3 months ago](https://wordpress.org/support/topic/backdoor-1-in-defaultphp-file/#post-6988485)
 * Status: not resolved

