Support » Plugin: Wordfence Security - Firewall & Malware Scan » Malware Scan ccode.php

Viewing 15 replies - 1 through 15 (of 19 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @exolon Don’t post malware or malware links on this site again. It does not add any value here. The important detail is that an attacker was able to place a file on your site.

    If that file exists on your site then you’re hacked and need to delouse your site. Please remain calm and give this a good read.

    https://wordpress.org/support/article/faq-my-site-was-hacked/

    When you have successfully deloused your site then consider giving this a read too.

    https://wordpress.org/support/article/hardening-wordpress/

    ok sorry, I wanted to know, how and why I was attacked, the site has just started and is under maintenance

    Hey @exolon,

    Firstly, I’d suggest updating all passwords including WordPress, sFTP, database, and hosting control panel.

    In addition to Jan’s excellent recommendations, you might also look through the guide below. however, if the site becomes reinfected or you’re not comfortable doing this I’d suggest reaching out to a professional hack repair service to have the site cleaned, and the point of entry patched.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    As far as how this happened, it’s really hard to say. It could be a plugin with a vulnerability or a server infection. To find how why/how this happened you’ll really need a hack repair service to investigate it.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

    • This reply was modified 5 months, 1 week ago by WFGerroald.

    Hi @exolon,

    You have probably been hacked because you might have downloaded a nulled premium plugin.

    I am an author from a plugin, and we found out that our plugin has been stolen and is available for free from a very malicious website. This website author has injected the malware you are referring to in our plugin and made the whole pack downloadable for free (bad luck for us and for our potential customers).

    Just don’t download nulled plugin or very bad things will happen to your site, even if you have the best anti-malware on the market.

    I took a look at this malware, and it is really opening doors to an attacker and let him install whatever he wants on your site.

    If you downloaded nulled plugins, just consider not doing this again and you’ll be fine 😉

    Regards.

    karimisaid

    (@karimisaid)

    Hi guys

    The same is happening to me.

    This (wp-content/plugins/ccode.php) actually has a very bad code in it.
    In my case the url it contacts is http://www.vomndo.xyz/update.php

    What it does is show bad ad pop ups. I didn’t see it mor like two month, WHY? Because:

    1. I had a s**ty security plug in.

    2. Because the code is set to hide pop up ads from Admins and logged in users. Luckily, it only shows bad ads if the visitor accessed the website from a search engine (google, yahoo, etc.). So, not many of my website visitors saw the forced ads as I usually share the link to exams,doc files in SCN (fb). and the website is merely 3 months old. Not well indexed by search engines.

    That’s the bad thing about it. Everything seems good to you (as an admin or logged in user, it also uses your browser cookies to reognize you, and not show you ads and forcing visitors to accept to get notifications of such immoral ads.

    Havinbg discovered the ads, the second challenge was to find the malicious code. I wouldn’t have done it without wordfence.

    I deleted the ccode.php file (it’s actually a pluging hidden from the dashboard of plugings, but still found in the plugins directory (not in a folder). When I deleted it using file manager, I refreshed the plugins dashboard and a there was a wp message saying something like ccode.php plugin isn’t active as it was deleted.. or so. I also found it in phpmyadmin database after searching for ccode.php in the tables. There was a match listed under wp_options active_plugins.

    I’m a begginer, at trouble shooting.. Is there a way to determine if there is an injector of this code/plugin, to avoid it coming back.
    I really don’t want to keep checking my website logged out and from different devices through search enjines.
    I hope word spreads about this malicious code, as many wouldn’t realize that their website promotes bad ads, etc.
    Thanks from Marrakech

    kmilomore

    (@kmilomore)

    Dude, I have the same problem with the ccode.php file, how can I delete or disinfect this file ?

    One of my clients faced the same issue, they downloaded a theme from downloadfreethemes.co website. Following forensic examination, I found out that, ccode.php register itself as a plugin but hidden in the backend. It basically target add on traffic that is coming through search engines. It does not have access to SSH, SFTP or create uses or steal user/admin credentials.

    To mitigate, let the Wordfence plugin scan outside of the WordPress directory and you will need to carry a sensitive full scan and delete the offending files or the lines of code suggested by Wordfence plugin.

    Hi!
    > let the Wordfence plugin scan outside of the WordPress directory
    That option seems to be enabled by default. I’ve read the concerning section here: https://www.wordfence.com/help/scan/options/
    Does this actually mean all files on the server get scanned, or which files does this concern?

    • This reply was modified 4 months, 2 weeks ago by hcn101.
    thegrbteam

    (@thegrbteam)

    @hcn101 did it come back for you? I found it in a site, removed it, cleaned everything, updated all official plugins. This was only two days ago, but no sign of it yet…

    andy786

    (@andy786)

    @thegrbteam Did it came back for you? I have multiple WordPress installations at my hosting. I have cleaned all but still, it is returning back. @thegrbteam @hcn101 @kmilomore Do you know the root cause of this file ccode.php?

    It is effecting 1000 of sites nowadays. You can read about it at https://prophaze.com/web-application-firewall/tracking-down-new-wordpress-popup-injection-malware/

    thegrbteam

    (@thegrbteam)

    @andy786 so far it’s not returned. Deep cleaned, updated and changed all passwords and admin users. Had some old wp installs on test domains which probably let it in from an old plugin.

    I’m also infected this day and unable to access wp dashboard,. so I checked all files on File Manager and sorted out the recent dates edit and found out this ccode.php,

    just simply remove it and it’s done,.

    Not completely done.
    You’ll have to remove its entries from mysql database.
    Scan for keywords of websites it advertises on your site. Scan also for know malware keywords to remove the scripts which may regenerate the malware again..

    just simply remove it and it’s done,.

    I don’t think so. The infected downloaded plugin I found on the web had the malicious file, copied at different locations inside the plugin, and with different names.

    Plus, this malware opens doors to let the attackers install new plugins, so, if you activated the malware, you probably got others malicious scripts installed on your site.

    Regards.

    @tlartaud Can you let us know the name of Infected plugin which you downloaded from the web?

Viewing 15 replies - 1 through 15 (of 19 total)
  • You must be logged in to reply to this topic.