• Resolved josmatic

    (@josmatic)


    Hi,

    My team has a problem with multiple malicious types of virus. The first of them, VCD, came inside wp-includes/ and injected code into theme/functions.php. The second virus changes permissions and the third has some Chinese characters inside plugins. Also, on a few sites we had installed the Wordfence free version and set it up properly, but mysteriously Wordfence disappeared from the server!

    Have you had this experience before?

    Best regards.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter josmatic

    (@josmatic)

    More info from Wordfence:

    A backdoor known as cgok
    A backdoor known as 561C
    Suspicious eval with a base64_decode
    A suspicious code known as eval_exit
    Obfuscated code using eval via create_function.
    A malicious PHP backdoor
    A backdoor known as preg_replace-variant
    A backdoor known as SPEEDY-03
    A malicious file uploader known as Generic
    A backdoor known as n1zb
    A backdoor known as Xh33l

    Unknown file in WordPress core: wp-includes/js/tinymce/skins/wordpress/simple.php5
    Unknown file in WordPress core: wp-includes/rest-api/akismet.php
    Unknown file in WordPress core: wp-includes/js/tinymce/themes/modern/wp-console.php
    Unknown file in WordPress core: wp-includes/js/tinymce/themes/wp-single.php
    Unknown file in WordPress core: wp-includes/js/tinymce/plugins/image/got.php
    Unknown file in WordPress core: wp-includes/js/tinymce/plugins/wordpress/newsfired.php
    Unknown file in WordPress core: wp-includes/js/tinymce/plugins/fullscreen/sq.php
    Unknown file in WordPress core: wp-includes/js/mediaelement/renderers/ex_liner.php
    Unknown file in WordPress core: wp-includes/js/codemirror/miniv48.php
    Unknown file in WordPress core: wp-includes/css/hello.php
    Unknown file in WordPress core: wp-includes/css/newsside.php
    Unknown file in WordPress core: wp-admin/sib.php

    Hi @josmatic,

    It seems like your site has been infected with multiple backdoors.

    I would recommend backing up important data on the host, and then completely wiping the document root. Then, you can go about reinstalling WordPress, Wordfence, and then the other plugins you use with WordPress.

    The files detected in question were direct matches of known backdoors, so the likelihood of it being a false positive is very low.

    Dave

    Thread Starter josmatic

    (@josmatic)

    Thank you for the answer,

    Pretty much we did all of that, only we did not replace all plugins with new files. My question is: is the database infected!? We found a few MySQL injections for the database in the suspicious injections or files.

    Best regards.

    wfdave

    (@wfdave)

    Hi again,

    From the log above, I don’t believe your database is infected, however there are various infected files that Wordfence detected.

    Dave

    Thread Starter josmatic

    (@josmatic)

    Hi wfdave,

    Thank you for the answer. I did not find anything suspicious in the database, but after a few days I restored the site from before any backdoor activity, then set up Wordfence and a few additional security parameters.

    Once again, thank you.

  • The topic ‘wp-wcd.php and more malware’ is closed to new replies.