How does this malware work? (Found it in my astra child theme)

mrbo

Member
Nov 10, 2018
43
8
8
Hi! Somebody contacted me today and said that they think I have some malware on my website. I checked it in Chrome, Mozilla and Opera in private mode without any extension and I didn't get any errors. Then they sent me a video of it when browsing with Safari, which was redirecting to another site.

Wordfence found the malicious code in the astra child theme functions.php. Does anybody have any idea how it might have got there? I'm also very curious to understand how the malware works, if someone would like to explain. From what I understand it checked if I had a wp-tmp file, but when I try to access that website directly it doesn't work.
 

Attachments

  • astra-child-functions.zip
    1.8 KB · Views: 46

tanierlyons

Well-known member
Staff member
Administrative
Moderator
May 24, 2018
75,058
111,714
120
> Hi! Somebody contacted me today and said that they think I have some malware on my website. I checked it in Chrome, Mozilla and Opera in private mode without any extension and I didn't get any errors. Then they sent me a video of it when browsing with Safari, which was redirecting to another site.
>
> Wordfence found the malicious code in the astra child theme functions.php. Does anybody have any idea how it might have got there? I'm also very curious to understand how the malware works, if someone would like to explain. From what I understand it checked if I had a wp-tmp file, but when I try to access that website directly it doesn't work.

Where did you download this child theme?
 

mrbo

Yeah, but why does it try to communicate with wp-includes/wp-tmp.php, and what's with the password request at the top?
 

tanierlyons

> Yeah, but why does it try to communicate with wp-includes/wp-tmp.php, and what's with the password request at the top?

Everything back to your host.
I'm sure you installed some hacked plugins before, or someone uploaded a shell to your host.
 

mrbo

> Everything back to your host.
> I'm sure you installed some hacked plugins before, or someone uploaded a shell to your host.

Ok, thanks. Just a quick follow-up question. What does VirusTotal do?
I just checked the file with VirusTotal and it said it was clean.
 

1nf0t3ch

Active member
Dec 3, 2018
231
120
43
> Ok, thanks. Just a quick follow-up question. What does VirusTotal do?
> I just checked the file with VirusTotal and it said it was clean.

VirusTotal checks for any signs of a virus using 60+ antivirus applications. It is one of the most reliable forms of checking for viruses.
 

mrbo

> VirusTotal checks for any signs of a virus using 60+ antivirus applications. It is one of the most reliable forms of checking for viruses.

Ok, so it doesn't check for malicious code?
I thought malicious code was part of the structure of a virus.
 

biscuit

Well-known member
May 30, 2018
417
240
63
VirusTotal will NOT detect malicious code. These are 2 different things. I am using the free Wordfence plugin and changed file and folder permissions so that no one can overwrite or upload files. Besides that you can only pray and back up daily.
 

john119

New member
Aug 19, 2019
19
4
3
Hi @mrbo

When you use any nulled plugin and theme on your site, there is the most potent chance of a malware attack coming to our website.
First of all, check your theme's functions.php file, and if you see some malicious code at the top of the data, it means you are under a malware attack.
Different types of malware code work on our sites: some show a white blank page on the website, and others redirect the site to other unwanted sites when you search for your site on Google.
The solution to this malware is to remove the unwanted code, use some good security plugins, and use Google console and crawl the website for the redirect case.

Thank you
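
The manual check discussed in this thread (look at each theme's functions.php and at wp-includes/wp-tmp.php), written as an added example that is not part of any post here and is not Wordfence's logic. The `password` parameter name, the function names and the sample tree are assumptions made for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Indicators come from the thread: functions.php refers to wp-tmp.php and has a
# "password request" near the top. The exact parameter name is an assumption.
INDICATORS = {
    "wp-tmp.php reference": re.compile(r"wp-tmp\.php", re.I),
    "password read from request": re.compile(
        r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]password['\"]\s*\]", re.I),
}

def scan_file(path):
    """Return (line number, indicator name) for every match in one PHP file."""
    lines = Path(path).read_text(errors="replace").splitlines()
    return [(no, name) for no, line in enumerate(lines, 1)
            for name, rx in INDICATORS.items() if rx.search(line)]

def triage(wp_root):
    """Scan each theme's functions.php and note whether wp-includes/wp-tmp.php
    exists (WordPress core does not ship a file with that name)."""
    root = Path(wp_root)
    themes = {}
    for f in sorted(root.glob("wp-content/themes/*/functions.php")):
        hits = scan_file(f)
        if hits:
            themes[f.parent.name] = hits
    return {"wp_tmp_present": (root / "wp-includes" / "wp-tmp.php").is_file(),
            "themes": themes}

def build_sample_site(base):
    """Constructed sample tree: a clean parent theme and a child theme whose
    functions.php holds two inert lines that mimic the described indicators."""
    base = Path(base)
    clean = base / "wp-content/themes/astra"
    child = base / "wp-content/themes/astra-child"
    for d in (clean, child, base / "wp-includes"):
        d.mkdir(parents=True)
    (clean / "functions.php").write_text("<?php\n// theme setup only\n")
    (child / "functions.php").write_text(
        "<?php\nif (isset($_REQUEST['password'])) { /* inert sample */ }\n"
        "$tmp = ABSPATH . 'wp-includes/wp-tmp.php'; // inert sample\n")
    return base

if __name__ == "__main__":
    # With no argument, run against the constructed sample tree.
    site = sys.argv[1] if len(sys.argv) > 1 else build_sample_site(tempfile.mkdtemp())
    print(triage(site))
```

A hit only marks a file for manual review against a clean copy of the theme; an empty result does not show the site is clean.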
 
