but it will delete all infected files which are required for wordpress to function.
He needs to scan with wordfence first and remove the malicious codes from the required files before scanning with imunify 360
My Site's been hacked!
- Thread starter YUCATAN.DANCE
- Start date
-
Welcome to Original Babiato! All Resource are Free and No downloading Limit.. Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here! Support Our Work By Donating Click here!
He needs to scan with wordfence first and remove the malicious codes from the required files before scanning with imunify 360
YUCATAN.DANCE
Active member
Guys...
here is the simple method. ask your hosting provider for a full cPanel scan, that'll generate a log in root directory.
then use that report to find the infected files/folders and remove all.
here is my 2nd scan summary i did 30 mins ago.
here is the simple method. ask your hosting provider for a full cPanel scan, that'll generate a log in root directory.
then use that report to find the infected files/folders and remove all.
here is my 2nd scan summary i did 30 mins ago.
Code:
----------- SCAN SUMMARY -----------
Known viruses: 2206551
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 6378
Scanned files: 38937
Infected files: 0
Data scanned: 895.23 MB
Data read: 1903.41 MB (ratio 0.47:1)
Time: 1922.703 sec (32 m 2 s)unfortunately the regular scan doesn't always show all infected files
scan with wordfence again using high sensitivity scan to make sure and ask your hosting provider to install imunify 360 extension if it's not installed, if it's installed use it from cPanel and make sure to change the proactive defence to kill mode
YUCATAN.DANCE
Active member
thanks for the suggestion. I'll ask hostgator right away. i don't thik they'll use imunify 360, cuz they have sitelock managed by them.unfortunately the regular scan doesn't always show all infected files
scan with wordfence again using high sensitivity scan to make sure and ask your hosting provider to install imunify 360 extension if it's not installed, if it's installed use it from cPanel and make sure to change the proactive defence to kill mode
and wordfence is running in background with high sensitivity mode. let's see..
- Oct 19, 2020
- 62
- 14
- 8
I can't help but laugh when someone says either that Wordfence (or whatever WP plugin) will protect them from hacking/solve any hacking and when someone blames something they had downloaded here to be the cause of the hack.
In this particular case, I've to admit, because of your URL I thought that it was something that I did to a client that didn't pay.
In this particular case, I've to admit, because of your URL I thought that it was something that I did to a client that didn't pay.
wordfence will detect files with malicious codes and then you have to fix them yourself !!!
imunify 360 will stop the execution of malicious files
That was what i said
- Oct 19, 2020
- 62
- 14
- 8
The answer you gave on the previous page actually was not bad (as much as I don't like Imunify).
I guess I have seen too much blame on the plugin downloaded, and not on the person itself.
iWebMastro
New member
- Nov 16, 2022
- 1
- 0
- 1
I had the something similar to this, and the culprit for me was Classic Editor Plugin.
Like, If I activate Classic Editor Plugin, automatically some casino links were added to my site and lot of URL get generated to some slot website.
Even in upload folder again and again the File was getting uploaded, even if I delete them.
So first I cleaned my site with Wordfence.
Started looking for Plugins and Found when I activate Classic Editor Plugin all this sh** was happening.
I deleted, Classic Editor and problem solved.
Like, If I activate Classic Editor Plugin, automatically some casino links were added to my site and lot of URL get generated to some slot website.
Even in upload folder again and again the File was getting uploaded, even if I delete them.
So first I cleaned my site with Wordfence.
Started looking for Plugins and Found when I activate Classic Editor Plugin all this sh** was happening.
I deleted, Classic Editor and problem solved.
try securityinfinity.com
use their lifetime deal
it scans and shows all vulnerabilities in minutes.
tried for a friend and it worked
datadeba
Member
- May 5, 2022
- 54
- 40
- 18
I have also faced the same problem. I removed all the codes some time ago. My site ranking totally down!
I've had the same hack before. I don't love Wordfence but have used it. I used Securi (the plugin, not the service) on one site that was infected but found that it kept sending me false positives every time there was interaction with WooCommerce. Just my experience and I think we all find what works for us.
For a free solution:
wordpress.org/plugins/ninjascanner/
wordpress.org/plugins/ninjafirewall/
With the free versions you can run a scan and find problematic files and files that are don't match the original theme/plugin files where matching is available. Those unmatched files can be automatically fixed in many cases. The firewall will not prevent new hacks if you already have backdoors.
If you have SSH access there are a number of grep searches you can run to find files with similar strings. When this hack affects one site, it often affects other WP sites in the neighborhood.
You can run a search with a string you find in an affected file (sample string here - use one from your file):
You can also prevent files from being overwritten like this (wp-config.php, index.php and any others that get harmfully changed):
*You have to undo this if you are ever purposely changing (plugin/theme updates, etc.) or removing the directory containing the file you have protected this way.
You can also look for changed files in the past X time:
If you don't permanently solve the problem, it WILL come back.
For a free solution:
wordpress.org/plugins/ninjascanner/
wordpress.org/plugins/ninjafirewall/
With the free versions you can run a scan and find problematic files and files that are don't match the original theme/plugin files where matching is available. Those unmatched files can be automatically fixed in many cases. The firewall will not prevent new hacks if you already have backdoors.
If you have SSH access there are a number of grep searches you can run to find files with similar strings. When this hack affects one site, it often affects other WP sites in the neighborhood.
You can run a search with a string you find in an affected file (sample string here - use one from your file):
| find . -type f -name '*.php' | xargs grep -l " *Array();global*" |
You can also prevent files from being overwritten like this (wp-config.php, index.php and any others that get harmfully changed):
| find . -name "index.php" | xargs chattr +i |
*You have to undo this if you are ever purposely changing (plugin/theme updates, etc.) or removing the directory containing the file you have protected this way.
You can also look for changed files in the past X time:
| find . -type f -name '*.php' -mtime -1 -ls |
If you don't permanently solve the problem, it WILL come back.
emmsana
Member
- Feb 14, 2021
- 106
- 14
- 18
@YUCATAN.DANCE it will be appreciated if you can list the plugin and the theme. So that we can be careful of where to download from. Thanks.
emmsana
Member
- Feb 14, 2021
- 106
- 14
- 18
Please how do we know those trusted sellers here on babiato? Is there any section for it?
- Oct 16, 2019
- 373
- 189
- 43
Check their post history, age on forum, number of sales & contributions. For example, for anything for sale by someone like @Medw1311 or @TassieNZ will be 100% legit beyond doubt. There are quite a few very legit sellers here who you can safely buy from without any worries at all. These examples should give you an idea on how you can judge.
taintedage
Member
- May 5, 2022
- 73
- 17
- 8
So I had same issue a couple of days back, after combing through here this is what has solved my issue.
Deep scan with wordfence
Delete all plugins and themes and leave default wordpress themes
deleted wp includes and wp admin and replaced them with new folders from wordpress repository
So far so good so far, but I keep scanning and monitoring, and since it has not come back I suspect some outdated plugins
Deep scan with wordfence
Delete all plugins and themes and leave default wordpress themes
deleted wp includes and wp admin and replaced them with new folders from wordpress repository
So far so good so far, but I keep scanning and monitoring, and since it has not come back I suspect some outdated plugins
emmsana
Member
- Feb 14, 2021
- 106
- 14
- 18
I really appreciate the efforts of the moderators and the admins. Unfortunately, with what i learnt here yesterday, i decided to check one of my website which was broken and i am still trying to fix it.
i got the woozone plugin from babiato using the download button which i believe was screened before upload as you suggested. However, this is my scanned result attached. The ironic part is i just downloaded the Wordfence to scan the website and discovered wordfence even detected itself as effected.
CC: @Tomz
i need advice pls.
i got the woozone plugin from babiato using the download button which i believe was screened before upload as you suggested. However, this is my scanned result attached. The ironic part is i just downloaded the Wordfence to scan the website and discovered wordfence even detected itself as effected.
CC: @Tomz
i need advice pls.
Attachments
Maybe since you already have the injector on your website it just inject all php codes ?!
I'm using kaspersky total security and it usualy detect all infected php files, i will run a scanon the files you mentioned if you give me the post link and the version
I have just checked wordfence 7.7.1 and the infected file that you have in the screenshot is not even in the package !!
It must have been copied there by the malware that you already have on the server !
Please check the downloaded package locally on your PC and you will understand what i'm talking about !
and if you notice that it's already a dot file in both locations of the screenshots
I believe that you should've investigated this before you post such a comment, right ?
Similar threads
