
How does this malware work? (Found it in my astra child theme)

mrbo (New member)
Hi! Somebody contacted me today and said that they think I have some malware on my website. I checked it in Chrome, Mozilla and Opera in private mode without any extension and I didn't get any errors. Then they sent me a video of it when browsing with Safari, which was redirecting to another site.

Wordfence found the malicious code in the Astra child theme's functions.php. Does anybody have any idea how it might have got there? I'm also very curious to understand how the malware works, if someone would like to explain. From what I understand it checked if I had a wp-tmp file, but when I try to access that website directly it doesn't work.

Attachments

Babak (Well-known member, Staff member, Administrator)
> Hi! Somebody contacted me today and said that they think I have some malware on my website. I checked it in Chrome, Mozilla and Opera in private mode without any extension and I didn't get any errors. Then they sent me a video of it when browsing with Safari, which was redirecting to another site.
>
> Wordfence found the malicious code in the Astra child theme's functions.php. Does anybody have any idea how it might have got there? I'm also very curious to understand how the malware works, if someone would like to explain. From what I understand it checked if I had a wp-tmp file, but when I try to access that website directly it doesn't work.
Where did you download this child theme?

mrbo (New member)
Yeah, but why does it try to communicate with wp-includes/wp-tmp.php, and what's with the password request at the top?

Babak (Well-known member, Staff member, Administrator)
> Yeah, but why does it try to communicate with wp-includes/wp-tmp.php, and what's with the password request at the top?
Everything comes back to your host.
I'm sure you installed some hacked plugins before, or someone uploaded a shell to your host.

mrbo (New member)
> Everything comes back to your host.
> I'm sure you installed some hacked plugins before, or someone uploaded a shell to your host.
Ok, thanks. Just a quick follow-up question. What does VirusTotal do?
I just checked the file with VirusTotal and it said it was clean.

1nf0t3ch (Active member)
> Ok, thanks. Just a quick follow-up question. What does VirusTotal do?
> I just checked the file with VirusTotal and it said it was clean.
VirusTotal checks for any signs of a virus using 60+ antivirus applications. It is one of the most reliable forms of checking for viruses.

mrbo (New member)
> VirusTotal checks for any signs of a virus using 60+ antivirus applications. It is one of the most reliable forms of checking for viruses.
Ok, so it doesn't check for malicious code?
I thought malicious code was part of the structure of a virus.

gopo (Member)
VirusTotal will NOT detect malicious code. These are 2 different things. I am using the free Wordfence plugin and changed file and folder permissions so that no one can overwrite or upload files. Besides that you can only pray and back up daily.

1nf0t3ch (Active member)
> Ok, so it doesn't check for malicious code?
> I thought malicious code was part of the structure of a virus.
You should always check using an anti-virus & anti-malware.

john119 (New member)
Hi @mrbo,

When you use any nulled plugin or theme on your site, there is a very high chance of a malware attack on your website.
First of all, check your theme's functions.php file; if you see some malicious code at the top of the file, it means your site is under a malware attack.
Different types of malware code work on a site: some produce a white blank page on your website, and others redirect your site to other unwanted sites when you search for your site on Google.
The solution to this malware is to remove the unwanted code, use some good security plugins, and use Google Search Console to crawl the website in the redirect case.

Thank you
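As an added example (not the malware, and not code from any forum member, Wordfence or Astra), a small scanner for what this thread describes: it walks a themes directory, reads each functions.php, and flags the wp-includes/wp-tmp.php reference the original poster saw, a password check near the top, and the eval/base64 obfuscation such injections usually carry. The infected sample is constructed to resemble the description, and the indicator list and the "top of file" threshold are assumptions about typical injections, so every hit is a trigger for manual review rather than proof.

```python
import re
from pathlib import Path

# Indicators: the wp-tmp.php contact and the password check the thread describes, plus the
# eval/base64 obfuscation such injections usually carry (assumption). Hits are review triggers.
INDICATORS = {
    "wp-tmp reference": re.compile(r"wp-includes/wp-tmp\.php"),
    "password gate": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](?:pass|password|pwd)['\"]"),
    "eval()": re.compile(r"\beval\s*\("),
    "base64_decode()": re.compile(r"\bbase64_decode\s*\("),
}
HEAD_LINES = 30  # the thread says the injected block sits at the top of functions.php (assumed size)

def scan_source(src: str) -> dict:
    """Return {indicator: [line numbers]} for every indicator found in one PHP source."""
    hits = {}
    for n, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits

def is_suspicious(hits: dict) -> bool:
    """Flag the wp-tmp.php reference outright, or two or more indicators near the top of the file."""
    if "wp-tmp reference" in hits:
        return True
    near_top = [name for name, lines in hits.items() if min(lines) <= HEAD_LINES]
    return len(near_top) >= 2

def scan_themes(theme_root: str) -> dict:
    """Scan every functions.php below a themes directory; returns {path: hits} for flagged files."""
    findings = {}
    for path in Path(theme_root).rglob("functions.php"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(hits):
            findings[str(path)] = hits
    return findings

# Constructed sample shaped like the thread's description; not the real injected code.
SAMPLE_INFECTED = """<?php
if (isset($_REQUEST['pass']) && $_REQUEST['pass'] === 'secret') { echo 'ok'; exit; }
$tmp = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php');
eval(base64_decode($tmp));
add_action('wp_enqueue_scripts', 'astra_child_styles');
"""
SAMPLE_CLEAN = "<?php\nadd_action('wp_enqueue_scripts', 'astra_child_styles');\n"

if __name__ == "__main__":
    hits = scan_source(SAMPLE_INFECTED)
    print("infected sample:", hits, "suspicious:", is_suspicious(hits))
```

Point scan_themes() at wp-content/themes to check a real install; a flagged file still needs a human to read the lines reported.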
 
