How does this malware work? (Found it in my astra child theme)

mrbo

Member
Nov 10, 2018
Hi! Somebody contacted me today and said that they think I have some malware on my website. I checked it in Chrome, Mozilla and Opera in private mode without any extensions and I didn't get any errors. Then they sent me a video of it when browsing with Safari, which was redirecting to another site.

Wordfence found the malicious code in the Astra child theme's functions.php. Does anybody have any idea how it might have got there? I'm also very curious to understand how the malware works, if someone would like to explain. From what I understand it checked if I had a wp-tmp file, but when I try to access that website directly it doesn't work.
 

Attachments

  • astra-child-functions.zip
    1.8 KB · Views: 48
Where did you download this child theme?
 
Yeah, but why does it try to communicate with wp-includes/wp-tmp.php, and what's with the password request at the top?
 
Everything back to your host.
I'm sure you installed some hacked plugins before, or someone uploaded a shell to your host.
 

OK, thanks. Just a quick follow-up question: what does VirusTotal do?
I just checked the file with VirusTotal and it said it was clean.
 
VirusTotal checks for any signs of a virus using 60+ antivirus applications. It is one of the most reliable forms of checking for viruses.
 

OK, so it doesn't check for malicious code?
I thought malicious code was part of the structure of a virus.
 
VirusTotal will NOT detect malicious code. These are two different things. I am using the free Wordfence plugin and changed file and folder permissions so that no one can overwrite or upload files. Besides that, you can only pray and back up daily.
 
Hi @mrbo

When you use any nulled plugin or theme on your site, there is a very high chance of a malware attack on your website.
First of all, check your theme's functions.php file; if you see some malicious code at the top of the file, it means you are under a malware attack.
Different types of malware code work on a site: some cause a white blank page on the website, and others redirect the site to other unwanted sites when you search for your site on Google.
The solution to this malware is to remove the unwanted code, use some good security plugins, and use Google Console to crawl the website for the redirect case.

Thank you
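
A defender's triage of the indicators named in this thread, as an added example that is not part of the original posts or the attached file: it flags a wp-includes/wp-tmp.php file and any theme functions.php that references it or reads a password-style request parameter. The regular expressions, the function names and the sample tree are constructed assumptions.

```python
import re
import sys
from pathlib import Path

# Heuristics taken from what the thread describes, not from the attached file
# (assumption: the injected code names wp-tmp.php and reads a password-style
# request parameter near the top of functions.php).
INDICATORS = {
    "references wp-tmp.php": re.compile(r"wp-tmp\.php", re.I),
    "password-style request parameter": re.compile(
        r"\$_(REQUEST|POST|GET)\s*\[\s*['\"](password|pass|pwd)['\"]", re.I),
}

def scan_wordpress(root):
    """Return {relative path: [findings]} for the WordPress install at root."""
    root = Path(root)
    findings = {}
    # Stock WordPress does not ship wp-includes/wp-tmp.php, so its presence is a finding.
    if (root / "wp-includes" / "wp-tmp.php").is_file():
        findings["wp-includes/wp-tmp.php"] = ["unexpected file in wp-includes"]
    # Check every theme and child theme, not only the active one.
    for fn in sorted((root / "wp-content" / "themes").glob("*/functions.php")):
        text = fn.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[fn.relative_to(root).as_posix()] = hits
    return findings

def build_constructed_site(root):
    """Write a constructed sample tree: a clean theme and a tampered child theme."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "wp-tmp.php").write_text("<?php // constructed placeholder\n")
    for name, body in {
        "astra": "<?php\nadd_action('wp_enqueue_scripts', 'astra_scripts');\n",
        "astra-child": "<?php\n"
                       "if (isset($_REQUEST['password'])) { /* constructed, no payload */ }\n"
                       "$tmp = ABSPATH . 'wp-includes/wp-tmp.php';\n",
    }.items():
        theme = root / "wp-content" / "themes" / name
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text(body)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress
    for path, hits in scan_wordpress(sys.argv[1]).items():
        print(f"{path}: {', '.join(hits)}")
```

A hit is a reason to diff the file against a clean copy of the theme, not proof of infection on its own.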
 
