Security Archives

Yesterday, I was notified there were malicious activity from your website, a huge number of email spam messages is originating from it.211cn.ca. As a result the website was suspended as limited access, which only allow registered IP can access the website. When I logon, notification appeared on the panel. And my.siteground home Detail notification In the review panel I saw a list of files that contains malicious code. GEN|eval_base64decode|92ac7c84794de23675efab25846195ea|07/09/20| /home/hostlike/pubweb211/211it/blyuzewtpd.php GEN|eval_base64decode|92ac7c84794de23675efab25846195ea|07/09/20| /home/hostlike/pubweb211/211it/ndxwcecntb.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|11/09/20| /home/hostlike/pubweb211/211it/vckkmhpjam.php GEN|eval_base64decode|92ac7c84794de23675efab25846195ea|07/09/20| /home/hostlike/pubweb211/211it/lllriasktz.php GEN|eval_base64decode|b200c70d10b280b747353869008d8975|10/09/20| /home/hostlike/pubweb211/211it/guzzmmgqcc.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/cmswprkgwt.php GEN|eval_base64decode|6d9dc920c3142026786fac9ef4a85b7f|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/upmnzusqae.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/awiotljzvb.php HEX|strrev_gzinflate_obfusc|69f9670e8743e996e97b271aa8570044|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/rsixodaduj.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/wcbwqrugyx.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/zrjkkylnkr.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/oqjfkoyenl.php HEX|strrev_gzinflate_obfusc|69f9670e8743e996e97b271aa8570044|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/qbhdyxlhku.php HEX|strrev_gzinflate_obfusc|69f9670e8743e996e97b271aa8570044|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/wgmtivragq.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/hiqobbrcem.php HEX|strrev_gzinflate_obfusc|69f9670e8743e996e97b271aa8570044|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/smkjoogdfw.php HEX|strrev_gzinflate_obfusc|69f9670e8743e996e97b271aa8570044|07/09/20| /home/hostlike/pubweb211/211it/wp-content/plugins/wp-file-manager/lib/files/mmnudpdxaj.php STR|wp_vcd_malware|8125436f73ec321255941993e83d4215|17/05/19| /home/hostlike/pubweb211/211it/wp-content/themes/apostrophe-2-wpcom/functions.php STR|wp_vcd_malware|3bd15df2ee78583e0e5249c20b004570|17/05/19| /home/hostlike/pubweb211/211it/wp-content/themes/twentynineteen/functions.php STR|wp_vcd_malware|89e770805bc10deaaed0bc2b5e5e2044|17/05/19| /home/hostlike/pubweb211/211it/wp-content/themes/apostrophe-2-wpcom-child/functions.php STR|wp_vcd_malware|3342254765f2895b7287d55206c4715a|30/12/19| /home/hostlike/pubweb211/211it/wp-content/themes/twentytwenty/functions.php STR|wp_vcd_malware|6a87f54f37ac47b27764d760559444fe|17/05/19| /home/hostlike/pubweb211/211it/wp-content/themes/twentyseventeen/functions.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|10/09/20| /home/hostlike/pubweb211/211it/hllyqgfyoo.php GEN|eval_base64decode|d2015c782da6ab8e637d8e6fe7318d06|11/09/20| /home/hostlike/pubweb211/211it/F0xAutoConfig/inthagame.php GEN|eval_base64decode|d2015c782da6ab8e637d8e6fe7318d06|22/02/18| /home/hostlike/pubweb211/211it/api/intrigantes.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|10/09/20| /home/hostlike/pubweb211/211it/jsilrrlpdj.php STR|wp_vcd_malware|6fc123ea0b9564867df8f3391206f05c|02/01/20| /home/hostlike/pubweb211/211it/wp-includes/post.php STR|wp_vcd_malware|6e618a387332c93c2f78e08f21c724d3|17/01/20| /home/hostlike/pubweb211/211it/wp-includes/wp-vcd.php HEX|js_url_slider|92ea63f479cf2a449af94368f951010f|06/09/20| /home/hostlike/pubweb211/211it/wp-includes/wp-tmp.php GEN|eval_base64decode|d2015c782da6ab8e637d8e6fe7318d06|17/05/19| /home/hostlike/pubweb211/211it/wp-snapshots/intro.php HEX|eval_gzinflate_b64d_0|8266b96d0ba86770c9f7edf62198a003|07/05/19| /home/hostlike/pubweb211/211it/pages/tk_desk.php HEX|eval_gzinflate_b64d_0|8266b96d0ba86770c9f7edf62198a003|22/02/18| /home/hostlike/pubweb211/211it/tools/tjsend.php GEN|eval_base64decode|d6a7b5db62bf7815a10a17cdf7ddbd4b|10/09/20| /home/hostlike/pubweb211/211it/dvflreeurs.php HEX|remote_content_includer_6|3480dcf23fdfa81ed608897c2680bb4a|07/09/20| /home/hostlike/pubweb211/211it/vynugoevjh.php WP-VCD malware is used to add an admin user, it hides in legitimate WordPress files. The initial version of this threat was uploaded via wp include file called wp-vcd.php. The malicious code is injected into Wordpress core files like functions.php, class.wp.php, post.php, and also injected into WordPress themes, including child theme. It was reported that WP-VCD malware is a malicious code that comes bundled with illegitimate versions of a paid theme/plugin. These pirated themes and plugins incorporate malicious scripts that get inserted once you install them. Once leaked to your website though a nulled theme, it starts spreading to infect other themes on your site and even proliferates to infect every unprotected site hosted on the shared server. If you’ll look for “Free [pugin…

Mixed Content warning: request an insecure element was automatically upgraded to HTTPS

Removing WP-VCD malware