While I was working on TROM II I saw an email alert from one of my websites, saying that 4 or so suspicious files called ".bt" were located in directories they should not belong to. This was tromsite.com so I was worried. After looking a bit more into it, it was clear...this was a virus. One that injects code into the website and redirects parts of the website to some bullshit pharmaceutical sites, to sell nonsense. Fuck...
After digging into it I finally managed to trace it. They infect PHP files. I got a hold of what the code looks like, logged into the server via SSH, did a "sudo su" to have root privileges, and ran `find . -name '*.bt' -print` inside that WordPress folder, to see where all of the ".bt" files are located. Then I deleted them one by one with "rm". Of course I then realized the virus creates these files all the time, so that's not a solution, and they are not the "virus" but an outcome of it.
Finally I searched all .php files that contained get_data_ya with `find . -name '*.php' -print0 | xargs -0 grep 'get_data_ya' > output.txt`. I checked the output.txt file and I FOUND it! It was ./wp-includes/pomo/mo.php that was infected. I downloaded a fresh copy of WordPress and since this is a core file I replaced it with the main WordPress file. Done.
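The hunt described above, as an added example that is not code from the original post: a POSIX shell script that builds a constructed WordPress-like tree (one core file carrying the `get_data_ya` marker and two `.bt` dropper files, both taken from the post; the paths and file contents are made up for the demo), then runs the three steps a practitioner would actually take: list the dropper files, locate the PHP files carrying the injected marker, and compare every PHP file against a fresh copy so that modified core files and foreign files dropped into core directories both show up, before restoring the modified file from the clean copy.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the clean-up of an
# injected WordPress core file on a constructed sample tree.
set -u

# Build a constructed WordPress-like tree: a site with one infected core file
# and two dropper files, plus a "fresh" copy of the same core file.
make_sample_tree() {
    root=$1
    mkdir -p "$root/site/wp-includes/pomo" "$root/site/wp-content/uploads" \
             "$root/fresh/wp-includes/pomo"
    # Clean core file (stand-in for the real wp-includes/pomo/mo.php)
    printf '<?php\n// clean\nfunction translate_entry() { return 1; }\n' \
        > "$root/fresh/wp-includes/pomo/mo.php"
    # Infected copy: same content plus an injected function using the marker
    cp "$root/fresh/wp-includes/pomo/mo.php" "$root/site/wp-includes/pomo/mo.php"
    printf '%s\n' 'function get_data_ya($u){ /* injected */ }' \
        >> "$root/site/wp-includes/pomo/mo.php"
    # Dropper artifacts (.bt files), the symptom the alert reported
    printf 'x' > "$root/site/wp-content/uploads/a.bt"
    printf 'x' > "$root/site/wp-includes/b.bt"
}

# Step 1: list the dropper files. Deleting these treats the symptom only.
find_droppers() {
    find "$1" -type f -name '*.bt' | sort
}

# Step 2: list the PHP files that contain the injected marker ($2).
# -print0/-0 keeps paths with spaces intact; grep -l prints file names only.
find_injected_php() {
    find "$1" -type f -name '*.php' -print0 | xargs -0 grep -l -- "$2" | sort
}

# Step 3: compare every PHP file under the site ($1) with the fresh copy ($2).
# MODIFIED = content differs from the clean file; EXTRA = file has no clean
# counterpart (a backdoor dropped into a core directory would show up here).
diff_against_fresh() {
    site=$1; fresh=$2
    (cd "$site" && find . -type f -name '*.php' | sort) | while IFS= read -r rel; do
        if [ ! -f "$fresh/$rel" ]; then
            printf 'EXTRA %s\n' "$rel"
        elif ! cmp -s "$site/$rel" "$fresh/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Step 4: keep the infected file for analysis, then restore it from the clean copy.
restore_file() {
    site=$1; fresh=$2; rel=$3
    cp "$site/$rel" "$site/$rel.infected" && cp "$fresh/$rel" "$site/$rel"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "== dropper files =="; find_droppers "$tmp/site"
    echo "== php files containing get_data_ya =="; find_injected_php "$tmp/site" get_data_ya
    echo "== php files differing from the fresh copy =="; diff_against_fresh "$tmp/site" "$tmp/fresh"
    restore_file "$tmp/site" "$tmp/fresh" wp-includes/pomo/mo.php
    echo "== after restore (empty means core matches) =="; diff_against_fresh "$tmp/site" "$tmp/fresh"
    rm -rf "$tmp"
}
demo
```

On a real install, step 3 is what WP-CLI's `wp core verify-checksums` does against the official release checksums, and it only covers core: the plugin and theme directories, wp-content/uploads, .htaccess, wp-config.php and the database (injected options, admin users, rogue scheduled events) need the same kind of review, because replacing one core file does not prove the dropper that rewrote it is gone. The marker grep catches this one infection only; a string that is not on the page yet could hide the same backdoor under a different name, so it is worth also grepping for the usual obfuscation primitives (base64_decode, eval, gzinflate) and sorting PHP files by modification time.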
For now all seems good.
It appears that they were able to infect our website because of some outdated plugins. The main suspect is a premium one that I bought from codecanyon, and since they do not provide auto-updates (and thus I have to manually keep an eye on the releases + update it on the website), I failed to update it in months. See!? The Bullshit trade game. "If you want this, give me that!" and because of this humans have to put up barriers that are fucking atrocious. If this plugin was open source it would be easy peasy. Push updates to all who have it installed. But these other motherfuckers who trade software for money have to restrict it, and then they can't provide updates easily...
Anyways...seems to be ok now but I will keep on monitoring the website closely. #tromlive
More info about this virus, here.