Gel4y Mini Shell by Indonesian Darknet 🕵️

Recently encountered a version of Gel4y Mini Shell that is not yet detected by Imunify360! Gel4y Mini Shell is a small PHP shell that has two notable features: 🔴 Compared to other PHP shells such as IDBTE4M BOT V87, Gel4y Mini Shell by Indonesian Darknet offers far fewer features: Source code: UPDATE: Imunify360 now …

⚠️ Cloudflare phishing popup that downloads malware

In this post, I will discuss the most realistic phishing popup that I’ve seen in years. These popups appear only on WordPress websites that use Cloudflare and can easily be mistaken for Cloudflare’s original “Sorry, you have been blocked” screen. The post is divided into two sections: analysis of the malware and malicious code …

🔴 R4gn4r0 Mailer 1.0

R4gn4r0 Mailer is a straightforward PHP script used to send bulk emails from hacked WordPress websites. It offers capabilities like email address filtering, mass emailing and blacklist checking, and is essentially a clone of LeafMailer. The malware is usually found as a wp-active2.php file. Simple login form, the password is …

IDBTE4M BOT V87 🤖

IDBTE4M BOT V87 is a PHP shell with an unusually capable mailer function that is hard to detect because it uses random [email protected] addresses for sending spam. Source code: when accessed publicly, the IDBTE4M BOT V87 shell returns a blank page, but with a POST request containing the random password the shell looks like this: …

🔴 FoxAuto WordPress malware

The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website, and that step is removing the cronjobs. While removing AnonymousFox malware from a website I noticed the following cron: It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it; the script is: It creates a new folder css and replaces …

How to Clean 🔴 cofounderspecials.com Malware

According to publicwww, about 5000 websites are known to be infected with this type of WordPress malware. It is similar to the legendarytable.com malware and injects JavaScript code into every post and page so that visitors are redirected to third-party websites. Check if infected: To check if your website is infected, open phpMyAdmin, select your database, …

Three Column Screen Layout WordPress Plugin ⚠️ Exploit

Another website got hacked and the owner noticed weird Chinese characters in the search results for his website. The index.php file contained the following code: Initially, the point of entry for this malicious code was a plugin named Three Column Screen Layout that has a vulnerability which, as many other WordPress users report, is being actively …

How to delete WordPress malware ($_REQUEST['action']) && isset($_REQUEST['password']) &&

This type of malware causes unwanted redirects to third-party websites and is commonly found inside a nulled theme’s functions.php file. Source code: How to remove these WordPress redirects? Delete the wp-vcd.php and class.wp.php files from the wp-includes folder; edit post.php and delete the malicious code; edit your theme’s functions.php file and delete the above code ☝️. UPDATE: I recommend reinstalling WordPress as instructed here: How to …