Skip to content

Magefix.com – Guides

Powered by Magefix

Search

Magefix.com – Guides

Powered by Magefix

Close menu

Magefix.com – Guides

Powered by Magefix

Search Toggle menu

Site hacked? Check wp-stream.php, wp-logout.php & signup.php

By Adrian StoianApril 9, 2021April 22, 2021Guides

If your site keeps getting infected with stick.travelinskydream.ga malware after a recent cleanup, follow these instructions:

1. Review our latest cleanup guide:
https://guides.magefix.com/2021/04/stick-travelinskydream-ga/.

Need help? Let us clean your site.

2. Make sure ALL your plugins and themes are up to date, including:
All Thrive themes, including Pressive, Rise, Ignition, and others | Version < 2.0.0 Thrive Optimize | Version < 1.4.13.3 Thrive Comments | Version < 1.4.15.3 Thrive Headline Optimizer | Version < 1.3.7.3 Thrive Themes Builder | Version < 2.2.4 Thrive Leads Version | < 2.3.9.4 Thrive Ultimatum Version | < 2.3.9.4 Thrive Quiz Builder Version | < 2.3.9.4 Thrive Apprentice | Version < 2.3.9.4 Thrive Architect | Version < 2.6.7.4 Thrive Dashboard | Version < 2.3.9.3 Thrive Ovation | Version < 2.4.5 Thrive Clever Widgets | Version < 1.56.1 3. Review and reset password for all users with administrator privilege. 4. Clean _posts table, using search and replace plugin ( Better search and replace ).

Look for wp-strongs.php, wp-stream.php, signup.php and lte_ files.
Also make sure index.php files are clean. Monitor wp_posts table.

Need help? Try our Free security analysis.

Malicious URLs and domains:
hxxps://stick.travelinskydream[.]ga/analytics.js
hxxps://tron.talkingaboutfirms[.]ga/main.js?s=553&b=2&cid=11141
Domains: bellowforwardstep.me.

Malicious plugins or files found:
/wp-content/uploads/wp-logout.php
/wp-content/uploads/wp-stream.php
/lte_

Attacker IPs noted:
5.255.176.41, 195.242.110.144, 67.211.223.164, 129.226.116.80.

Logs
176.96.238.135 – – [07/Apr/2021:16:05:37 +0200] “POST /wp-content/uploads/wp-logout.php HTTP/1.1” 200 63 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”
195.154.191.51 – – [05/Apr/2021:23:18:33 +0200] “POST /wp-stream.php HTTP/1.1” 200 43 “example.com” “Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36”
185.183.208.12 – – [19/Mar/2021:20:23:20 +0100] “POST /wp-stream.php HTTP/1.0” 404 23702 “example.com” “Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36”
185.212.129.205 – – [02/Apr/2021:14:13:46 +0200] “POST /wp-content/uploads/wp-logout.php HTTP/1.1” 200 127 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”

signup.phpstick.travelinskydream.gatron.talkingaboutfirms.gawp-logout.phpwp-stream.php

Post navigation

How To Clean AnonymousFox Hack & Prevent From Happening Again
AnonymousFox explained loginOK & Wordfence alerts
Magefix platinum
© 2023 Magefix.com - Guides. Proudly powered by Sydney