Make WordPress Core

Opened 17 months ago

Closed 17 months ago

Last modified 16 months ago

#50295 closed defect (bug) (invalid)

malware report

Reported by: aerta
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Hi,
I have had half a dozen WP sites running the Blox theme and Padma themes infected with malware in the last few days. The theme developers insist that their themes aren't the cause, and the sites are hosted in two separate hosting companies - who also deny vulnerability.

Common plugins are:
akismet, classic editor, easy smooth scroll links, foogallery, foobox image lightbox, GDPR cookie consent banner, google xml sitemaps, imsanity, jetpack, loginizer, responsive menu pro, unique title checker, velvet blues, wordfence, yellow pencil pro, Yoast SEO, Padma services, padma updater, layerslider, disable comments, disable gutenberg, mobile menu, really simple ssl, widget content blocks, WP latest posts, disable comments, layerslider WP, WP responsive menu.

Here are the reports from Wordfence. I'd be very grateful if you could give me some idea how the malware is getting into these sites so that I can stop it happening. Thanks, John

Critical Problems:

  • File appears to be malicious: fdrdfu.php
  • File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
  • File appears to be malicious: ucjovrw.php
  • File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
  • File appears to be malicious: izbymjv.php
  • File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php

{HEX}php.cmdshell.egyspider.240 : /home/schoolof/public_html/wso2.php

  • File appears to be malicious: khrgpjrm.php
  • File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
  • File appears to be malicious: doc.php
  • File appears to be malicious: ognjlj.php
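The scanner output above is a raw list with duplicates, so the pattern in it is easy to miss: several PHP files with random-looking names sitting directly in the web root, one theme-bundled `doc.php` reported four times, and one file matched by a named signature from the host's own scanner. The following triage script is an added example, not part of this ticket, of Wordfence, or of WordPress; it parses lines in the format quoted above (the sample is the ticket's own lines, embedded as constructed input), de-duplicates them, groups them by location, and flags web-root files whose names look machine-generated. The `public_html` document-root convention, the list of core root files, and the random-name heuristic are assumptions of the example, not rules taken from the ticket or from Wordfence.

```python
"""Triage a Wordfence-style "File appears to be malicious" report.

Added example, not from the ticket or from Wordfence.  Groups scanner hits so a
defender sees the pattern (dropped files in the web root vs. files inside a
theme) rather than a raw, repetitive list.
"""
import re
from collections import Counter

# Constructed sample: the scanner lines quoted in the ticket, including the
# one signature hit from the host's scanner.
SAMPLE_REPORT = """\
File appears to be malicious: fdrdfu.php
File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
File appears to be malicious: ucjovrw.php
File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
File appears to be malicious: izbymjv.php
File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
{HEX}php.cmdshell.egyspider.240 : /home/schoolof/public_html/wso2.php
File appears to be malicious: khrgpjrm.php
File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php
File appears to be malicious: doc.php
File appears to be malicious: ognjlj.php
"""

WORDFENCE_RE = re.compile(r"^File appears to be malicious:\s*(?P<path>\S+)$")
SIGNATURE_RE = re.compile(r"^(?P<sig>\{HEX\}\S+)\s*:\s*(?P<path>\S+)$")

# PHP files WordPress core itself ships in the web root (not from the ticket).
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
VOWELS = set("aeiou")


def parse_report(text):
    """Return one finding per scanner line: {'path': ..., 'signature': name or None}."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = WORDFENCE_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "signature": None})
            continue
        m = SIGNATURE_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "signature": m.group("sig")})
    return findings


def relative_path(path):
    """Reduce an absolute path to its web-root-relative form.
    Assumption of this example: the document root is a directory named public_html."""
    marker = "/public_html/"
    if marker in path:
        return path.split(marker, 1)[1]
    return path.lstrip("/")


def classify_location(rel_path):
    """Bucket a web-root-relative path by where in the install it sits."""
    if "/" not in rel_path:
        return "webroot"
    for prefix, label in (("wp-content/themes/", "theme"),
                          ("wp-content/plugins/", "plugin"),
                          ("wp-content/uploads/", "uploads")):
        if rel_path.startswith(prefix):
            return label
    return "other"


def looks_random(filename):
    """Heuristic (an assumption of this example, not a Wordfence rule): an
    all-lowercase stem of 5+ letters with few vowels or a long consonant run
    looks machine-generated rather than like a real file name."""
    stem = filename[:-4] if filename.endswith(".php") else filename
    if filename in CORE_ROOT_FILES or not stem.isalpha() or not stem.islower() or len(stem) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def triage(report_text):
    """De-duplicate findings and summarise them for a responder."""
    findings = parse_report(report_text)
    counts = Counter(relative_path(f["path"]) for f in findings)
    distinct = sorted(counts)
    return {
        "distinct": distinct,
        "by_location": Counter(classify_location(p) for p in distinct),
        "suspicious_webroot": sorted(p for p in distinct
                                     if classify_location(p) == "webroot" and looks_random(p)),
        "signature_hits": {relative_path(f["path"]): f["signature"]
                           for f in findings if f["signature"]},
        "repeated": {p: n for p, n in counts.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the ticket's lines, the summary collapses eleven hits to eight distinct files, flags the five random-named web-root files, and shows that the theme path was reported four times. As comment #1 below notes, the files a scanner finds are usually what an intruder dropped, not the entry point, so this grouping is a starting point for the clean-up, not an explanation of how the sites were compromised.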

Change History (5)

#1 @carike
17 months ago

  • Keywords needs-patch removed
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed
  • Version 5.4.1 deleted

Hallo @aerta :)

Core Trac is for reporting issues in the WordPress (core) software itself.
If you suspect that there may be malware in a plugin, please do not report it publicly.
You can contact the developer, if they have an e-mail address in the plugin, or via their official website, or via their GitHub.
If that is not something you want to do (which is okay too), or not something you are able to do, you can reach out to the plugins team at plugins @ wordpress . org

That having been said, the report from Wordfence is not very detailed (and therefore not easily actionable), so there may not be anything that can be done.
If you are using a premium version of Wordfence, you may want to consider contacting them via their official support channels.

Something you need to remember is that the place that malware shows up (if it is indeed malware), may not necessarily be the place that it came from. You may want to consider hiring a reputable company to clean up your site for you.

I am closing this ticket as we are unfortunately not able to assist you with your issue here.
All the best!

#2 follow-up: @aerta
17 months ago

Thank you. The reason I posted here is because I'm not certain that a plugin is at fault, and I wondered if it may be a vulnerability in the WP core which allowed these Trojans into my sites.

#3 in reply to: ↑ 2 @knutsp
17 months ago

Replying to aerta:

I wondered if it may be a vulnerability in the WP core

In that case you should absolutely not report it here. You did not read the big warning "Do not report potential security vulnerabilities here", and the instructions on how to do so, in the "New ticket" header section.

You are welcome to report all other bugs, and to suggest enhancements to core here.

#4 @carike
17 months ago

Although a vulnerability in core is always possible (which is why the HackerOne reporting mechanism exists), it is usually far more likely that the source of the malware is a plugin or a theme.
That is particularly true when the plugin or theme was not obtained from the official WordPress.org repository / directory, respectively - which appears to be the case here.
It becomes even more likely that a plugin or theme can contain malicious code if you obtained that code from a nulled source (so a "free" version not directly from the developer).

There are reputable companies out there that you can hire to find the source of malware and to clean up your site. That may be an avenue you may wish to consider.

#5 @desrosj
16 months ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted