Google Security issue with item in WP includes

@jtrkwok It looks like some phishing directories were the cause of the warning being displayed by Google. Your host may have already deleted them, or they could have been removed by the attacker (some phishing kits self-remove after being used). I would also recommend using a different scanner than the cPanel virus scanner as it relies on the web server’s ClamAV signature database and this can vary a lot depending on the host. It would probably be easier to just replace the core WP files and directories (wp-includes, wp-admin) and then only need to scan through wp-content.

@g0tr00t Thanks for the reply. I have a few additional questions. Sorry I’m not exactly IT savvy.

” Your host may have already deleted them, or they could have been removed by the attacker (some phishing kits self-remove after being used)” Does this mean that the attacker has done what it wanted to do and has left my website alone (meaning I can ask Google to request a review)? Or has the attacker left some permanent edits to my files for future use?

As for the wp-includes and wp-admin. Are these files created/edited/updated only by WordPress, ie. not by me. Would downloading and replacing these files, which I assume I need to use a file manager like FileZilla, mess with any content in my website including plugins, backups, admin and account information etc.? If my content is safe, to carry out the replacement, do I just delete the wp-includes and wp-admin and replace them with the files downloaded from WP download page?

That said, I tried to go into the WP plugin page to download “shield security” which was recommended by some user after some research. wp-admin/plugin-install.php?tab=featured and all the other tabs is showing “An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums.”

Also not sure if related:
I did recently about 2 months ago have to rebuild my entire website from scratch when I was encountering problems visiting my website. Seems like some PHP files had been erased causing even my wp admin page to not load properly.

Just last week some email accounts disappeared from my cPanel “email accounts” list although they were viewable in the “File Manager”. My host loaded a backup from the day before and made me change my WP and cpanel password.

My website is an extremely basic website with no viewer/user interactions so this is probably causing me more headaches than what they could possibly gain.

Thanks again for your help.

@jtrkwok The hacker almost certainly will want to maintain some type of access (backdoor) for further malicious activity. This is usually in the form of a malicious file that can be used to upload further malicious content without the need of exploiting anything again – they just use the malicious backdoor file.

I would recommend trying to download the Sucuri plugin through the wp-admin dashboard and see if it gives you the same error. If it does, you can do this work around:

1) download the plugin’s .zip file here

2) using FTP or File Manager, upload the sucuri-scanner.1.8.21.zip file to your /wp-content/plugins/ directory

3) unzip sucuri-scanner.1.8.21.zip, it should unpack and create /wp-content/plugins/sucuri-scanner/ with all the plugin files.

4) go to your wp-admin, navigate to /wp-admin/plugins.php and the Sucuri plugin should show up and be available for activation.

I mention this plugin before replacing wp-admin or wp-includes as the plugin can compare your core WP files (wp-includes, wp-admin, etc) against the files on the WP repository corresponding to the version of WP you use.

It will list the files under “WordPress Integrity” if any have modifications like injected code. You will want to review the flagged files to be sure it was not anything you or a legitimate plugin added and is needed by your website. Nevertheless, be sure to backup before changing anything.

If there are just a handful of core WP files that were infected, then you can replace them by hand from the available files for all versions of WP here

And yes I think the issue you faced 2 months ago is related as that is not normal behavior for WordPress and the email accounts issue may also be due to malware as some malware will create email accounts just using a PHP file they uploaded and not ever logging into your cPanel like is normally done.

They aren’t trying to rip off your visitors, but rather just use your website’s good standing (e.g not blacklisted) and just spam out phishing emails that contain a link to the phishing pages they set up on your legit website. Any of the details submitted by the victim get sent to the hacker via email (sometimes they use different methods) and they just keep sending victims until you secure your website or until it is burned (blacklisted to the point it is no longer useful).

Hope this helps.

hello @g0tr00t

I’ve downloaded through the zip file. Plugin store is not working for me.
It says “All Core WordPress Files Are Correct” and “Site is Clean”

Can I assume that nothing was left behind or was deleted. or that Google detected some false positive?
Still blacklisted only by Google though so I’ll try and request for a review from them.

The plugin does have a few recommendations so I think I will explore those options.
PHP version is also apparently not updated so I’ll get my host to do that for me.

If there’s nothing left to do, I’ll wait for Google to get back to me and I’ll update the status here.

Thank you so much for your time.

@jtrkwok I did some further digging once I found your domain name and noticed that it does still seem to be containing some luxury brand content, however it is only displayed if the request to your website is made from a search engine crawler like Googlebot. It just checks the user-agent used in the HTTP request, so we can spoof this and trick the server in returning what it normally would return to Googlebot (I believe you should be able to “fetch as Google” within your Google Webmaster Tools security area).

If you are familiar with the terminal then you can use a curl request like this:

curl -sD – -L -A “Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)” “https://[redacted]/wp-includes/blocks/Assets/orantghamat/95b4ab135119154c8808b4792/”

(just put your domain name instead inplace of [redacted])

In case you can’t run it, here’s the results of it: https://pastebin.com/NMZFPJkR

As you can see, your website is infected with Japanese SEO spam that tries to remain hidden to your normal users and only search engines would really notice any problems as they are returned an entirely different web page. Unfortunately it looks like you do still have some malware, so I’d check your theme files (in particular: header.php, footer.php, and 404.php). Also the database tables wp_posts and wp_options should be checked for malicious content.

@g0tr00t

Are those codes what I need to look for? I’ve deleted 2 themes that I’ve downloaded (didn’t really open it, just deleted it using FileZilla) but not used and I’m left with Twenty-Nineteen. I’ve checked all the files in that that theme’s file and couldn’t really find anything out of the ordinary (to my limited knowledge)

Error log file does show this: (PHP Fatal error: Uncaught Error: Call to undefined function get_header() in /public_html/wp-content/themes/twentynineteen/index.php:17
Stack trace:
#0 {main}

Its the same error prompt I got 2 months ago, where my php files were empty and visiting the website gave a call to undefined function for something that I can’t recall now.

This is the code found in the header.php
https://pastebin.com/7tb8qHDJ

footer.php looks clean as everything refers to the blog and the theme
404.php is quite empty
The rest of the PHP files look normal (again, to my limited knowledge)

No idea how to check database tables wp_posts and wp_options though.

I did upgrade my PHP version to 7.1 just a few minutes before you posted.

EDIT: I’ve passed this information to my webhost and their reply was this:
A check shows that the malicious content is no longer there as we have restored the account with the backup

Maybe you want to contact your developer to perform a security check on your wordpress site.

In other words, they believe there is nothing wrong with the files and can’t follow up.

• This reply was modified 5 years, 7 months ago by jtrkwok.

Seems like the backup that my host did resolved it. No more warnings on Google Search Console. Marking as resolved for now.