W3 Total Cache cached files contain virus
-
Hi,
Recently I have seen that most of the files cached by this plugin are reported by the virus scanner as containing a virus. Is there a security vulnerability in this plugin? Even if I delete the cached files, they are created again with the virus. The virus mentioned is "PUA.Phishing.Bank".
Has anyone faced such a problem?
-
Hi, I am facing the same problem: the exact same virus, PUA.Phishing.Bank, in the cache folder. The moment I switch off Page Caching in the settings, it stops coming, but I cannot do without page caching. Please let me know how this can be solved. I scanned the cached HTML files; it is showing some trojan…
Hi jha_final, even after deleting the infected files, they get recreated with the same virus whenever those URLs are accessed. Before posting here, I found that a lot of other users had faced the same problem, but there was no resolution for it.
My hosting provider blocked the outbound port 80 whenever they saw these infected files, which makes the site very slow, especially wp-admin.
Finally I decided to stop using the plugin and went for the free CloudFlare service, which does the caching and minifying of CSS, JS and image files.
I have no solution for you, but if your main goal in using this plugin is to improve the site response, I suppose you may try CloudFlare, if it suits you. All the best.
Ok so first let’s get into the detail of why this is most likely a false positive.
PUA is a potentially unwanted application. Phishing Bank is normally used to describe a form of malware that targets banking or ecommerce transactions.
Now, your cache files are just static versions of your main website URLs; therefore, if this was a true infection, your users would still be getting it whether or not you have it cached (unless it was an exploit of W3TC).
The easiest way to test this is to take one of the cache files (whichever one ClamAV says is malicious) and download it to your computer. Then go to virustotal.com and upload the same file.
If it comes back with only 1 detection, i.e. ClamAV, ignore the warning. If it comes back with multiple, take a close look and decide from there.
You could also check your website frontend given that same website.
Hope this helps.
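The triage suggested above can be prepared with a short script before any file is sent for a second opinion. This is an added example, not part of the original post and not code from W3TC or ClamAV: it parses `path: signature FOUND` report lines (the sample report is constructed), maps W3TC `page_enhanced` cache paths back to the live URLs they are static copies of, and separates hits that lie outside the cache. The function names, the `https` scheme and the sample paths are assumptions.

```python
import re
from collections import Counter

# Constructed sample of clamscan-style report lines (not taken from the thread).
SAMPLE_REPORT = """\
/home/u/public_html/wp-content/cache/page_enhanced/www.example.com/our-parents/_index.html: PUA.Phishing.Bank FOUND
/home/u/public_html/wp-content/cache/page_enhanced/www.example.com/our-parents/_index.html_gzip: PUA.Phishing.Bank FOUND
/home/u/public_html/wp-content/cache/page_enhanced/www.example.com/_index.html: PUA.Phishing.Bank FOUND
/home/u/public_html/wp-content/uploads/form.php: Example.Constructed.Signature FOUND
"""

HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Page-cache layout handled here: .../page_enhanced/<host>/<path>/_index.html[_gzip]
CACHED = re.compile(
    r"/wp-content/cache/page_enhanced/(?P<host>[^/]+)/(?P<page>.*?)_index\.html(?:_gzip)?$"
)

def parse_report(text):
    """Return (path, signature) for every 'FOUND' line; other lines are ignored."""
    return [(m["path"], m["sig"]) for m in map(HIT.match, text.splitlines()) if m]

def cache_path_to_url(path, scheme="https"):
    """Map a cached file to the live URL it is a static copy of (None if not a cache file)."""
    m = CACHED.search(path)
    return f"{scheme}://{m['host']}/{m['page']}" if m else None

def triage(text):
    """Collapse cache hits to the pages to re-check and keep non-cache hits separate."""
    urls, outside, sigs = set(), [], Counter()
    for path, sig in parse_report(text):
        sigs[sig] += 1
        url = cache_path_to_url(path)
        if url:
            urls.add(url)                # .html and .html_gzip are the same page
        else:
            outside.append((path, sig))  # not explained by the page cache
    return {"recheck_urls": sorted(urls), "outside_cache": outside, "signatures": dict(sigs)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Entries under `recheck_urls` point at what the site itself rendered (theme, plugin or post markup), since the cache only stores that output; anything under `outside_cache` needs its own investigation.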
I have the same issue on many sites on my two different hosting accounts.
Due to the W3 Total Cache issues, my hosting company has already closed the outbound ports on both hosting accounts for two days.
I already reported these issues to my hosting support, but they replied that my hosting accounts were hacked.
Incredible!
I never had such problems with W3 Total Cache, but now I have a huge headache.
@destac: thanks for the detailed suggestion. I do suspect that this could be a false positive. The scanner in cPanel reported 17 cached files, and I had scanned the related URLs and homepage with virustotal.com. None of the links are reported to have been infected. However, I have deleted the cached files.
The issue here is that the hosting provider is blocking the outbound port 80 whenever they find these infected files (although it could be a false positive) which is making things worse for me.
Thanks again.
If you are both facing security issues, I recommend using CloudFlare and setting the default security level to high; it will solve the problem!
Can you please close the thread, if you don't mind? It makes it easier on me (if we are done here).
The PUA.Phishing.Bank virus is a serious, issue-causing one. It is affecting W3 Total Cache, and when I tried using WP Super Cache, it was also affected by it in the caching folder.
I strongly believe that if it is not removed, it will affect the search engine position of websites, because Google will block the websites, saying that they have malicious software installed, and this is another main aim of the virus: to blacklist a website from Google or other search engines, in addition to collecting personal data about site visitors.
I have sent messages to W3 Total Cache support and am waiting for a reply.
This issue should not be waved off as a simple one. If it is not properly dealt with, next time it will be affecting other important plugins or even WordPress itself.
I found my site extremely slow and was wondering what the reason was, and when I contacted the hosting support, they informed me that my port 80 was closed due to a virus infection.
So everyone, please check whether your site is affected by this virus. You will never know you are infected unless you scan the site and files as follows:
Go to cPanel.
Search for Virus Scanner. You will get the (ClamAV Scanner) Virus Scanner, and you can start a new scan with the option "Scan Entire Home Directory". Start the scan, and after 100% completion of the scan you will get the details of the infected files and how to quarantine or destroy them. Also, from cPanel, check whether your port 80 is open or closed.
@shinu123 the problem with what you said comes from the part where you state that WP Super Cache had the same issue. If that is the case, it is not because of W3TC; it's likely that your particular website has some sort of script that is being registered as a false positive.
However, if it isn't, then it still wouldn't be tied to W3TC. This means you should be reviewing your website scripts, particularly the cached pages that are being registered as malicious.
If the issue was tied to W3TC and it was injecting malicious code, you would expect it to be found on more pages than just a handful.
Again, it's most likely a false positive.
Also, VirusTotal, the website I gave, is owned and operated by Google. One of the scanning engines is Google's Safe Browsing. Take your website and run the cached file through there.
Both for the most part should come up as being 100% clean.
Hi,
This problem is not just with W3 Total Cache. I am using WP Rocket and facing the same problem. Most of the cached files are reported by the virus scan to be containing the virus "PUA.Phishing.Bank", and my hosting blocked the outbound port 80 whenever they got to see these infected files. Deleting these cache files also didn't help, as they are created again!
I have sent a support ticket to WP Rocket and am waiting for a reply.
It will be nice if someone finds the reason behind this and, of course, a fix for this problem.
What happens when you try using security plugins to scan your site? Does this PUA Phishing Bank still come up?
Hi, I recently installed the W3 Total Cache plugin, and after scanning from the cPanel ClamAV antivirus, I found PUA.Phishing.Bank in the cache directory.
The main problem is that after uninstalling W3 Total Cache, I installed other cache plugins, but all show the same issue. I think W3 Total Cache saved this virus somewhere in the WordPress files, and now it comes with all cache plugins.
Please help me.
These are the infected files that showed PUA.Phishing.Bank:
https://hindisoch.com/wp-content/cache/page_enhanced/www.hindisoch.com/our-parents/_index.html
https://hindisoch.com/wp-content/cache/page_enhanced/www.hindisoch.com/our-parents/_index.html_gzip
@saxenapawan I am getting the exact issue. I have exported the blogs in XML format and imported them into another instance; there also I am getting the issue. I tried Wordfence and another plugin for caching; it is also giving this same problem.
This is bad. There has been no response from the W3 Total Cache developers.
It is very frustrating.
@saxenaspawan I scanned both files through the URL checker and the file checker on VirusTotal, plus 5 antivirus engines on my local machine; you are 100% good, my friend.
ClamAV also returned with no warning; again, it's most likely a false positive.
If you know how to manage your own server, try to update ClamAV. This is a good hint guide:
https://www.clamav.net/documents/installing-clamav
You are all mindlessly at this point blaming the plugin, despite it being one antivirus which is returning it for multiple plugins that can't all have the same problem.
If you have never worked with computer security, I recommend you take a step back and breathe. ClamAV isn't really relevant in terms of AV protection, as it's an open source project with limited functionality and it is prone to getting errors.
IF ANYONE ELSE HAS FILES THEY WANT CHECKED DROP THE LINK HERE AND I WILL PERSONALLY CHECK THEM ALL. ONLY GIVE ME ABOUT 1-5.
- The topic ‘W3 Total Cache cached files contain virus’ is closed to new replies.