• Resolved hmsproducts

    (@hmsproducts)


    Plugin installed that was not caught by even your free scanner (which is usually very good).

    Plugin “name”: injectbody/injectsrc

    I found this after a site started redirecting users to a scam support page. However, Wordfence “high sensitivity” scan didn’t detect it. Has anyone else seen this, and any ideas on where else this could be lurking? I can’t seem to find it anywhere else. Sucuri is still seeing the payload, but Wordfence still does not see it.

    Thanks,
    HMS Products

Viewing 7 replies - 1 through 7 (of 7 total)
  • What payload does Sucuri still see? They usually tell you the name of the payload from their database.

    ^V

    Thread Starter hmsproducts

    (@hmsproducts)

    It’s finding the following. The payload was in the plugin files that I deleted, but I am not finding it anywhere else in the site.

    malware.generic_jsobfuscator

    Thanks!

    I have found the same malicious plugin installed in a site I manage (injectbody/injectsrc). The premium version of Wordfence did not detect this. I was only able to figure this out after reading hmsproducts’ initial question.

    Thread Starter hmsproducts

    (@hmsproducts)

    I found the remaining issue. It was from the Lightbox Evolution plugin (removed from WP Plugin repository) that was using obfuscated code. Removed it and the Sucuri scan is now coming up clean. Still, though, Wordfence didn’t find that either, which is a bit concerning.

    Good luck!

    I have found the same plugin in my site (injectbody/injectsrc). I deleted the files, but I don’t know if I have to do a database clean or if there are other infected files.

    Hello,

    Logs show that hackers log into WordPress and install those two plugins. So changing WordPress passwords and checking for rogue users is a must.

    Note, the plugins have code that makes them visible in the dashboard only when you provide a special parameter. So don’t rely on what you see in the dashboard – check wp-content/plugins directly on the server.

    • This reply was modified 7 years, 1 month ago by UseShots.
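
The on-disk check recommended in the reply above, written out as an added example (not part of any reply in this thread, and not Wordfence or Sucuri code). It compares the entries of wp-content/plugins with an administrator-maintained list and flags the two names reported here; the `audit_plugins` and `make_sample` functions, the `expected.txt` file and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit wp-content/plugins on disk.
REPORTED="injectbody injectsrc"   # plugin names reported in this thread

# audit_plugins WP_ROOT EXPECTED_FILE
# EXPECTED_FILE (hypothetical, admin-maintained) lists one expected entry of
# wp-content/plugins per line. Prints findings; returns 1 if there are any.
audit_plugins() {
    plugdir="$1/wp-content/plugins"
    expected=$2
    status=0
    [ -d "$plugdir" ] || { echo "ERROR no plugin directory: $plugdir"; return 2; }
    # Second glob also catches dot-prefixed entries a plain listing omits.
    for entry in "$plugdir"/* "$plugdir"/.[!.]*; do
        [ -e "$entry" ] || continue              # glob matched nothing
        name=$(basename "$entry")
        [ "$name" = "index.php" ] && continue    # stock placeholder file
        case " $REPORTED " in
            *" ${name%.php} "*) echo "REPORTED $name"; status=1; continue ;;
        esac
        grep -Fxq -- "$name" "$expected" || { echo "UNEXPECTED $name"; status=1; }
    done
    return "$status"
}

# Constructed sample tree: two expected plugins, both reported names, and
# one hidden directory nobody listed.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/wordfence" \
             "$root/wp-content/plugins/injectbody" \
             "$root/wp-content/plugins/injectsrc" \
             "$root/wp-content/plugins/.cache"
    : > "$root/wp-content/plugins/index.php"
    printf '%s\n' akismet wordfence > "$root/expected.txt"
    echo "$root"
}

sample=$(make_sample)
audit_plugins "$sample" "$sample/expected.txt" || echo "findings: review the entries above"
rm -rf "$sample"
```

An entry marked UNEXPECTED is only a difference from the list, so each one still needs a manual look before it is removed.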

    Hi,
    Thanks for reporting this issue. It was reported to our team for investigation a couple of days ago, but I missed replying back on this thread.

    @hmsproducts thanks for sending the sample ZIP file.

  • The topic ‘Wordfence Fail – Didn’t find malicious plugin’ is closed to new replies.