• Resolved vossalab

    (@vossalab)


    Hi there,

    Can you guys help out? We’ve used the Quttera internal scan and got these results. Unfortunately, we can’t decipher what’s going on. Report below.

    =======================================================================
    Quttera Web Malware Scanner plugin for WordPress
    Website Malware Scan Report
    
    Scanned Website: https://orgiecompany.com
    Scan type: Internal
    Report generation time: 2021-11-04 16:37
    
    Scan launch time: 2021-11-04 16:12
    Scanned files: 32205
    Clean: 32185
    Potentially Suspicious: 9
    Suspicious: 7
    Malicious: 4
    
    © 2021 Quttera Ltd. All rights reserved.
    For any questions about this report: [email protected]
    =======================================================================
    
    FILE: wp-admin/error_log
    FILE_MD5: f86e6d114c1bbb9e2ba906cc51c863e6
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: f86e6d114c1bbb9e2ba906cc51c863e6
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-includes/functions.php
    FILE_MD5: bb5e0afc6e3bbc183d056d9418fe66bc
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: bb5e0afc6e3bbc183d056d9418fe66bc
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file
    
    FILE: wp-includes/.htaccess
    FILE_MD5: afbfe5b96c30725461c87c5a9b438a0a
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: afbfe5b96c30725461c87c5a9b438a0a
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ea818234bd45260819f343124a2b49bd
    THREAT_NAME: Heur.PHP.Hexa.gen.4e
    THREAT: $v[0].$v[0].$v[1].$v[1].$v[2]....
    DETAILS: Detected malicious PHP obfuscation
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ea818234bd45260819f343124a2b49bd
    THREAT_NAME: Heur.PHP.Encoded.gen
    THREAT: $v[0].$v[0].$v[1].$v[1].$v[2]....
    DETAILS: Detected malicious PHP obfuscation
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 9a9bb3830c4b5d46c22c9e3e66f3c21f
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 77d806dc7371711849afef87d14c29c4
    THREAT_NAME: Heur.PHP.Encoded.gen
    THREAT: \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e...
    DETAILS: Generic suspicious HEX encoder
    
    FILE: wp-admin/network/error_log
    FILE_MD5: ccf1dce3dd1c18d821375390b8fbb28b
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ccf1dce3dd1c18d821375390b8fbb28b
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-admin/user/error_log
    FILE_MD5: 6e3dccea3211902769fc49c3f2cbd9ee
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 6e3dccea3211902769fc49c3f2cbd9ee
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-includes/blocks/error_log
    FILE_MD5: dcc811f89f18368f6e7e2c2d60418bde
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: dcc811f89f18368f6e7e2c2d60418bde
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-content/plugins/antispam-bee/CHANGELOG.md
    FILE_MD5: 871aea79c292f0b6bb61aa18aa5dc44c
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/antispam-bee/js/raphael.min.js
    FILE_MD5: c6a62efcd62b5aface9a6e03272b7ce9
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: c664da642f08448d6b4cfb11c840b7e5
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \x09\x0a\x0b\x0c\x0d\x20\xa0...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/litespeed-cache/lib/jsmin.cls.php
    FILE_MD5: c0b1f1372db6d72a0304614b5b9226dd
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 44d596c8f0b86a1f94015eb5b55af2c4
    THREAT_NAME: Heur.PHP.iframe.gen.38
    THREAT: preg_replace('/e...
    DETAILS: Detected malicious iframe injection
    
    FILE: wp-content/plugins/sucuri-scanner/src/mail.lib.php
    FILE_MD5: 7b6d288b03158f92691a4b1e75f2a824
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 385be5e48f8157440cca64b0dea95da5
    THREAT_NAME: Heur.PHP.Mailer.gen.4c4b4f
    THREAT: @mail($email, $subject, $message, implode("\r\n", $headers)...
    DETAILS: Detected suspicious mailer
    
    FILE: wp-content/plugins/yith-woocommerce-badges-management/plugin-fw/yit-deactive-plugin.php
    FILE_MD5: 9806469f9cb1525500509e524089757a
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 1b44e2c055310d733b72c27516a19d23
    THREAT_NAME: Heur.PHP.Redirection.gen
    THREAT: <?php /** * Functions for deactivating plugins. * * @pac...
    DETAILS: Detected malicious redirection header
    
    FILE: wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/yit-deactive-plugin.php
    FILE_MD5: 9806469f9cb1525500509e524089757a
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 1b44e2c055310d733b72c27516a19d23
    THREAT_NAME: Heur.PHP.Redirection.gen
    THREAT: <?php /** * Functions for deactivating plugins. * * @pac...
    DETAILS: Detected malicious redirection header
    
    FILE: wp-content/themes/bridge/css/woocommerce.min.css
    FILE_MD5: 0491bb25eefe859d8bc5a7ab74d3c7d9
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/themes/bridge/css/woocommerce.css
    FILE_MD5: 03e28dfa8a01594f44393a5048fc9b65
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/yith-woocommerce-badges-management/plugin-fw/includes/class-yit-plugin-panel.php
    FILE_MD5: 00ab60b6c4e5a36c4a401bcd2ba8013d
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/includes/class-yit-plugin-panel.php
    FILE_MD5: 9649ac9133928bbd29f9a26529e77729
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/revslider/public/assets/css/settings.css
    FILE_MD5: 3562402588e3bd6410012cf058d1948c
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/revslider/public/assets/css/settings-source.css
    FILE_MD5: bbdc05bd89914457a2e2fd5c82d2169f
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/fat-portfolio/assets/js/library/diamond/jquery.diamonds.js
    FILE_MD5: 68ac808506b98e834aef4057935117c0
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 0828df5c240b8860e3853e270ecda0cf
    THREAT_NAME: Heur.JS.Encoded.gen
    THREAT: 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace...
    DETAILS: Suspicious obfuscated JavaScript threat
    
    FILE: admin/view/javascript/d_shopunity/library/codemirror/mode/julia/index.html
    FILE_MD5: 69db273ff7565bb4dd261c774cf95a40
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ccc4d60100b9840a602836237f6d66d9
    THREAT_NAME: Heur.PHP.Encoded.gen.276B
    THREAT: @eval(:x)...
    DETAILS: Detected suspicious eval call

    Thanks!


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author quttera

    (@quttera)

    Hello,

    Based on the report, you have modified WordPress core files as well as alien files added to WordPress core directories (these files should not be there).

    Can you please send an archive (zip/tgz) including the following files to support[at]quttera.com for further investigation?

    wp-includes/functions.php
    wp-includes/.htaccess
    admin/view/javascript/d_shopunity/library/codemirror/mode/julia/index.html
    system/library/xlsxwriter.class.php

    Please mention the website’s domain name.

    Our malware research team will investigate these files and will share the verdict.

    Best Regards
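A small parser for the plain-text report format pasted in the first post, added here as an example (it is not Quttera's code and assumes only the field layout visible in the report). It collapses the repeated hits on one path into a single entry with the highest severity, and lists the kinds of paths the reply above asks for: malicious verdicts plus the CoreFile/AlienFile core-integrity heuristics.

```python
import re

# Severity names exactly as the report's SEVERITY field spells them, ranked.
RANK = {"enPotentiallySuspiciousThreatType": 1,
        "enSuspiciousThreatType": 2, "enMaliciousThreatType": 3}
FIELD = re.compile(r"^([A-Z][A-Z_0-9]*): (.*)$")   # e.g. "FILE_MD5: ..."

def parse_report(text):
    """One dict per FILE block; header lines such as 'Clean: 32185' are skipped."""
    records, cur = [], {}
    # keep only the upper-case KEY: value lines, ignore banners and blanks
    for m in filter(None, map(FIELD.match, map(str.strip, text.splitlines()))):
        key, value = m.groups()
        if key == "FILE" and cur:              # a new block begins
            records.append(cur)
            cur = {}
        cur[key] = value
    return records + [cur] if cur else records

def summarise(records):
    """Collapse repeated hits on the same path into one entry."""
    files = {}
    for r in records:
        e = files.setdefault(r["FILE"], {"md5": r.get("FILE_MD5"), "severity": 0, "threats": []})
        e["severity"] = max(e["severity"], RANK.get(r.get("SEVERITY"), 0))
        if "THREAT_NAME" in r and r["THREAT_NAME"] not in e["threats"]:
            e["threats"].append(r["THREAT_NAME"])
    return files

def needs_review(files):
    """Paths to pull for manual review: malicious verdicts, plus CoreFile/AlienFile hits of any severity."""
    return sorted(p for p, e in files.items() if e["severity"] == 3 or
                  any(t.startswith(("Heur.CoreFile", "Heur.AlienFile")) for t in e["threats"]))

# Constructed excerpt in the report's layout (ENGINE/THREAT/DETAILS lines dropped).
SAMPLE_REPORT = """\
Clean: 1
FILE: wp-includes/functions.php
FILE_MD5: bb5e0afc6e3bbc183d056d9418fe66bc
SEVERITY: enSuspiciousThreatType
THREAT_NAME: Heur.CoreFile.gen

FILE: system/library/xlsxwriter.class.php
FILE_MD5: 99eb95176201e11212bfc9e7650c901b
SEVERITY: enMaliciousThreatType
THREAT_NAME: Heur.PHP.Hexa.gen.4e

FILE: system/library/xlsxwriter.class.php
FILE_MD5: 99eb95176201e11212bfc9e7650c901b
SEVERITY: enPotentiallySuspiciousThreatType
THREAT_NAME: Heur.PHP.Encoded.gen.271C
"""
```

Run `needs_review(summarise(parse_report(open("report.txt").read())))` on the full pasted report to get the de-duplicated list; the error_log and yit-deactive-plugin.php entries land there too, since they carry AlienFile or Malicious verdicts.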

    Thread Starter vossalab

    (@vossalab)

    Hello,

    Files sent!

    Best regards,
    Pedro Pina

    Thread Starter vossalab

    (@vossalab)

    Hello!

    Thank you very much for the speedy reply. Glad to know that everything is safe and running smoothly. Updating the post status.

    Best regards,
    Pedro Pina

  • The topic ‘Help needed! Website probably infected.’ is closed to new replies.