JetPack Protect Warning

  • Resolved equidistant

    (@equidistant)


    6 months, 2 weeks ago

    Hi Support,

    I’ve started to get warning from JetPack Protect security scan as follows (I get 2 warnings on each site I have Matomo WordPress Plugin and JetPack Protect installed)

    Is this anything I need to worry about?
    Are you able to update the plugin to stop this warning in future?

    Up to date on all WordPress, themes, plugins etc etc.
    Tried removing the Matomo plugin (deleting all data) and reinstalling from plugins repository – scan throws the same warning.

    Thank you

    File contains malicious code: eagercache-502-tracker.php

A malware was found on your site. Please take immediate action.More

What did Jetpack find?

wordpresscore(.com) is a domain name that was used as part of an exploit to the Custom Content Type Manager plugin. This suspicious string that was found may or may not be related however. Further investigation may be required.

Sometimes the code is so heavily obfuscated that it's hard to tell what are the final intentions of it, however, Jetpack Scan team's experience allows them to pinpoint the most common indicators and alert when something is wrong.

The technical details

Threat found in file:/srv/htdocs/wp-content/uploads/matomo/tmp/cache/tracker/eagercache-502-tracker.php

1

<?php return unserialize('a:2:{s:8:"lifetime";i:1715317617;s:4:"data";a:296:{s:21:"PluginCoreVueMetadata";a:7:{s:11:"description";s:25:"CoreVue_PluginDescription";s:8:"homepage";s:19:"https://matomo.org/";s:7:"authors";a:1:{i:0;a:2:{s:4:"name";s:6:"Matomo";s:8:"homepage";s:19:"https://matomo.org/";}}s:7:"license";s:7:"GPL v3+";s:7:"version";s:5:"5.0.2";s:5:"theme";b:0;s:7:"require";a:0:{}}s:30:"PluginCorePluginsAdminMetadata";a:7:{s:11:"description";s:34:"CorePluginsAdmin_PluginDescription";s:8:... (truncated)

How to resolve or handle this detection?

Jetpack Scan cannot automatically fix this threat. We suggest that you resolve the threat manually: ensure that WordPress, your theme, and all of your plugins are up to date, and remove the offending code, theme, or plugin from your site.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support dizzyatinnocraft

    (@dizzyatinnocraft)

    Hi @equidistant, can you download the file the warning is talking about (eagercache-502-tracker.php) from your server and email it to dizzy (at) innocraft (dot) com?

    Plugin Support dizzyatinnocraft

    (@dizzyatinnocraft)

    Also you many want to report this to JetPack Protect as well.

    Thread Starter equidistant

    (@equidistant)

    Thanks @dizzyatinnocraft – I have emailed you the file and reported to Jetpack also.

    Jeremy Herve

    (@jeherve)

    Jetpack Mechanic ??

    Hi there!

    I work on the Jetpack team and wanted to provide a bit more information about the issue.

    I’m not quite familiar with how the Matomo Analytics plugin works, but it seems that it’s caching a list of spam referrer websites, under the name ReferrerSpamFilter-referrer_spam_blacklist. That list of spam websites includes some malicious sites, including one that is triggering the alert you’re getting from Jetpack Protect.

    That doesn’t mean your site is vulnerable though, since that malicious site isn’t found anywhere on your site; it’s just listed as a site that should be ignored in your stats by the Matomo plugin.

    You can consequently mark this threat as “Ignored” in the Protect interface. This warning does not show a vulnerability on your site, it’s a false positive.

    Thread Starter equidistant

    (@equidistant)

    Hi @dizzyatinnocraft

    Had a reply back from JetPack as follows which confirms it is a false positive in their scan (it has just picked up the malicious domain referenced in the Matomo code and flagged that). Message as follows:

    It seems that it’s caching a list of spam referrer websites, under the name?ReferrerSpamFilter-referrer_spam_blacklist. That list of spam websites includes some malicious sites, including one that is triggering the alert you’re getting from Jetpack Protect.
    ?
    That doesn’t mean your site is vulnerable though, since that malicious site isn’t found anywhere on your site; it’s just listed as a site that should be ignored in your stats by the Matomo plugin.
    ?
    You can consequently mark this threat as “Ignored”. Your site is not vulnerable.

    Thank you for looking into it – I think you can close this now.

    Plugin Support dizzyatinnocraft

    (@dizzyatinnocraft)

    I see, yes, that makes sense. Thanks for the replies and explanation. If it’s possible to avoid false positives like this popping up, we’ll do so.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘JetPack Protect Warning’ is closed to new replies.