• Resolved studiophg

    (@studiophg)


    I have a WordPress scan warning for malicious .gif files. The files don’t open as images, so I also believe they’re likely malicious as well.

    But when I delete the files via FTP, I have the following warning on the site.

    logos.gif): failed to open stream: No such file or directory in /homepages/37/d634318852/htdocs/clickandbuilds/printhousegroup/wp-content/themes/inkthemetrust/functions.php on line 10

    Warning: include(): Failed opening ‘images/logos.gif’ for inclusion (include_path=’.:/usr/lib/php5.6′) in /homepages/37/d634318852/htdocs/clickandbuilds/printhousegroup/wp-content/themes/inkthemetrust/functions.php on line 10

    Warning: Cannot modify header information – headers already sent by (output started at /homepages/37/d634318852/htdocs/clickandbuilds/printhousegroup/wp-content/themes/inkthemetrust/functions.php:10) in /homepages/37/d634318852/htdocs/clickandbuilds/printhousegroup/wp-admin/includes/misc.php on line 1114

    I have to put the .gif back to remove the error. WordPress scan results are:

    File appears to be malicious: wp-content/themes/inkthemetrust/images/logos2.gif
    Filename: wp-content/themes/inkthemetrust/images/logos2.gif
    File Type: Not a core, theme or plugin file.
    Issue First Detected: 8 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “a:7:{s:18:”__sape_delimiter__”;”. The infection type is: Misc:TXT/links. This file was detected because you have enabled “Scan images, binary, and other files as if they were executable”, which treats non-PHP files as if they were PHP code. This option is more aggressive than the usual scans, and may cause false positives.

    File appears to be malicious: wp-content/themes/inkthemetrust/images/logos.gif
    Filename: wp-content/themes/inkthemetrust/images/logos.gif
    File Type: Not a core, theme or plugin file.
    Issue First Detected: 8 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “var $_server_list = array(‘dispenser-01.sape.ru'”. The infection type is: Spammer:PHP/SAPE. This file was detected because you have enabled “Scan images, binary, and other files as if they were executable”, which treats non-PHP files as if they were PHP code. This option is more aggressive than the usual scans, and may cause false positives.

    I use the paid version of the WordPress
    As I’m out of my depth with this issue, your advice is most welcome.

    Thanks


Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter studiophg

    (@studiophg)

    I should add that the files in question are in

    wp-content/themes/inkthemetrust/images

    Note the line in the warning at the bottom: “This option is more aggressive than the usual scans, and may cause false positives.”

    Try turning off the option: “Scan images, binary, and other files as if they were executable” in the Wordfence options.

    Thread Starter studiophg

    (@studiophg)

    Thanks for your reply. I did notice that; however, as the files appear to be new and are not valid GIFs (don’t open), I’m concerned that they are malicious.

    Turning off the aggressive scan will stop the file being scanned but I feel that would be ignoring the issue somewhat.

    Is there any reason, yet unexplained, you feel I shouldn’t be concerned?

    If they are invalid GIFs then you should be concerned, and further investigation is warranted.

    You may have a backdoor outside your site layer that is allowing hackers a way in.

    Wordfence wouldn’t be able to stop hack attempts that occur externally to your site (i.e., some compromise at a hosting level, or another site on a shared host, for example)…

    See this article from Wordfence:
    https://www.wordfence.com/learn/has-my-site-been-hacked/

    And more:
    https://www.wordfence.com/learn/

    Thread Starter studiophg

    (@studiophg)

    In the absence of advice on how to fix the site I’m winging it somewhat, but I think I have found a solution.

    I noticed that line 10 in the functions.php appears to be requesting the logos.gif file. So I deleted the logos.gif and logos2.gif files and replaced the functions.php file with one from an earlier backup that didn’t include the line 10 logos.gif request.

    The results have passed the WordPress scan.

    • This reply was modified 7 years, 2 months ago by studiophg.

    Hi @studiophg
    Your theme’s functions.php file is calling these files, so my first step is to replace the theme files with a pure copy directly downloaded from the theme author website. Since you mentioned there was a back-up copy of the theme without these lines including the images, I’m very concerned that your theme’s files were compromised at some point to include these image files with malicious code. I highly recommend following the steps mentioned in “How to Clean a Hacked WordPress Site using Wordfence”.

    Thanks.
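
The two findings in this thread (a theme PHP file that `include()`s a file with an image extension, and "images" that are not images) can be checked for across a whole theme directory. The Python script below is an added example, not part of the original thread and not Wordfence's code; `audit_theme`, `build_sample_theme` and the sample theme it builds are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes a genuine file of each type must start with.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
# include/require whose literal string target ends in an image extension.
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:gif|png|jpe?g))['"]""",
    re.IGNORECASE)

def audit_theme(theme_dir):
    """Return (fake_images, image_includes) found under one theme directory."""
    theme = Path(theme_dir)
    fake_images, image_includes = [], []
    for path in sorted(theme.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        rel = path.relative_to(theme).as_posix()
        if ext in MAGIC:
            data = path.read_bytes()
            reasons = []
            if not data.startswith(MAGIC[ext]):
                reasons.append("bad magic bytes")
            if b"<?php" in data.lower():
                reasons.append("contains PHP open tag")
            if reasons:
                fake_images.append((rel, reasons))
        elif ext == ".php":
            text = path.read_text(errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if m := INCLUDE_RE.search(line):
                    image_includes.append((rel, lineno, m.group(1)))
    return fake_images, image_includes

def build_sample_theme(root):
    """Constructed sample: line 10 of functions.php includes images/logos.gif."""
    theme = Path(root) / "theme"
    (theme / "images").mkdir(parents=True)
    lines = ["<?php"] + ["// filler"] * 8 + ["include('images/logos.gif');"]
    (theme / "functions.php").write_text("\n".join(lines) + "\n")
    (theme / "images" / "logos.gif").write_bytes(b"<?php /* constructed placeholder */ ?>")
    (theme / "images" / "real.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")
    return theme

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_theme(build_sample_theme(tmp)))
```

The include pattern only matches literal string targets, so an include built from variables or concatenation still needs a manual read of the file or a diff against a clean copy of the theme.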

  • The topic ‘Malicious .giff files but can’t delete without website errors’ is closed to new replies.