malware detected on header back up file created by this plugin

  • Hi,

    This plugin is automatically creating a back-up file called header.php.wpseobak and it has been injected with some javascript malware. No matter how many time I delete the code and the file itself it keeps on regenerating. This is true even when I updated the plugin to the latest version.

    I know you guys don’t support free version of this plugin but I think it’s worth bringing up this issue.

    Any suggestions/guidelines would be great.

    Thanks!
    Umesh

    https://www.ads-software.com/plugins/wordpress-seo/

Viewing 10 replies - 1 through 10 (of 10 total)

  • I submitted a post about something similar two weeks ago:
    www.ads-software.com/support/topic/sql-database-infected-or-just-bloated

    Found possible problems in Option _transient_feed_895a6fef0cc57461ead214388fd67e81 (script tag )
    Just to take an example, “Yoast” appears 35 times alone in this 14KB excerpt (total size is 218KB). I once had Yoast’s SEO plugin installed, deleted long ago.

    Who else but Yoast himself would inject and bloat the database with “Yoast”? This could seem to suggest foul play. Does anyone have another explanation?

    [excessive code deleted]

    @wnthne – please stop posting code like that on these forums – it’s been deleted several times – if you need to post lengthy code, use a pastebin per the forum guidelines.

    https://codex.www.ads-software.com/Forum_Welcome#Posting_Code

    Thanks for the tip WPyogi. Here is the code excerpt: https://pastebin.com/kEdkTjTX

    I ran the ThreatScan plugin which exposed the injections.

    where is file created i can’t see one called header.php.wpseobak

    @ooomes @mrppp

    header.php.wpseobak – is found in the theme folder (not always).
    WordPress SEO only creates this file when it needs to change a themes built-in hard coded meta description function.

    The wpseo function is found in plugins/wordpress-seo/admin/pages/dashboard.php on line 64 in section starting on line 49, ending line 89

    $backup_file = date( 'Ymd-H.i.s-' ) . 'header.php.wpseobak';

    Because it’s hard coded in the theme, it cannot be removed by a filter action. Instead the plugin backs up the original theme file, removes the hard coded meta description section, and adds the WordPress SEO dynamic meta description function.
    It has to, or there will be 2 meta descriptions, which are not too good for SEO…

    The file you found named header.php.wpseobak is OK. it’s supposed to be there if the requirements mentioned above exist. It’s not a malware script.

    But it’s very good you are cautious ??

    To set your mind more at ease, because of the extension, .wpesobak, PHP cannot execute the file anyway. (same applies to extensions like .backup and so on which you sometimes find if the server techs have worked on the site

    If you’re still worried, you may e-mail header.php and header.php.wpseobak to [ redacted ] for free manual inspection (must be in zipped folder or mail server will strip .php attachments)and let me know the theme!)

    so we are talking theme header?
    Can’t see a header.php.wpseobak

    email sent

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @mikeotgaar Please do not post your e-mail or request people contact you off of these forums like that. Keep the support on the forums.

    https://codex.www.ads-software.com/Forum_Welcome#Helping_Out

    Apologies Jan
    Didn’t realize offering free check was an issue.

    @mrppp
    The plugin only creates this ONLY IF the theme has built in SEO features like meta description – if this can’t be disabled in the theme settings and the meta description is hardcoded…

    If it’s not in your theme folder, it means WordPress SEO didn’t need to modify the original file, so no backup file.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘malware detected on header back up file created by this plugin’ is closed to new replies.