• Hello,

    I had some problems with malware on version 2.0.23. I deleted and repaired all of the affected files and upgraded to version 2.0.25, but I have the same problem every day. I’ve installed the Wordfence Security plugin to scan and repair files, and basically every day, about twice, I get this malware on my site. The malware creates some PHP files with malicious code and also adds this code to other files that already exist. This is a list of what was infected yesterday:

    Critical Problems:

    * WordPress core file modified: wp-admin/includes/ms-deprecated.php

    * WordPress core file modified: wp-includes/Requests/Utility/FilteredIterator.php

    * WordPress core file modified: wp-includes/class-walker-page-dropdown.php

    * WordPress core file modified: wp-includes/widgets/class-wp-widget-media-audio.php

    * File appears to be malicious: wp-includes/class-walker-page-dropdown.php

    * File appears to be malicious: wp-admin/includes/snvrnfdi.php

    * File appears to be malicious: wp-includes/js/imgareaselect/lzwwubeq.php

    * File appears to be malicious: wp-content/themes/Divi-child/bzcjifrh.php

    * File appears to be malicious: wp-admin/includes/ms-deprecated.php

    * File appears to be malicious: wp-includes/images/civnzrpb.php

    * File appears to be malicious: wp-includes/widgets/class-wp-widget-media-audio.php

    * File appears to be malicious: wp-includes/Requests/Utility/FilteredIterator.php

    * File appears to be malicious: wp-content/uploads/et_temp/qqosgpzn.php

    * File appears to be malicious: wp-content/uploads/ultimatemember/137/uzekuomq.php

    Warnings:

    * Unknown file in WordPress core: wp-admin/includes/snvrnfdi.php

    * Unknown file in WordPress core: wp-includes/images/civnzrpb.php

    * Unknown file in WordPress core: wp-includes/js/imgareaselect/lzwwubeq.php

    Please, can you help me out with this? I’ve been having this problem for three weeks already.

    Many thanks,

    Isabel


Viewing 8 replies - 1 through 8 (of 8 total)
  • Malware infection could be injected in four ways
    1 – using fake WordPress admin user credentials
    2 – via a vulnerable plugin(s) installed on your system
    3 – via previously installed malicious shell used to reinfect other
    4 – In the case of shared hosting or multiple sites on the same hosting account, the infection may come from other sites as well

    It is worthwhile to:
    1 – reset all WordPress passwords and review/remove all suspicious users
    2 – investigate your WordPress setup with other security plugins
    3 – investigate the website access log to locate what exactly was exploited on your side

    The malware is from the Ultimate Member plugin – I’m currently investigating this. The plugin seems to have been somehow exploited; the owners are on it. Upgrade to the latest version of the plugin. Update your theme, plugins and WordPress to the latest version.

    Do a scan and edit the affected files and you’re good to go. Cheers!

    Perhaps there may be another plugin infected? Do you have by any chance revslider installed? Their previous version was infected in their core. Just after I upgraded to the latest version it was removed, directly within the language directory.

    So, what I did to identify new files or unauthorized changes etc. was to add the codebase to a repository like Bitbucket. There I put a clean WordPress 4.9.8 and made it match my site. I installed the additional plugins that I needed, but I was able to quickly diff and check if there were files hiding somewhere else.

    I hope that helps.
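
    The comparison against a clean copy described in the post above, as an added example that is not part of the original thread or any poster's actual tooling: it hashes a known-clean tree and the live tree, then reports modified, unknown and missing files, plus any PHP file under wp-content/uploads. The function names and the two small sample trees are constructed for illustration; the file paths are taken from the scan results in this thread.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(clean_root, live_root):
    """Classify live files against a known-clean reference tree."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "unknown": [], "missing": [], "php_in_uploads": []}
    for path, digest in live.items():
        if path not in clean:
            report["unknown"].append(path)
        elif clean[path] != digest:
            report["modified"].append(path)
        # Uploads should hold media, never executable PHP.
        if path.startswith("wp-content/uploads/") and path.lower().endswith(".php"):
            report["php_in_uploads"].append(path)
    report["missing"] = sorted(set(clean) - set(live))
    return report

def _write(root, rel, text):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)

def demo():
    """Build two small constructed trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "wp-includes/class-walker-page-dropdown.php", "<?php // core\n")
            _write(root, "wp-admin/includes/ms-deprecated.php", "<?php // core\n")
        # Constructed stand-ins for the changes listed in the scan results.
        _write(live, "wp-includes/class-walker-page-dropdown.php", "<?php // core + injected\n")
        _write(live, "wp-admin/includes/snvrnfdi.php", "<?php // dropped file\n")
        _write(live, "wp-content/uploads/et_temp/qqosgpzn.php", "<?php // dropped file\n")
        return compare(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    On a real site the clean tree would be a fresh WordPress download plus the theme and plugin versions in use; legitimate media in uploads will appear as unknown, which is why PHP files there are reported separately.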

    Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @isabelsaez85,

    Unfortunately, malicious code could be added to your theme files. Please make sure to re-upload and overwrite all theme files with the clean ones from the backup or from local storage.

    Regards.

    Thread Starter isabelsaez85

    (@isabelsaez85)

    Hi @ultimatemembersupport

    The problem is that the backup that I have is from after it was infected. I don’t know what to do anymore. I installed Wordfence to detect it; every day I scan it and it comes back. I delete and clean the files that are infected, but I still have this problem.

    Not sure how to solve it. I’m so desperate.

    Thread Starter isabelsaez85

    (@isabelsaez85)

    Hi @sukafia

    I’ve done everything you said and it’s still happening.
    Wordfence detects once it is infected, and then I delete and clean the files. I scan it and it’s fine, but the next day it gets infected again.

    Do you know if the malware also exists in the latest version?

    Thread Starter isabelsaez85

    (@isabelsaez85)

    Hi @andres_mrg,

    I’ve never used Bitbucket. Do you know of any tutorial to do what you’ve done to compare a clean WordPress with my site?

    Thanks in advance,

    Isa

    @isabelsaez85 sorry for the late reply. I’d advise you to remove the Ultimate Member plugin and see if you’re still getting malware errors. If you’re not, it’s definitely from the plugin, so you can forget about it and use another membership plugin. There are tons of them in the plugin repository. Best of luck.

  • The topic ‘Malware in version 2.0.25’ is closed to new replies.