• Resolved Robert Eichhorn

    (@robert-eichhorn)


    I want to inform the Total Security plugin developer Fabrix Doromo that the Total Security plugin version 2.9.2 is a malware problem.

    My web host and their security partner identified the Total Security plugin as a malware problem. The security partner identified the malware problem as: UNOFFICIAL FOUND. The web host identified the malware problem as a file in the modules folder.

    File Path data:
    /wp-content/plugins/total-security/modules/inc-popup.php

    The file identified as the malware problem is: inc-popup.php

    I deleted the Total Security plugin and a rescan of my website did not find any malware problems.

    Question:
    Why was the inc-popup.php file identified as a malware problem?

    https://www.ads-software.com/plugins/total-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Fdoromo

    (@fdoromo)

    False Positive…

    Thread Starter Robert Eichhorn

    (@robert-eichhorn)

    Fabrix, thanks for the reply. You seem certain that it is a false positive.

    My web host informed me that one of the ways malware can happen is:
    Installing applications, add-ons or modules which are downloaded from third-party locations and may be infected.

    The file that was identified as malware was in the modules folder.

    Question:
    Did you create the files in the modules folder yourself, or did you download the modules folder with files from a third-party location, or did you obtain the modules folder with files from a third-party?

    Thread Starter Robert Eichhorn

    (@robert-eichhorn)

    Fabrix – I am still waiting for your reply to my last message.

    Next message:
    Concerning the Total Security plugin identified as malware. The malware problem was identified as:
    PHP-MAILER-GENERIC-md5-ji.UNOFFICIAL FOUND

    The file identified as the malware problem is:
    inc-popup.php

    I spoke to a tech guy at my web host and mentioned the file name inc-popup.php. He made a reference to the term ‘generic mailer’ and said the file could be used to send email spam.

    I want to inform you about this malware problem so you can investigate the problem and figure out a solution to the problem. Please let me know your solution to the problem.

    Plugin Author Fdoromo

    (@fdoromo)

    The file inc-popup.php is only there to display text in popup windows (wp modal).

    Besides text, it includes:

    phpinfo();
    get_plugins();
    phpversion();
    file_get_contents();
    get_bloginfo();

    full file: https://gist.github.com/fabrix/10945076

    Thread Starter Robert Eichhorn

    (@robert-eichhorn)

    Fabrix,

    I still don’t know if you got the modules folder from a third-party location.

    I found the code file for the inc-popup.php file at GitHub. I will try to determine if there is code in the file that allows email or email spam to be sent. I will let you know what I find out.

    Thread Starter Robert Eichhorn

    (@robert-eichhorn)

    Fabrix – I informed a WP plugins staff member about the malware problem. He checked the code file for inc-popup.php and did not find any code that could be a generic mailer/email spam problem. Link for code file:
    https://plugins.svn.www.ads-software.com/total-security/trunk/modules/inc-popup.php

    I submitted the code file to my web host’s security partner. They informed me that they could not pull up any malware details from the past from the Dashboard, so they could not determine if the file contained malware. So, they cannot determine if their security scan made a mistake.

    I deleted the Total Security plugin from my site to avoid suspension of my site. After the deletion in February, and again this month (May), my web host rescanned my site and did not find any more malware problems.

    Now I realize I should have downloaded the file right after the malware was identified. My web host gave me 24 hours to document that I fixed the problem or they would suspend my site.

    Case resolved.

  • The topic ‘Total Security plugin is a malware problem’ is closed to new replies.
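
The two checks the thread ends on, keeping a copy of the flagged file before deleting it and looking for code that could send mail, sketched as an added example (not code from the thread, the plugin or the host's scanner). The function-name list, the sample PHP and the names `triage` and `preserve` are assumptions made for the illustration.

```python
import hashlib
import re
import shutil
from pathlib import Path

# Functions that can send mail or open raw sockets. This list is an assumption
# for the example; it is not the hosting scanner's actual signature.
MAIL_SINKS = ("mail", "wp_mail", "mb_send_mail", "imap_mail", "fsockopen")

# Constructed samples (neither is the real inc-popup.php).
SAMPLE_POPUP = b"""<?php
// popup text only; mail() appears in this comment
echo 'PHP ' . phpversion();
$help = "call mail( for help";
echo get_bloginfo('name');
"""
SAMPLE_MAILER = b"""<?php
$to = $_POST['to'];
mail($to, $_POST['s'], $_POST['b']);  # constructed mail sink
"""

_NOISE = re.compile(rb"""
      /\*.*?\*/              # block comments
    | (?://|\#)[^\n]*        # line comments
    | '(?:\\.|[^'\\])*'      # single-quoted strings
    | "(?:\\.|[^"\\])*"      # double-quoted strings
""", re.S | re.X)

def strip_noise(src: bytes) -> bytes:
    """Blank out comments and string literals, keeping line numbers intact."""
    return _NOISE.sub(lambda m: b"\n" * m.group(0).count(b"\n"), src)

def triage(src: bytes) -> dict:
    """Hash the file and list (line, function) for each mail-capable call."""
    hits = []
    for lineno, line in enumerate(strip_noise(src).split(b"\n"), 1):
        for name in MAIL_SINKS:
            # Lookbehind skips method calls, variables and longer names (wp_mail).
            if re.search(rb"(?<![\w>$:])" + name.encode() + rb"\s*\(", line, re.I):
                hits.append((lineno, name))
    return {"sha256": hashlib.sha256(src).hexdigest(), "mail_sinks": hits}

def preserve(path: str, evidence_dir: str) -> dict:
    """Copy a flagged file aside before deleting it, then triage the copy."""
    report = triage(Path(path).read_bytes())
    dest = Path(evidence_dir) / f"{report['sha256'][:16]}_{Path(path).name}"
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, dest)  # keeps mtime for later timeline questions
    return {**report, "saved_as": str(dest)}
```

An empty `mail_sinks` list does not prove a file is clean (heredocs, dynamic calls and included files are not followed), but the saved copy and its hash give the host or the plugin author something concrete to compare against the published source.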