• Hello,

    I’ve checked a WP website I manage today and have noticed two new plugins not shown on the main plugin page. They are called “wp-dms-registry” and “wp-task-manager”.

    Wp-dms-registry consists of a single index file. Its internal description is

    /*
    Plugin Name: WP System Cache
    Plugin URI: https://www.ads-software.com/#
    Description: Official WordPress plugin
    Author: WordPress
    Version: 14.2.9
    Author URI: https://www.ads-software.com/#
    */

    wp-task-manager consists of class-scheduler.php, index.html, index.php, scheduler.pnp, and wrapper.php. Its internal description is

    /*
    Plugin Name: Task Agent
    Plugin URI: https://wordpress.com/
    Description: Used by millions, Task Agent is quite possibly the best way in the world to protect your blog from spam. It keeps your site protected even while you sleep. To get started: activate the Task Agent plugin and then go to your Task Agent Settings page to set up your API key.
    Version: 7.8.1
    Author: Automatic
    Author URI: https://wordpress.com/wordpress-plugins/
    License: GPLv2 or later
    Text Domain: Task Agent
    */

    /*
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

    Copyright 2005-2020 Automatic, Inc.
    */

    I’ve never seen these before and I can’t find them on www.ads-software.com’s plugin section. They seem suspicious. Anyone know more about them?

    The site’s WP version is 6.2.2 and it is hosted via GoDaddy’s WP site hosting service.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @gettingitdone ,

    I would have the same feeling as you. I would take a deeper look at the code of those plugins. Maybe you can see some suspicious code.

    Was the website built by someone else or did you set it up? If you are the only technical manager of the site I would also say that this is suspicious!

    And I think it doesn’t look like GoDaddy would install these two plugins. GoDaddy would name itself as author, I think.

    Moderator bcworkz

    (@bcworkz)

    Have the plugins been activated? Or are they just installed and not active?

    If you’re the only WP user who is able to install and activate plugins and you didn’t add these, it’s likely your site has been hacked and the plugins could be malicious. But IME it’s unusual for hackers to add new plugins, it’s a little too obvious. Hacker code is usually more hidden. I suppose this could be a “hidden in plain sight” tactic. There’s a chance this is not a hack and it’s something more benign.

    If you suspect a hack, please work through the steps outlined in FAQ My Site was Hacked.

    Could it be removing the plugins will entirely clean up the site, that there is no other “backdoor” code left behind? Unlikely but possible. It’s certainly the easiest thing to try first in finding and removing a hack. (after resetting all access) If after a period of time the plugins return, seemingly on their own, then the site was not completely cleaned and a more diligent effort at clean up will be needed.

    If you have good, known clean backups of your site, wiping out everything and reinstalling from backup is a reliable way to fully clean the site. Sadly not everyone has good reliable backups. Without known clean backups, if simply removing the plugins does not fully clean the site, you may require professional help to fully clean the site.

    dominointernet

    (@dominointernet)

    A new client called today saying his WP was hacked and only his Homepage was working.

    I just noticed he’s got “WP Task Agent” installed too, which I can’t find info about in Google.

    And what calls a heap of attention from your message is these 2 things:

    1. it says that Author is Automatic … when the company that owns WP is actually called Automattic (with 2 TT at the end) !!!
    2. And the Author URI refers to a generic webpage with no info about this specific plugin: https://wordpress.com/wordpress-plugins/

    I still haven’t got FTP access but if it looks like shit and smells like shit, most probably it’s shit!

    What do you guys think?

    NOTE: after a deeper look into his plugins list I can see that he’s also got File Manager installed (a real WP plugin which gives an Admin FTP-like access to all the website files!) and 2 copies of another weird plugin called WP Base… and then I remembered that another client of mine had the SAME plugins installed in his hacked website !!!

    mediawiz

    (@mediawiz)

    Yes this is a plugin installed by hackers. I was checking one of my sites yesterday and immediately saw something was off;

    Last update time was the day before (but I did not make changes the last 5 weeks) and I discovered a file manager plugin and the “WP System Cache“.

    There were some Viagra pages on my site (which didn’t show up in the posts/pages in the admin). The code of the WP System Cache was encrypted so probably injecting the malicious pages.

    So, if you see this plugin you have to take action immediately!

    Hi all! Today I encountered the same problem, a client complained that his two sites were hacked. Using FTP, I saw that several third-party plugins had appeared masquerading as WP Task Manager, WP System Cache, etc.

    At the root of the site there was also a folder and third-party files.

    What is noteworthy is that the malware also replaced sitemap.xml and robots.txt

  • The topic ‘Unusual plugins detected on WP site’ is closed to new replies.
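Added example, not part of the thread and not WordPress code: a Python scan that reads plugin headers straight from the plugins directory on disk (the original poster's plugins were not shown on the admin plugin page) and flags the indicators named in the posts above. The header parsing is modelled on WordPress reading plugin headers from the first 8 KB of a file; the function names, indicator sets and sample files are assumptions constructed for illustration, and a hit is a lead for manual review of the plugin's code.

```python
import re
import tempfile
from pathlib import Path

REPORTED_DIRS = {"wp-dms-registry", "wp-task-manager"}  # directory names from the thread
REPORTED_NAMES = {"wp system cache", "task agent"}  # header names from the thread
FAKE_AUTHORS = {"wordpress", "automatic"}  # "Automatic" is the misspelling noted above

def read_header(php_file):
    """Parse header fields from the first 8 KB of the file, as WordPress does."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    header = {}
    for field in ("Plugin Name", "Author", "Author URI", "Version"):
        if m := re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", text, re.M | re.I):
            header[field] = m.group(1).strip(" \t*/\r")
    return header

def scan_plugins(plugins_dir):
    """Return (directory, plugin name, reasons) for plugins matching an indicator."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if "Plugin Name" not in header:
            continue  # not a plugin main file
        slug = php_file.parent.name
        checks = [
            (slug in REPORTED_DIRS, "directory reported in thread"),
            (header["Plugin Name"].lower() in REPORTED_NAMES, "name reported in thread"),
            (header.get("Author", "").lower() in FAKE_AUTHORS, "author poses as official"),
        ]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings.append((slug, header["Plugin Name"], reasons))
    return findings

def demo():
    sample = {  # constructed plugin files, not taken from a real site
        "wp-dms-registry/index.php": "<?php\n/*\nPlugin Name: WP System Cache\nAuthor: WordPress\nVersion: 14.2.9\n*/\n",
        "wp-task-manager/index.php": "<?php\n/*\nPlugin Name: Task Agent\nVersion: 7.8.1\nAuthor: Automatic\n*/\n",
        "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\nAuthor: Automattic\n*/\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body)
        return scan_plugins(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, call `scan_plugins()` with the path to `wp-content/plugins`; the correctly spelled "Automattic" entry in the sample is there to show that a genuine header is not flagged.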