• Hello,

    We have WordPress installed on a Windows IIS server. The latest versions of WordPress and the Revolution Slider plugin are installed. The website uses PHP 7.2 and the Windows OS is up to date. FTP access is not enabled.

    We have been having problems with virus files being uploaded to our server. We have a Windows server, and the Windows Defender software catches the virus files being uploaded in real time. In the Windows Defender scanner log file this is what we see, which makes us suspect the Revolution Slider plugin.

    Category: Trojan
    Description: This program is dangerous and executes commands from an attacker.
    Recommended action: Remove this software immediately.
    Items: containerfile:C:\Windows\Temp\php3013.tmp
    containerfile:C:\Windows\Temp\php7CB5.tmp
    containerfile:C:\Windows\Temp\php80B2.tmp
    containerfile:C:\Windows\Temp\php9C04.tmp
    containerfile:C:\Windows\Temp\phpACA1.tmp
    containerfile:C:\Windows\Temp\phpC3C.tmp
    file:C:\Windows\Temp\php3013.tmp->revslider/db.php
    file:C:\Windows\Temp\php3013.tmp->revslider/db.php->(SCRIPT0000)

    Another Windows Defender scan log file example looks like this:

    containerfile:C:\Windows\Temp\php55B2.tmp
    file:C:\Windows\Temp\php55B2.tmp
    file:C:\Windows\Temp\php55B2.tmp->(SCRIPT0000)

    We made many adjustments and checks to make the virus file uploading stop, like updating passwords, changing the login salts, running the Sucuri Scanner etc. The last two changes we made that made the virus file uploading stop altogether were to remove the Revolution Slider plugin and also manually disable the /wp-admin/admin-ajax.php file by changing the file name extension to .php.disabled. After a few days of no virus uploading I re-enabled the Revolution Slider plugin to test, and we started to see virus files being uploaded again. So our testing continues.

    Does anyone know how to tell which specific PHP files are allowing the virus files to be uploaded? We were unable to figure out which specific PHP files are vulnerable to the virus file uploading. I installed the Activity Log tracking plugin on the website and it did not show us any information about the virus uploading problem, so the virus files must be uploaded by an unauthenticated visitor to the website.

    Do you know what the problem is? Do you have any suggestions?

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    Thread Starter candatsystems

    (@candatsystems)

    Hello,

    Thanks for the information but I already went through the guides and followed the suggestions / double checked everything.

    What I need to know is how to tell which PHP file is allowing the file uploading without authentication?

    I did both the Sucuri scan and the Wordfence plugin install a while ago.

    Thanks.
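One way to answer the question the thread keeps coming back to (which PHP endpoint is accepting the uploads) is to correlate each Windows Defender detection time with the IIS W3C request log: PHP writes every multipart upload to a php####.tmp file in its upload temp directory while the request is in flight, so the POST that created a flagged .tmp file was logged within seconds of the detection. The script below is an added example, not code from the thread or from WordPress; the IIS log lines, the detection records, the client IPs and the `action=revslider_ajax_action` query string are all constructed, and both data sets are assumed to be in UTC (IIS logs in UTC by default, while Defender event times are usually local and would need converting first).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the thread); IIS logs in UTC by default.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-01 10:14:02 10.0.0.5 GET /index.php - 443 - 203.0.113.7 Mozilla/5.0 200
2019-05-01 10:15:31 10.0.0.5 POST /wp-admin/admin-ajax.php action=revslider_ajax_action 443 - 198.51.100.23 python-requests/2.21 200
2019-05-01 10:40:10 10.0.0.5 POST /wp-login.php - 443 - 203.0.113.7 Mozilla/5.0 302
2019-05-01 11:02:44 10.0.0.5 POST /wp-admin/admin-ajax.php action=revslider_ajax_action 443 - 198.51.100.23 python-requests/2.21 200
"""

# Constructed Defender detections (time, item). "containerfile ... -> member" means the
# temp file is an archive whose member (here revslider/db.php) was flagged.
DETECTIONS = [
    ("2019-05-01 10:15:32", r"C:\Windows\Temp\php3013.tmp->revslider/db.php"),
    ("2019-05-01 11:02:45", r"C:\Windows\Temp\php55B2.tmp"),
]

def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def suspects(log_text, detections, window=timedelta(seconds=30)):
    """Count POST requests landing within +/- window of each detection, grouped by
    URI stem, WordPress 'action' parameter and client IP; most frequent first."""
    rows = parse_iis(log_text)
    hits = Counter()
    for when, _item in detections:
        t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        for r in rows:
            rt = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            if r["cs-method"] == "POST" and abs(rt - t) <= window:
                m = re.search(r"(?:^|&)action=([^&]+)", r["cs-uri-query"])
                hits[(r["cs-uri-stem"], m.group(1) if m else "-", r["c-ip"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (uri, action, ip), n in suspects(IIS_LOG, DETECTIONS):
        print(f"{n} detection(s) near POST {uri} action={action} from {ip}")
```

A single candidate that keeps recurring across detections is the endpoint to disable or patch; the cs-username column is normally "-" for WordPress traffic regardless of login state, so authentication has to be judged from the WordPress side, not from IIS.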

  • The topic ‘Virus Uploading Problem – Windows IIS Server’ is closed to new replies.