Wordfence reports compromised files

  • Resolved edjarrett

    (@edjarrett)


    3 years, 7 months ago

    Since your most recent update, Wordfence has reported the following three files have potential issues. Are these indeed issues or are the files correct. If they are correct, you might consider a change so that Wordfence does not flag these for others as well.

    ————————

    File appears to be malicious or unsafe: wp-content/plugins/ewww-image-optimizer/binaries/cwebp-linux
    Type: File
    Issue Found April 2, 2021 6:09 am
    Critical
    IGNORE
    DETAILS
    Filename: wp-content/plugins/ewww-image-optimizer/binaries/cwebp-linux
    File Type: Not a core, theme, or plugin file from www.ads-software.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: bk_nextsize == victim\x00

    The issue type is: Backdoor:BIN/adcp.ubuntu.10066
    Description: Code seen in binary malware packages

    File appears to be malicious or unsafe: wp-content/plugins/ewww-image-optimizer/binaries/pngquant-linux
    Type: File
    Issue Found April 2, 2021 6:09 am
    Critical
    IGNORE
    DETAILS
    Filename: wp-content/plugins/ewww-image-optimizer/binaries/pngquant-linux
    File Type: Not a core, theme, or plugin file from www.ads-software.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: bk_nextsize == victim\x00

    The issue type is: Backdoor:BIN/adcp.ubuntu.10066
    Description: Code seen in binary malware packages

    File appears to be malicious or unsafe: wp-content/plugins/ewww-image-optimizer/binaries/jpegtran-linux
    Type: File
    Issue Found April 2, 2021 6:09 am
    Critical
    IGNORE
    DETAILS
    Filename: wp-content/plugins/ewww-image-optimizer/binaries/jpegtran-linux
    File Type: Not a core, theme, or plugin file from www.ads-software.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: bk_nextsize == victim\x00

    The issue type is: Backdoor:BIN/adcp.ubuntu.10066
    Description: Code seen in binary malware packages

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nosilver4u

    (@nosilver4u)

    This is a false positive from Wordfence, as those 3 files were just updated in the 6.1.0 release.
    Additionally, we have been in contact with Wordfence so they are aware of the issue.

    Thread Starter edjarrett

    (@edjarrett)

    Thanks for your quick response. I will just ignore them then.

    Plugin Author nosilver4u

    (@nosilver4u)

    For anyone that still gets the files flagged, I just heard back from Wordfence, and there were two issues in play here:
    1. There was a “signature” they had found in previous malware that looked like it was unique, but turns out it’s a pretty common line, related to memory allocation from what I can see. They’ve since removed this signature from the database.
    2. Since the 6.1.0 release was brand new, their copy of the wp.org repository hadn’t yet caught up. Normally, it would ignore files that match what is hosted on wp.org, but there is some lag time in there–due to the massive amount of time required to sync the wp.org repo on a regular basis.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Wordfence reports compromised files’ is closed to new replies.