• I have a small site that I administer for a voluntary organisation. It’s a basic site essentially to provide information to people. There is no ecommerce etc. on the site. A few months ago my hosting company took the site offline due to malware, following which I took out a monthly subscription for a cleaning tool they supply. It’s called SiteLock. This package cleaned the site and now monitors it and does a daily scan. I also read up on improving the site security on the WordPress forums and put other additional steps in place, and this seemed to solve the issue.

    However, today the scan detected another piece of malicious code.

    “wp-content/plugins/wp-file-manager/lib/codemirror/mode/434.xmlrpc.php
    Malware

    Cleaned Category SubCategory
    No CommandControlCoordination FileHacker

    d(0+0.2+0.2+0.2+0.2+0.2)]”

    The previous incidents also seemed to involve the wp-file-manager plugin.

    I am a novice at this and would appreciate some advice. Is this a real incident of malicious code, or a false positive? Is there a vulnerability in the wp-file-manager plugin?

    Andrew


Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Yui

    (@fierevere)

    永子

    Make sure you have the latest version of this plugin:

    https://www.ads-software.com/plugins/wp-file-manager/#developers

    Changelog
    6.9 (1st Sept, 2020)

    Security issue fixed

    This article can be helpful too, when dealing with consequences:

    FAQ My site was hacked

    Thread Starter zimmer46

    (@zimmer46)

    Thank you for the reply.

    I have the auto update feature active and everything is up to date, including wp-file-manager. In actual fact, that link you sent was the very one I looked at when the first incident happened, so it’s good to see I am looking in the right area :-).

    After the first incident I added 2FA. I have Sucuri as a plugin and had a look at its logs. There are maybe 4 or 5 failed logins each day, I assume from some automated bot perhaps? However, on the Sucuri log there was the following yesterday, which coincides with what SiteLock detected :-

    “system Warning: New file added: (multiple entries):
    suspect.json.php (size: 214)
    wp-content/plugins/wp-file-manager/lib/codemirror/mode/434.xmlrpc.php (size: 21841)
    wp-content/plugins/wp-file-manager/lib/codemirror/mode/mscgen/suspect.json.php
    IP: 127.0.0.1”

    There were no admin logins at all to the site on that day, and the IP is the local system as I understand it. So I am puzzled. Can you help me understand what the significance or implication of these files is, and how they could have been added to the site?

    Appreciate your help.

    Andrew
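The Sucuri warning above is a file-integrity alert: it fires when files appear or change inside the site tree, independent of whether anyone logged in. The following is an added example (not code from the thread, from SiteLock, or from Sucuri) showing how such a check works: take a SHA-256 baseline of a plugin directory, compare a later snapshot against it, and flag the kind of additions the thread reports, namely PHP files inside asset-only directories (the CodeMirror editor modes) or with a double extension like `suspect.json.php`. The plugin tree, file contents and the list of asset-directory names are constructed for the demo; only the file paths come from the thread.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directory names that in a typical plugin hold only front-end assets
# (editor modes, stylesheets, scripts, images). A PHP file appearing under one
# of them is a red flag. "codemirror" comes from the thread; the rest are
# assumptions for this example.
ASSET_DIR_HINTS = ("codemirror", "css", "js", "images", "fonts")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(baseline) & set(current)
        if baseline[f]["sha256"] != current[f]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_php(paths) -> list:
    """PHP files that sit in asset-only directories or carry a double extension."""
    flagged = []
    for rel in paths:
        name = rel.rsplit("/", 1)[-1].lower()
        if not name.endswith(".php"):
            continue
        parts = rel.lower().split("/")[:-1]
        in_asset_dir = any(hint in parts for hint in ASSET_DIR_HINTS)
        double_ext = name.count(".") >= 2  # e.g. suspect.json.php, 434.xmlrpc.php
        if in_asset_dir or double_ext:
            flagged.append(rel)
    return flagged


def demo() -> dict:
    """Constructed plugin tree: take a baseline, plant the file names the thread
    reports, and return what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-file-manager"
        mode_dir = plugin / "lib" / "codemirror" / "mode"
        (mode_dir / "mscgen").mkdir(parents=True)
        (plugin / "file_manager.php").write_text("<?php // plugin entry point\n")
        (mode_dir / "xml.js").write_text("// editor mode (constructed)\n")

        # Baseline taken right after a clean install; normally stored off-site.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_manifest(plugin)))

        # Simulated later state: the paths named in the Sucuri warning, plus
        # an edit to a legitimate file. Contents are placeholders.
        (mode_dir / "434.xmlrpc.php").write_text("<?php /* constructed */\n")
        (mode_dir / "mscgen" / "suspect.json.php").write_text("<?php /* constructed */\n")
        (plugin / "file_manager.php").write_text("<?php // plugin entry point\n/* edited */\n")

        baseline = json.loads(baseline_path.read_text())
        delta = diff_manifests(baseline, build_manifest(plugin))
        delta["suspicious"] = suspicious_php(delta["added"] + delta["modified"])
        return delta


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline should be written right after a clean reinstall of the plugin (as the later reply suggests) and kept somewhere the web server cannot write, otherwise whatever altered the plugin can alter the baseline too. A modified legitimate file such as the plugin's entry point shows up under `modified` but is not flagged by the name heuristics, so the full diff is worth reading, not only the `suspicious` list.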

    You probably should ask this over at the plugin’s support forum then…

    https://www.ads-software.com/support/plugin/wp-file-manager/

    Do make sure that the version you have is really the updated version… A hacker with the ability to exploit this once has the ability to munge the version shown by the updater while the previous hack was still present. If it was me and I wasn’t sure I’d delete that plugin and then reinstall if I needed it.

    You might also want to run the two security plugins I run for some added assurance…

    https://www.ads-software.com/plugins/better-wp-security/

    https://www.ads-software.com/plugins/wordfence/

    Those two security plugins play well together and complement each other.


    I do run that WP file Manager plugin myself and earlier today I did recommend it to someone else so I still feel comfortable with it…

    Also, cool website with a way cool subject!

  • The topic ‘wp-file-manager plugin malware ?’ is closed to new replies.