InfiniteWP Client
[resolved] Phishing alert (19 posts)

  1. echoleaf
    Member
    Posted 8 months ago

    I received a phishing alert for my site and it was traced to the iWP-Client folder. The hackscan noted

    a2.brazilbank.phish

    in /wp-content/plugins/iwp-client/core.class.php

    I've replaced the hacked files with new copies of the plugin files. Have you experienced anything like this before?

    http://wordpress.org/plugins/iwp-client/

  2. esmi
    Forum Moderator
    Posted 8 months ago

  3. echoleaf
    Member
    Posted 8 months ago

    Damn - I just ran a virus scan on my cpanel and this is what I got:

    public_html/wp-content/plugins/iwp-client.zip	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/domain.com/wp-content/plugins/iwp-client.zip	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/domain.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL

    The .zip is what I just downloaded from WordPress.org! I'm deleting the plugin until we get to the bottom of this.

  4. echoleaf
    Member
    Posted 8 months ago

    Thanks for those links, I will go through them immediately.

  5. akedv
    Member
    Posted 8 months ago

    where did you download the iwp-client.zip?

  6. echoleaf
    Member
    Posted 8 months ago

    Here.

  7. infinitewp
    Member
    Plugin Author

    Posted 7 months ago

    As esmi pointed out, if your site is fully compromised, the virus will recreate itself in different folders. So kindly do a full clean and let us know.

    The code in the repository is definitely virus free. We do our side of the investigation, and WordPress.org also constantly scans all popular plugins for viruses / malicious activity.

    Let me know if you have any doubt.

  8. DiverGreg
    Member
    Posted 4 months ago

    Hello infinitewp

    Anything we should be worried about?
    I also ran a Virus Scanner powered by ClamAV on cPanel and all my WP sites with InfiniteWP got flagged with this a2.brazilbank.phish

    public_html/XXXXX1.fr/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/XXXXX2.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/XXXXX3.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
    public_html/XXXXX4.com/data/plugins/iwp-client/core.class.php		{HEX}a2.brazilbank.phish.1.UNOFFICIAL

    I did remove the plugin and re-ran a virus scan and did not find any issues. I then re-installed InfiniteWP, re-scanned and got the a2.brazilbank.phish again.

  9. Marcelo Pedra
    Member
    Posted 4 months ago

    Hello guys, I have WP 3.8.1 with cPanel and ClamAV and I tried to reproduce the issue scanning several sites but I'm not getting this phishing issue.

    @DiverGreg:
    @echoleaf:
    Are you both using shared hosting?
    Maybe the entire server is compromised, or maybe you both happen to be using the same vulnerable plugin/theme, which led to an intrusion.
    Are you using the latest versions of WP and InfiniteWP?

  10. echoleaf
    Member
    Posted 4 months ago

    I'm on a different host now, I assume the old host had been compromised.

  11. DiverGreg
    Member
    Posted 4 months ago

    Hello Marcelo, I have multiple WP sites on several servers, dedicated and shared, including wpengine, and only got this issue with this one (shared) hosting company.
    I am trying to follow up with Tech support to figure out why ClamAV is giving us this false positive and I also got a similar issue with a managewp plugin on that same server.
    So I am not worried and will keep managing my 40+ sites with infinitewp :)

  12. echoleaf
    Member
    Posted 4 months ago

    I am using InfiniteWP on my new host, sorry for not mentioning it before. This is definitely not an issue specific to InfiniteWP.

  13. Marcelo Pedra
    Member
    Posted 4 months ago

    Maybe the shared hosting is compromised, or ClamAV is outdated and is thus reporting a false positive...

  14. DiverGreg
    Member
    Posted 4 months ago

    Just following up my last message, Tech support did not provide an acceptable answer:

    "This false positive can happen from time to time if the system believes the code inside has been hacked (especially with anything involving EVAL code).
    As long as nothing is being affected on your site, then you should be good to go."

  15. Marcelo Pedra
    Member
    Posted 4 months ago

    @DiverGreg: I know it looks like a cheap answer. BUT, all in all, the majority of online security software will simply alert you when they detect an eval with a base64_decode command, because, except for very specific cases, they can't decode and follow links or commands to see if it is dangerous. That's why those end in a mere alert. The Wordfence firewall and scan plugin also has this behaviour. It's up to you to further investigate and detect weird files and/or behaviours.

    You should decompress the plugin zip package downloaded from the WP repo on your PC and FTP it to your "compromised" site. See if, right after upload, the file sizes have increased compared to your offline versions (this would be due to code injection by malware). If not, wait a couple of minutes and compare again. If not, wait a couple of hours and compare again. If not, and if after 24 hours the files remain untouched, you could then have peace of mind...
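    The check Marcelo describes, as an added example that is not code from this thread or from the InfiniteWP project: it compares a deployed plugin directory against a pristine copy, but hashes every file instead of only comparing sizes, since an injected payload can be padded to keep the length identical. The directory names and file contents are constructed for the example; run it against a real reference directory and the site's copy to get a list of modified, added and missing files.

```python
"""Compare a deployed plugin directory against a pristine reference copy.

Added example, not code from the forum thread or from InfiniteWP. The
thread's advice is to compare file sizes of a freshly uploaded plugin
against the offline copy; hashing each file is the stricter version of
that check.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to (size, sha256 hex digest)."""
    manifest = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root_path).as_posix()
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare_trees(reference: str, deployed: str) -> dict:
    """Report files that differ from, were added to, or are missing from the reference."""
    ref = build_manifest(reference)
    dep = build_manifest(deployed)
    return {
        "modified": sorted(p for p in ref if p in dep and ref[p] != dep[p]),
        "added": sorted(p for p in dep if p not in ref),
        "missing": sorted(p for p in ref if p not in dep),
    }


def demo() -> dict:
    """Build two constructed plugin trees in a temp directory and diff them.

    File names and contents are constructed for this example. The 'deployed'
    copy has one file altered to the same byte length (which a size-only
    check would miss) and one file that is not part of the package.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "iwp-client")
        dep = Path(tmp, "deployed", "iwp-client")
        for base in (ref, dep):
            base.mkdir(parents=True)
            (base / "init.php").write_text("<?php\n// plugin bootstrap\n")
            (base / "core.class.php").write_text("<?php\nclass Core {}\n")
        # Same length as the reference file, different bytes
        (dep / "core.class.php").write_text("<?php\nclass Cor3 {}\n")
        (dep / "cache.php").write_text("<?php\n// not part of the package\n")
        return compare_trees(str(ref), str(dep))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Running `demo()` reports `core.class.php` as modified and `cache.php` as added even though the modified file kept its original size. Re-running `compare_trees` against the same reference a few minutes, hours and a day later, as suggested above, shows whether anything on the server is rewriting the files after upload.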

  16. DiverGreg
    Member
    Posted 4 months ago

    Hello Marcelo, thank you for clarifying a little all this.
    I just tried uploading that one file, and now that server is changing the file permission to 000 and will not let me upload or change this file, or the entire zip file directly from wordpress.org.

    But the question I had was why cPanel with ClamAV on different servers did not return the same thing... short of them being different versions.

  17. Marcelo Pedra
    Member
    Posted 4 months ago

    OK, if the file has permission 0 then the hosting guys probably blocked it in response to your request. ClamAV doesn't modify attributes, it just alerts you to suspicious things.

    If ClamAV is giving different results in different servers, you have to compare what versions of cPanel and ClamAV are running in both servers. They probably differ.

  18. DiverGreg
    Member
    Posted 4 months ago

  19. Marcelo Pedra
    Member
    Posted 4 months ago

    Yes, that's what David from infinitewp said. It's a false positive. ClamAV must be outdated then. Report it to your hosting service.
