WordPress.org

Quttera Web Malware Scanner
Wasn't able to detect malware on a compromised WordPress website (9 posts)

1 star
  1. julianm
    Member
    Posted 1 year ago #

    Wasn't able to detect malware on a compromised WordPress website. Nothing complicated or complex, just the usual code injection.

  2. Quttera
    Member
    Plugin Author

    Posted 1 year ago #

    Hello Julianm,

    Thank you for using our plugin!

    Can you please be more specific?
    Please make sure the file/s with injection appear in the list of scanned files for the specified domain.

    It sounds like a bug if we really missed JS injection in one of the scanned files.

    Best Regards,
    Quttera team.

  3. julianm
    Member
    Posted 1 year ago #

    Hello! There was a malicious JavaScript snippet in the theme's header.php template. The file didn't show specifically in the scan results, as it seems the plugin doesn't do any local scanning, but the code would have been included by all public WordPress pages. I think the plugin has potential, but as is, it is kind of limited in what it's able to detect - for example, .htaccess files are excluded, and also conditional redirects, if there is no local scanning.

    Apologies if my review seems negative. These were just my thoughts. If there's anything I can do to help, please give me a shout.

  4. Quttera
    Member
    Plugin Author

    Posted 1 year ago #

    Hello Julianm,

    No need to apologize. The other way around.
    Just in order to convert this into constructive feedback, we'd like to ask you for samples or a website that was missed by our engine.

    Could you please kindly provide us one of those?

    In case you want to switch to personal mode: contactus@quttera.com or support@quttera.com

    Best Regards,
    Quttera team.

  5. julianm
    Member
    Posted 1 year ago #

    Unfortunately, I've already cleaned the site, and the exploits were deleted, but I will email you the site address. Since I have absolutely no association with the website, only that the client asked me to remove the malware, I'd prefer not to post the address publicly.

    I'm dealing with a lot of infected sites as of recently, though, and since you seem genuinely interested in feedback, I'm willing to give this plugin another go. Having said that, most of the infected sites I'm seeing are Joomla sites; not a lot of WordPress sites.

  6. julianm
    Member
    Posted 12 months ago #

    Here is another compromised WordPress site that Quttera flagged as clean:
    http://goo.gl/hTbdj

    This is the source code:
    http://pastebin.com/XvaFwxKs

  7. Quttera
    Member
    Plugin Author

    Posted 11 months ago #

    Hi Julian,

    Thank you for your information!

    Decoding showed nothing - string: "<style undefined>.nemonn{position:absolute;top:-9999px}</style>"

    I'm trying to understand what exactly did the plugin miss? The "pharma-related" words/links?

  8. julianm
    Member
    Posted 11 months ago #

    Hi! Yes, that's what the JavaScript inserts into the page, and it effectively hides the <p> element with class "nemonn" (the pharma-related link spam) from regular users. It is visible to search engines, though, and this malware will have a lot of negative impacts on an infected website.

    The JavaScript snippet is well known as malware, especially the function name "xViewState". There's some more info here:

    http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html

  9. Quttera
    Member
    Plugin Author

    Posted 11 months ago #

    I will open a bug for our development team to fix it ASAP.
    Again, thanks a lot for your feedback. Any new samples will be appreciated ...

Topic Closed

This topic has been closed to new replies.
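
The hidden-link technique discussed in posts 7 and 8, as an added detection example that is not part of the thread and not Quttera's code: it flags the function name julianm cites, finds CSS classes pushed far off-screen like the decoded `.nemonn` rule, and lists the links inside elements carrying those classes. The sample markup, the `spam.example` URL and the names `scan` and `HiddenLinkParser` are assumptions made up for this example. Because the `<style>` rule is inserted at run time, the CSS check applies to rendered or decoded HTML, while the name check also works on raw theme files such as header.php.

```python
import re
from html.parser import HTMLParser

# Function name julianm cites as a known indicator for this injection.
KNOWN_NAMES = ("xViewState",)
CLASS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
# Far off-screen offset, like the thread's "top:-9999px".
OFFSCREEN = re.compile(r"(?:top|left)\s*:\s*-\d{3,}px", re.I)

class HiddenLinkParser(HTMLParser):
    """Collect hrefs of <a> tags inside elements carrying a hidden class."""
    def __init__(self, hidden_classes):
        super().__init__()
        self.hidden = set(hidden_classes)
        self.tag, self.depth, self.links = None, 0, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = set((attrs.get("class") or "").split())
        if not self.depth and self.hidden & classes:
            self.tag, self.depth = tag, 1      # entered a hidden element
        elif self.depth and tag == self.tag:
            self.depth += 1                    # same tag nested inside it
        if self.depth and tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if self.depth and tag == self.tag:
            self.depth -= 1

def scan(source):
    """Return indicators found in a file's text or a rendered page's HTML."""
    classes = sorted({name for name, body in CLASS_RULE.findall(source)
                      if OFFSCREEN.search(body)})
    parser = HiddenLinkParser(classes)
    parser.feed(source)
    return {"known_names": [n for n in KNOWN_NAMES if n in source],
            "offscreen_classes": classes,
            "hidden_links": parser.links}

# Constructed sample: the decoded <style> string from the thread plus made-up markup.
SAMPLE = (
    '<html><head><script>function xViewState(){/* body omitted */}</script>'
    '<style undefined>.nemonn{position:absolute;top:-9999px}</style></head>'
    '<body><p>Welcome</p><p class="nemonn">'
    '<a href="http://spam.example/pills">cheap pills</a></p>'
    '<p><a href="/about">About</a></p></body></html>'
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Off-screen positioning is also used legitimately (for example, screen-reader-only text), so a flagged class is only a lead; the outbound links found inside it are what to review.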
