WordPress.org


[resolved] WordPress File Monitor report (17 posts)

  1. Steve D
    Member
    Posted 4 years ago #

    Is this normal? I did absolutely nothing but update my Akismet plugin a while ago. Then this:

    This email is to alert you of the following changes to the file system of your website.
    Timestamp: Tue, 08 Jun 2010 02:12:27 +0000

    Added:
    wp-content/plugins/sidebar-login/sidebar-login.pot
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_old/sblogin-hu_HU.mo
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_old/sblogin-hu_HU.po
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_young/sblogin-hu_HU_2.po
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_young/sblogin-hu_HU_2.mo
    wp-content/plugins/antivirus/css/style.css
    wp-content/plugins/antivirus/js/script.js

    Removed:
    wp-content/plugins/sidebar-login/langs/alternate/sblogin-hu_HU.mo
    wp-content/plugins/sidebar-login/langs/alternate/sblogin-hu_HU.po
    wp-content/plugins/antivirus/css/global.css
    wp-content/plugins/antivirus/inc/wplize.class.php

    Changed:
    wp-content/plugins/sidebar-login/style.css
    wp-content/plugins/sidebar-login/sidebar-login.php
    wp-content/plugins/sidebar-login/readme.txt
    wp-content/plugins/antivirus/screenshot-1.png
    wp-content/plugins/antivirus/antivirus.php
    wp-content/plugins/antivirus/uninstall.php
    wp-content/plugins/antivirus/readme.txt
    wp-content/plugins/antivirus/lang/antivirus-ru_RU.po
    wp-content/plugins/antivirus/lang/antivirus-de_DE.po
    wp-content/plugins/antivirus/lang/antivirus-de_DE.mo
    wp-content/plugins/antivirus/lang/antivirus-ru_RU.mo
    wp-content/plugins/antivirus/img/icon32.png
    wp-content/plugins/akismet/akismet.php
    wp-content/plugins/akismet/readme.txt

  2. Steve D
    Member
    Posted 4 years ago #

    Or am I just going nuts?

  3. What sent you the email? That's not standard WP. Is it from your VPS or another plugin?

    Also ... I'd check those files to make sure they match what a clean backup (or fresh install) has.

  4. Steve D
    Member
    Posted 4 years ago #

    My WordPress File Monitor plugin alerted me to these changes. I have it send me an automatic email alert if any changes are made without my knowledge and permissions.

    So with this alert I noticed something or someone the next day ahead of me did something.

    (Timestamp: Tue, 08 Jun 2010 02:12:27 +0000)

  5. Ah. Yeah, I'd check those files ASAP. WordPress doesn't update files like that without user intervention.

  6. Steve D
    Member
    Posted 4 years ago #

    Ah. Yeah, I'd check those files ASAP. WordPress doesn't update files like that without user intervention.

    Yip, yup, yep . . That's kind of what I was thinking.

    Guess it's time to call the Host Company and say "Guess What?"

    Again

  7. Steve D
    Member
    Posted 4 years ago #

    So if this is a hack of some sort, the little demon-scumbag is apparently targeting AntiVirus for WordPress and Sidebar Login Plugin. Wouldn't that be the bottom line?

  8. Daniel Cid
    Member
    Posted 4 years ago #

    Steve:

    Can you post the contents of these files for us to check? It looks like a valid update (see the readme files changing, png, etc). But since you didn't do it yourself, someone did :)

  9. Steve D
    Member
    Posted 4 years ago #

    dd@sucuri.net . .

    I did run your scan and everything came up clean. It did occur to me that it could have been some normal and valid plugin upgrade changes. Everything looks normal on the server. Permissions are set properly.

    At second glance I am noticing that all this hu_HU.mo - ru_RU.po - lang stuff appears to be part of these plugins' architecture.

    I'm hoping these plugin authors might be able to confirm and clarify this is normal stuff.

    Let me see if I can put some file contents together.

  10. Steve D
    Member
    Posted 4 years ago #

    Okay I ran an exploit scan.

    Now per the list above I noticed . .

    Timestamp: Tue, 08 Jun 2010 02:12:27 +0000
    Added:
    wp-content/plugins/antivirus/js/script.js

    My exploit scan just produced the following . .

    /wp-content/plugins/antivirus/js/script.js:1
    Could be JavaScript code used to hide code inserted by a hacker.

    t){var item=$('#av_template_'+id);if(input){input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}item.addClass('danger');var i=0;var lines=input.data;var len=lines.length;for(i;i<len;i=i+3){var nu

    e_list'},function(input){if(!input){return;}input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}var parent=$('#'+input.data[0]).parent();if(parent.parent().children().length<=1){parent.parent().hide(&

    _files'},function(input){if(!input){return;}input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}var output='';av_files=input.data;av_files_total=av_files.length;av_files_loaded=0;jQuery.each(av_files,fun

  11. Steve D
    Member
    Posted 4 years ago #

    Okay check this out. I just did a SFTP check and here is what I see.

    On the left is my known clean backup copy local. The right side is what is on the server today. I notice a js folder added to Antivirus that is not part of my clean backup. Inside it is a script.js file dated 5/29.

    Here's the snip.

    http://i80.photobucket.com/albums/j161/aprilette/Develop/CaptureJune8.jpg?t=1276012007

  12. Download a fresh copy of that plugin from the repository and check it against what you have on your server.

  13. Steve D
    Member
    Posted 4 years ago #

    Okay, fresh download: that folder is in this latest package, yet the script.js file in it is reported as "unknown publisher".

    Obviously the next question is why and who added the js folder to this when it was not a part of the original package. Or am I missing something or forgetting something here?

  14. Are there other admins of your WP install?

    Is there a possibility you ran the 'upgrade all plugins that need upgrading' version and not the just one?

  15. Steve D
    Member
    Posted 4 years ago #

    I'm the only administrator.

    I only upgrade a plugin one at a time. I approach everything in standardized checklist-like procedures. No seat of the pants flying.
    So when something happens, I notice very quickly.

    This could be nothing, maybe I'm overreacting.

    I'll have to leave it to the pros in Blog Traffic Control and Technical to advise at this point.

    I can't figure it out.

  16. DavyB
    Member
    Posted 4 years ago #

    That tells me that both the sidebar-login and antivirus plugins have been updated, either by you clicking to automatically update all plugins with new versions.

    Whether or not that is the correct set of file updates is up to you to determine.

    I would download the plugin zip files from the wp repository to a local directory and check what files are actually in the latest versions.
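
The check suggested in the replies above (compare the files on the server against a clean backup or a freshly downloaded copy of the plugin), as an added example that is not part of the original thread: it hashes both directory trees and sorts the differences into the same Added/Removed/Changed buckets as the File Monitor e-mail. The directory layout and file contents in `build_sample` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(reference, installed):
    """Report installed files as added/removed/changed versus the reference copy."""
    ref, live = tree_hashes(reference), tree_hashes(installed)
    return {
        "added": sorted(live.keys() - ref.keys()),
        "removed": sorted(ref.keys() - live.keys()),
        "changed": sorted(f for f in ref.keys() & live.keys() if ref[f] != live[f]),
    }


def build_sample(base):
    """Constructed sample trees; file names borrowed from the thread, contents made up."""
    old = {"antivirus.php": b"v1", "css/global.css": b"a", "readme.txt": b"same"}
    new = {"antivirus.php": b"v2", "css/style.css": b"a", "js/script.js": b"x",
           "readme.txt": b"same"}
    for name, files in (("backup", old), ("server", new)):
        for rel, data in files.items():
            path = Path(base, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return Path(base, "backup"), Path(base, "server")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return compare_trees(*build_sample(tmp))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket.capitalize() + ":", *names, sep="\n  ")
```

Pointed at an unpacked fresh download as `reference` and the live plugin directory as `installed`, three empty lists mean the server copy matches the published release byte for byte.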

  17. Steve D
    Member
    Posted 4 years ago #

    DavyB

    That tells me that both the sidebar-login and antivirus plugins have been updated

    You're correct. Finally figured it out.

Topic Closed

This topic has been closed to new replies.
