Possible javascript malware code injection

  • Resolved Fanaticweb

    (@fanaticweb)


    6 years, 9 months ago

    John,

    I received a security alert from my host stating the following:

    A few minutes ago, our antivirus scanner detected that a malicious file was uploaded to your webspace.

    /wp-content/uploads/backupbuddy_temp/j2o9barz4y/wpweb_redirection_404.sql

    When I checked with Sucuri.net, it flagged the site being infected with a Known javascript malware

    I understand that the main plugin BackupBuddy was performing an automated backup and stored the DB files in a temp folder but your file got flagged as being the one infected.

    Any input or feedback would be appreciated

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author John Godley

    (@johnny5)

    6 years, 9 months ago

    The 404 log contains 404 requests to your site. If someone requests a URL that is associated with malware then it will be logged. This will appear in your backup file, which is then being falsely detected.

    Thread Starter Fanaticweb

    (@fanaticweb)

    6 years, 9 months ago

    I understand and makes sense, but why did Sucuri.net flag my site with a Known javascript malware? I doubt they can access and read those logs, meanwhile, I’m going to run this with the iThemes team, the developers of BackupBuddy, to get their feedback as well.

    I appreciate your prompt response.

    Plugin Author John Godley

    (@johnny5)

    6 years, 9 months ago

    Sucuri does register false positives, and the two reports may be unconnected. Given the information available there’s nothing else I can really say.

    Thread Starter Fanaticweb

    (@fanaticweb)

    6 years, 9 months ago

    I understand, I’m gonna run some tests and followup with the updates, thank you John.

    Thread Starter Fanaticweb

    (@fanaticweb)

    6 years, 9 months ago

    Just gonna add this here: every time I update the plugin, it fails, its the only one that fails, yet, when I refresh the page, the plugin update seems to have gone through.

    Any thoughts on this behavior?

    Plugin Author John Godley

    (@johnny5)

    6 years, 9 months ago

    Fails how? Refresh what page? Gone through what?

    Thread Starter Fanaticweb

    (@fanaticweb)

    6 years, 9 months ago

    Fails with the error “Failed to update” it displays some raw HTML code listing all the plugins on-board, so I ignore the error, refresh the page and try again, then the update goes through successfully, my gut feeling is a possible malware onboard and it’s affecting the behavior of your plugin for some reason.

    Plugin Author John Godley

    (@johnny5)

    6 years, 9 months ago

    Ok, so that message comes from WordPress during the update process. Redirection has no control over this, and it is not related to Redirection itself. Maybe you have some file permission problems.

    Why do you think it’s malware?

    I will assume your original report is no longer an issue now. For future malware issues it’s always better to go direct to the author. This means that if there is a problem it can be fixed before it becomes generally exploitable. If there isn’t a problem then you don’t cause undue alarm for others that may read the report in a public forum.

    Thread Starter Fanaticweb

    (@fanaticweb)

    6 years, 9 months ago

    Noted and agree, by all means, please go ahead and delete/remove this thread.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Possible javascript malware code injection’ is closed to new replies.