• Resolved signify

    (@signify)


    Hi,

    Some assistance please!

    Using WordFence this appeared in the log file:

    File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/jetpack-start/js/ie-shims.js

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “ZXZhbC”.

    My question is this: is it OK to delete this file or has it been corrupted and needs to be reinstalled with a fresh version of the file?

    Thanks,
    Amanda

    https://wordpress.org/plugins/jetpack/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    That file seems to be part of another plugin, “mojo-marketplace-wp-plugin”, added by your hosting provider, BlueHost, when you created your site. It allows the BlueHost WordPress installer to install other plugins, like Jetpack in this case.

    The ie-shims.js is not malicious though, and the “ZXZhbC” text mentioned by WordFence is part of the original file:
    https://github.com/Automattic/jetpack-start/blob/master/js/ie-shims.js#L1937

    However, I’ll see if we can solve that false positive alert generated by WordFence. I’ll let you know as soon as I have some news.

    In the meantime, you can ignore that warning, the file hasn’t been compromised.

    Thanks for letting us know!
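A way to triage this kind of alert, added here as an example (it is not Wordfence's or Jetpack's code): "ZXZhbC" is what base64 produces for "eval" followed by a character such as "(", but only when the token starts on a 4-character boundary of the encoded data, so decoding around each hit shows whether it is a coincidence inside unrelated data. The function name, the 16-character run threshold and both sample strings are assumptions constructed for the illustration.

```python
import base64
import re

SIGNATURE = "ZXZhbC"  # the matched text quoted in the Wordfence alert
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")  # assumption: 16+ chars is a base64 run

def triage(text):
    """Return one finding per SIGNATURE hit inside a base64-looking run."""
    findings = []
    for run in B64_RUN.finditer(text):
        blob = run.group(0)
        pos = blob.find(SIGNATURE)
        while pos != -1:
            # base64 maps 4 characters to 3 bytes, so decode from the start of
            # the 4-character group containing the hit, not from the hit itself.
            start = pos - pos % 4
            chunk = blob[start:start + 24]
            chunk = chunk[:len(chunk) - len(chunk) % 4]
            findings.append({
                "offset": run.start() + pos,
                # Only an aligned hit decodes to the bytes "eval" + punctuation.
                "aligned": pos % 4 == 0,
                "decoded": base64.b64decode(chunk),
            })
            pos = blob.find(SIGNATURE, pos + 1)
    return findings

# Constructed samples, not taken from ie-shims.js or from any real site.
# 1) The token sits at offset 17 of an arbitrary blob: a coincidental match.
COINCIDENCE = 'var blob = "QUJDREVGR0hJSktMSZXZhbCAAAAAAAAA";'
# 2) The token starts the blob, so it really is an encoded "eval(" string.
ENCODED_CALL = ('var s = "'
                + base64.b64encode(b"eval('1+1'); // constructed sample").decode()
                + '";')

if __name__ == "__main__":
    for name, sample in (("coincidence", COINCIDENCE), ("encoded call", ENCODED_CALL)):
        for hit in triage(sample):
            print(name, hit["offset"], hit["aligned"], hit["decoded"])
```

Alignment is measured from the start of each matched run, so line-wrapped or concatenated base64 has to be joined before it is checked. An aligned hit still only says what the data decodes to; comparing the flagged file with the upstream copy is what settles whether it was modified.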

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    We’ve made some changes to the file, and it won’t create any other warnings once it’s updated by BlueHost on your site.

    We should be all set!

    Thread Starter signify

    (@signify)

    Thanks for your excellent help.

    Amanda

    I just had the same thing happen. I’m hosted on Fatcow.

    Wordfence found the following new issues on “FourChicks.net”.

    Alert generated at Friday 31st of July 2015 at 04:41:44 PM

    Critical Problems:

    * File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/jetpack-start/js/ie-shims.js

    fourchicks.net is my site

    Any updates on this update fix Jeremy with Fatcow? I didn’t see a reply to the last poster. I just received this notification recently by WordFence. Thanks.

    WordFence Alert:
    File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/jetpack-start/js/ie-shims.js
    Filename: wp-content/plugins/mojo-marketplace-wp-plugin/tests/jetpack-start/js/ie-shims.js
    File type: Not a core, theme or plugin file.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “ZXZhbC

    Mark

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    You can rest assured: that’s a false positive.

    However, I’ve contacted WordFence to discuss this issue and see if we can work together to avoid such problems. You can follow our discussion here:
    https://wordpress.org/support/topic/jetpack-start-wordfence-security-scanning-conflict?replies=1&view=all#post-7515122

    Thanks for the update! I figured it was a false positive but just being careful. Keep up the good work.

    Mark

    How can you say that’s a false positive??
    This may be a serious hacker attack, and if you’re not thorough and QUICK in your investigation, not only your site, but also all your related sites could be compromised!

    I say this because this horrible virus has spread a massive infection in my sites!
    Here’s how to tell if you’ve been compromised:
    Open your Cpanel. Go to File Manager. Navigate to the site that your Wordfence scan said had an issue.
    Open these files, one by one:
    wp-config.php
    index.php
    header.php

    Now look at the code of those files. If you see a whole slew of base64 code crap in there at the top, right after the php command, guess what? You’re screwed!
    And if you’re not fast, it could possibly spread all over.

    If you don’t see that code, consider yourself very lucky.

    Another giveaway: If the flyout menus in your WordPress installation suddenly stop working, you might have this.

    Right now, I wish I had a simple solution for recovering from this.

    But all I can say is – if you have this horrible infection – is to run a complete Wordfence scan. Then go through the files it shows you are infected, and clean that code out using your Cpanel code editor.
    If your flyout menus start working again, you might be ok…for a while.

    I hope this helps someone.
    Good luck.
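The manual check described in the post above (open wp-config.php, index.php and header.php and look for base64 right after the opening PHP tag), written as a script. This is an added example, not code from the thread or from Wordfence; the function names, the 4096-character window, the 120-character threshold and the sample files are assumptions constructed for the illustration.

```python
import base64
import posixpath
import re

CHECKED = {"wp-config.php", "index.php", "header.php"}  # files named in the post
HEAD_CHARS = 4096  # assumption: how much text after the opening tag to inspect
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}")  # assumption: 120+ chars is a blob
DECODE_CALL = re.compile(r"base64_decode\s*\(", re.IGNORECASE)

def inspect_head(source):
    """Return the reasons the top of a PHP file looks injected (empty if none)."""
    tag = source.find("<?php")
    if tag == -1:
        return []
    head = source[tag + len("<?php"):][:HEAD_CHARS]
    reasons = []
    if LONG_B64.search(head):
        reasons.append("long base64 run right after <?php")
    if DECODE_CALL.search(head):
        reasons.append("base64_decode() call right after <?php")
    return reasons

def scan(files):
    """files maps path -> contents; only the three named files are inspected."""
    report = {}
    for path, source in files.items():
        if posixpath.basename(path) in CHECKED:
            reasons = inspect_head(source)
            if reasons:
                report[path] = reasons
    return report

# Constructed sample tree; the blob decodes to a harmless comment.
BLOB = base64.b64encode(b"/* constructed placeholder, not real code */" * 4).decode()
SAMPLE = {
    "site/wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
    "site/index.php": '<?php eval(base64_decode("' + BLOB + '")); ?>\n'
                      "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "site/wp-content/themes/demo/header.php": "<!DOCTYPE html>\n<?php wp_head(); ?>\n",
    "site/wp-content/uploads/notes.php": '<?php $x = "' + BLOB + '";\n',
}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path, reasons)
```

The last sample file carries the same blob but is skipped because its name is not one of the three, which is why the post pairs this check with a complete scan.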

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    @tonypearl The case listed above was a false positive. The WordFence log information @signify posted when he opened the thread allowed us to find the exact line of code that was triggering the warning. That line of code didn’t include any malicious code. It doesn’t insert any code in any other file of your WordPress installation.

    If you did experience such issues on your site, I can confirm that the malicious code wasn’t added via the original ie-shims.js file in the MOJO Marketplace plugin.

    Right now, I wish I had a simple solution for recovering from this.

    But all I can say is – if you have this horrible infection – is to run a complete Wordfence scan. Then go through the files it shows you are infected, and clean that code out using your Cpanel code editor.
    If your flyout menus start working again, you might be ok…for a while.

    Once you’ve done all that, I’d strongly recommend following the instructions at the link below to make sure no one can get in again in the future:
    https://codex.wordpress.org/FAQ_My_site_was_hacked

    I hope this helps.

  • The topic ‘Malicious file i.e.-shims.js in the Jetpack tests directory’ is closed to new replies.