• Resolved acrwebline

    (@acrwebline)


    I love your plugin. In advance, thank you. If you could, please do an update in your definitions to include a solution for the following problem: I ran across the malware called sneaky social.png, which in fact is a php file injecting malicious code in the active theme’s options file. More in this link: https://www.malwareremovalservice.com/category/security-information/wordpress-security/ Your plugin does not detect it because it gets installed on the server as a file with a png extension. However, if you open it in a text editor, you will find code that looks something like this: < ? php error_reporting( 0 ) ; if (!defined(‘WP_OPTION_KEY’)) { function txyFqaETRPUyiEgQatokJIY() { define(‘WP_OPTION_KEY’,’c’);

    https://wordpress.org/plugins/gotmls/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter acrwebline

    (@acrwebline)

    This code causes the front page of the wordpress site to display a blank page.

    Plugin Author Eli

    (@scheeeli)

    My plugin should find where that image is being included and remove the reference to it from there. If you are saying that it did not do this with the latest definition update then I would like to check your site personally and see why it was not found.

    If you are willing to give me access to your WP Admin so I can figure this out and add it to my definition update then please email me directly: eli AT gotmls DOT net

    Thread Starter acrwebline

    (@acrwebline)

    Thank you for your prompt reply. I spent the whole night removing the replications of the social.png using names like social0.png, social10.png, social20.png etc. Now it shows copies on other websites on my server. I believe a theme or a third party plugin may have been the cause. However, I have no way of knowing on which domain it started. I did a search and deleted all of them from the server, but my guess is it is going to come back unless I clean the code, if I can find it.

    Thread Starter acrwebline

    (@acrwebline)

    I forgot to mention the code gets inserted in the “functions.php” file of the active theme.

    Plugin Author Eli

    (@scheeeli)

    I would very much like to help you with this. I’m sure my plugin can do all the cleaning up for you. If you would be willing to send me a WP Admin login to your site I can get it to do all the heavy lifting 😉

    please email me directly: eli AT gotmls DOT net

    Thread Starter acrwebline

    (@acrwebline)

    Hi Eli, thank you for your assistance. I found the script that loaded the file at the end of the file “functions.php” of the theme installed. I removed the code and I sent you the social.png file in ZIP format for your evaluation. If you open it with a text editor, you will see the malicious code. Unfortunately, I think your plugin sees the file as an image file and cannot read it for detection. Again, thank you for your great plugin. I foresee a donation coming your way. Take care and keep up the good work.

    Plugin Author Eli

    (@scheeeli)

    Hi Jose,
    Thanks for sending me that PNG file. I will add this new code to my definition update right away. My plugin does ignore PNG files (and other binary files too) based on their extension, not because they can’t contain malicious PHP code but because even if they do contain PHP code it can’t be executed without being included by another PHP script. It is the scripts that include these false-image files that are the real threat.

    You mentioned that you were able to find the plugin that caused the problem. Could you please send me that malicious file as well? I would like to see how these files were written and included to be sure that I have that in my definitions too.

    Aloha, Eli

    Thread Starter acrwebline

    (@acrwebline)

    I just sent it your way. Thanks again.

    I also have the same social.png across all my domains hosted on justhost; painful to see and it’s injecting into everything. Is there a solution to this problem?

    Sent you a message and made a donation. Thx

    Plugin Author Eli

    (@scheeeli)

    Thanks for the donation. I have added this threat to my definition updates so my plugin should disable this malware from including itself in your content. The tricky problem with this code is that the social.png files are included elsewhere in the PHP code of your site, so if you delete these PNG files it could break your site. My plugin can find where it is included and remove that malicious code; then the PNG files are harmless since they cannot be executed without being included elsewhere.

    Here is a quick step-by-step guide to resolving this issue (do this on each site):
    1. Download and install my plugin.
    2. Download the latest Definition Update within the plugin Settings page.
    3. Run the Complete Scan on the whole site.
    4. Click “Automatically Fix…” if any Known Threats or Back-doors are found.
    5. Once the include injections are removed you should be able to safely delete all of those social.png files, but if your site breaks when you delete them then you will either need to put them back and scan again or check your error_log to see where they are being included from.

    Run the following command to delete files:

    #find -L /var/ -type f \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \;|grep PHP >~/virus-files

    It will be saved in ~/virus-files; now we can delete all files mentioned in the “virus-files” file.

    Plugin Author Eli

    (@scheeeli)

    #find -L /var/ -type f \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \;|grep PHP >~/virus-files

    This command assumes that your website files are in the /var/ directory and that you have shell access to your server, it also fails to find files with UPPERCASE extensions, but other than that it would be reasonably effective at producing a list of bogus image files.

    Keep in mind, specifically with this social.png hack, these bogus image files cannot do any harm unless they are included from another PHP script on your site. And, EVEN MORE IMPORTANT, if they are included somewhere in the PHP code of your site then you will be breaking your site if you delete these files. That is why my plugin searches the PHP code on your site for the include line that executes the code in these files.
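    The two checks discussed above (the find/file command for image-named files that hold PHP, and Eli's point that the real threat is the PHP script that includes them) combined into one script. This is an added example, not code from the thread or from the GOTMLS plugin; it matches extensions case-insensitively, which the quoted command does not, and the sample site it builds under mktemp is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not the plugin's code). Assumes POSIX sh, find, grep, mktemp.

# List files with image extensions (any case) whose contents carry a PHP open tag.
find_fake_images() {
    find -L "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.gif' -o -iname '*.bmp' \) -exec grep -il '<?php' {} \; 2>/dev/null
}

# List PHP files whose include/require line points at an image-named path.
# These include lines are what actually executes the bogus image, so they are
# what must be removed before the image files can be deleted safely.
find_image_includes() {
    grep -rilE --include='*.php' \
        '(include|require)(_once)?[[:space:]]*\(?[^;]*\.(png|jpe?g|gif|bmp)' "$1" 2>/dev/null
}

# Build a constructed sample site so both checks can be exercised offline.
# Prints the site root so the caller can scan and later remove it.
make_sample_site() {
    d=$(mktemp -d)
    t="$d/wp-content/themes/demo"
    mkdir -p "$t"
    # fake image: PHP source saved with a .png name (constructed, harmless)
    printf '<?php\nerror_reporting(0);\n' > "$t/social.png"
    # genuine PNG signature with an uppercase extension, must not be flagged
    printf '\211PNG\r\n\032\n' > "$t/LOGO.PNG"
    # theme file carrying the include line that loads the fake image
    printf '<?php\n// theme code\ninclude(dirname(__FILE__) . "/social.png");\n' > "$t/functions.php"
    printf '<?php\necho "clean";\n' > "$t/header.php"
    printf '%s' "$d"
}
```

Review the include hits before deleting anything listed by the first check, since removing an image file that is still included is what breaks the site.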

  • The topic ‘Fake social.png is a php file injecting malicious code in theme options file’ is closed to new replies.