Support » Plugin: Quttera Web Malware Scanner » Help needed! Website probably infected.

  • Resolved vossalab

    (@vossalab)


    Hi there,

    Can you guys help out? We’ve used Quttera internal scan and got theses results. Unfortunately, we can’t decipher whats going on. Report below.

    =======================================================================
    Quttera Web Malware Scanner plugin for WordPress
    Website Malware Scan Report
    
    Scanned Website: https://orgiecompany.com
    Scan type: Internal
    Report generation time: 2021-11-04 16:37
    
    Scan launch time: 2021-11-04 16:12
    Scanned files: 32205
    Clean: 32185
    Potentially Suspicious: 9
    Suspicious: 7
    Malicious: 4
    
    © 2021 Quttera Ltd. All rights reserved.
    For any questions about this report: support@quttera.com
    =======================================================================
    
    FILE: wp-admin/error_log
    FILE_MD5: f86e6d114c1bbb9e2ba906cc51c863e6
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: f86e6d114c1bbb9e2ba906cc51c863e6
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-includes/functions.php
    FILE_MD5: bb5e0afc6e3bbc183d056d9418fe66bc
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: bb5e0afc6e3bbc183d056d9418fe66bc
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file
    
    FILE: wp-includes/.htaccess
    FILE_MD5: afbfe5b96c30725461c87c5a9b438a0a
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: afbfe5b96c30725461c87c5a9b438a0a
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ea818234bd45260819f343124a2b49bd
    THREAT_NAME: Heur.PHP.Hexa.gen.4e
    THREAT: $v[0].$v[0].$v[1].$v[1].$v[2]....
    DETAILS: Detected malicious PHP obfuscation
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ea818234bd45260819f343124a2b49bd
    THREAT_NAME: Heur.PHP.Encoded.gen
    THREAT: $v[0].$v[0].$v[1].$v[1].$v[2]....
    DETAILS: Detected malicious PHP obfuscation
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 9a9bb3830c4b5d46c22c9e3e66f3c21f
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: system/library/xlsxwriter.class.php
    FILE_MD5: 99eb95176201e11212bfc9e7650c901b
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 77d806dc7371711849afef87d14c29c4
    THREAT_NAME: Heur.PHP.Encoded.gen
    THREAT: \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e...
    DETAILS: Generic suspicious HEX encoder
    
    FILE: wp-admin/network/error_log
    FILE_MD5: ccf1dce3dd1c18d821375390b8fbb28b
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ccf1dce3dd1c18d821375390b8fbb28b
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-admin/user/error_log
    FILE_MD5: 6e3dccea3211902769fc49c3f2cbd9ee
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 6e3dccea3211902769fc49c3f2cbd9ee
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-includes/blocks/error_log
    FILE_MD5: dcc811f89f18368f6e7e2c2d60418bde
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: dcc811f89f18368f6e7e2c2d60418bde
    THREAT_NAME: Heur.AlienFile.gen
    THREAT: Unknown file in core directory...
    DETAILS: Detected unknown file in core directory
    
    FILE: wp-content/plugins/antispam-bee/CHANGELOG.md
    FILE_MD5: 871aea79c292f0b6bb61aa18aa5dc44c
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/antispam-bee/js/raphael.min.js
    FILE_MD5: c6a62efcd62b5aface9a6e03272b7ce9
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: c664da642f08448d6b4cfb11c840b7e5
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \x09\x0a\x0b\x0c\x0d\x20\xa0...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/litespeed-cache/lib/jsmin.cls.php
    FILE_MD5: c0b1f1372db6d72a0304614b5b9226dd
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 44d596c8f0b86a1f94015eb5b55af2c4
    THREAT_NAME: Heur.PHP.iframe.gen.38
    THREAT: preg_replace('/e...
    DETAILS: Detected malicious iframe injection
    
    FILE: wp-content/plugins/sucuri-scanner/src/mail.lib.php
    FILE_MD5: 7b6d288b03158f92691a4b1e75f2a824
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 385be5e48f8157440cca64b0dea95da5
    THREAT_NAME: Heur.PHP.Mailer.gen.4c4b4f
    THREAT: @mail($email, $subject, $message, implode("\r\n", $headers)...
    DETAILS: Detected suspicious mailer
    
    FILE: wp-content/plugins/yith-woocommerce-badges-management/plugin-fw/yit-deactive-plugin.php
    FILE_MD5: 9806469f9cb1525500509e524089757a
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 1b44e2c055310d733b72c27516a19d23
    THREAT_NAME: Heur.PHP.Redirection.gen
    THREAT: <?php /** * Functions for deactivating plugins. * * @pac...
    DETAILS: Detected malicious redirection header
    
    FILE: wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/yit-deactive-plugin.php
    FILE_MD5: 9806469f9cb1525500509e524089757a
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 1b44e2c055310d733b72c27516a19d23
    THREAT_NAME: Heur.PHP.Redirection.gen
    THREAT: <?php /** * Functions for deactivating plugins. * * @pac...
    DETAILS: Detected malicious redirection header
    
    FILE: wp-content/themes/bridge/css/woocommerce.min.css
    FILE_MD5: 0491bb25eefe859d8bc5a7ab74d3c7d9
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/themes/bridge/css/woocommerce.css
    FILE_MD5: 03e28dfa8a01594f44393a5048fc9b65
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/yith-woocommerce-badges-management/plugin-fw/includes/class-yit-plugin-panel.php
    FILE_MD5: 00ab60b6c4e5a36c4a401bcd2ba8013d
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/includes/class-yit-plugin-panel.php
    FILE_MD5: 9649ac9133928bbd29f9a26529e77729
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/revslider/public/assets/css/settings.css
    FILE_MD5: 3562402588e3bd6410012cf058d1948c
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/revslider/public/assets/css/settings-source.css
    FILE_MD5: bbdc05bd89914457a2e2fd5c82d2169f
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/fat-portfolio/assets/js/library/diamond/jquery.diamonds.js
    FILE_MD5: 68ac808506b98e834aef4057935117c0
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 0828df5c240b8860e3853e270ecda0cf
    THREAT_NAME: Heur.JS.Encoded.gen
    THREAT: 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace...
    DETAILS: Suspicious obfuscated JavaScript threat
    
    FILE: admin/view/javascript/d_shopunity/library/codemirror/mode/julia/index.html
    FILE_MD5: 69db273ff7565bb4dd261c774cf95a40
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: ccc4d60100b9840a602836237f6d66d9
    THREAT_NAME: Heur.PHP.Encoded.gen.276B
    THREAT: @eval(:x)...
    DETAILS: Detected suspicious eval call

    Thanks!

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author quttera

    (@quttera)

    Hello,

    Based on the report you have modified WordPress core files as well as alien files added to WordPress core directories (these files should not be there).

    Can you please send archive (zip/tgz) including the following files to support[at]quttera.com for further investigation

    wp-includes/functions.php
    wp-includes/.htaccess
    admin/view/javascript/d_shopunity/library/codemirror/mode/julia/index.html
    system/library/xlsxwriter.class.php

    Please mention the website’s domain name

    Our malware research team will investigate these files and will share the verdict

    Best Regards

    Thread Starter vossalab

    (@vossalab)

    Hello,

    Files sent!

    Best regards,
    Pedro Pina

    Thread Starter vossalab

    (@vossalab)

    Hello!

    Thank you very much for the speedy reply. Glad to know that everything is safe and running smoothly. Updating the post status.

    Best regards,
    Pedro Pina

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Help needed! Website probably infected.’ is closed to new replies.