• Resolved John

    (@dsl225)


    Hello,

    FYI, I received 2 messages related to the update process of the latest version, about a site hosted at Hawk Host, flagging files that supposedly were viruses:

    Our systems performed a routine malware/virus scan on your account and unfortunately located infected/malicious files. We’ve automatically moved the infected file(s) out of your public_html directory into a safe, quarantined directory. Below is the file our scanners were able to locate:

    ***/wp-content/upgrade/ewww-image-optimizer.4.7.3-6cBu1z/ewww-image-optimizer/binaries/gifsicle-linux
    (quarantined to ***/gifsicle-linux.1555637737_1) ClamAV detected virus = [Heuristics.Broken.Executable]

    and about 3 hours later this one:

    Our systems performed a routine malware/virus scan on your account and unfortunately located infected/malicious files. We’ve automatically moved the infected file(s) out of your public_html directory into a safe, quarantined directory. Below is the file our scanners were able to locate:

    ***/wp-content/plugins/ewww-image-optimizer/binaries/pngquant-fbsd
    (quarantined to ***/pngquant-fbsd.1555635651_1) ClamAV detected virus = [Heuristics.Broken.Executable]

    Please let me know how to follow-up with this.

    Thanks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author nosilver4u

    (@nosilver4u)

    It’s most likely a false positive, none of the binaries were changed in the most recent update.
    To be double-sure, delete the plugin completely, and then reinstall from the built-in plugin installer.

    Thread Starter John

    (@dsl225)

    Thanks, I did that and didn’t get any more alerts.
    Seems to be a false positive as you said.
    Thanks!

    I have doubts about the “EWWW Image Optimizer” plugin now. I installed it on 4 of my sites.
    All of them got infected.

    I get this message on all of my sites.

    Deceptive site ahead
    Attackers on #######-002-site3.######.com may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards). Learn more

    Turns out, my image was infected.

    Plugin Author nosilver4u

    (@nosilver4u)

    @hocscreative That means your site was hacked and blacklisted by Google, has nothing to do with EWWW IO. The plugin would get kicked off WordPress.org in no time flat for pulling crap like that.

    I understand what you are saying mate.
    I am just saying from what I experienced.

    The site was hacked by an image that got injected.
    All four sites I had problems with had the ewww plugin.

    But with one of them in particular, I could not solve the deceptive issue though I removed the domain name out of it completely.

    So I looked in the server and it turns out the ewww plugin caused the issue.
    I removed the plugin and my site was back to normal.
    No more Deceptive.

    Now you say it was not your plugin. I am not so sure about that.

    Plugin Author nosilver4u

    (@nosilver4u)

    We scan the plugin every day to make sure no one has tampered with the files on wordpress.org, there are no known security issues with the plugin. Additionally, no one else has ever reported Google flagging their site for having the plugin installed, and it’s installed on 700,000+ sites…

    Recently my site was also exposed to malware, but after I disabled the EWWW Image Optimizer plugin, my site returned to normal. Until now I am still investigating the causes of malware, I am not sure if EWWW Image Optimizer is infected by malware.

    Plugin Author nosilver4u

    (@nosilver4u)

    If you’re not sure, delete it and reinstall from wordpress.org. And for future reference, don’t post on an old/resolved thread, always start your own.
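
One way to check an installed copy before or after reinstalling, as an added example that is not part of the thread or the plugin's own code: compare the installed plugin directory with a freshly extracted copy of the same version from wordpress.org by SHA-256, and check a quarantined file against the reference binary. The function names and directory arguments are assumptions for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

def file_sha256(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root):
    """Map each relative path under root to its digest (symlinks are recorded, not followed)."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            out[rel] = "symlink:" + os.readlink(p)
        elif p.is_file():
            out[rel] = file_sha256(p)
    return out

def compare_trees(installed, reference):
    """Report files that differ from, are absent from, or are absent in the reference copy."""
    inst, ref = tree_digests(installed), tree_digests(reference)
    return {
        "modified": sorted(p for p in inst.keys() & ref.keys() if inst[p] != ref[p]),
        "extra": sorted(inst.keys() - ref.keys()),      # not shipped with the plugin
        "missing": sorted(ref.keys() - inst.keys()),    # e.g. moved to quarantine by the host
    }

def matches_reference(quarantined_file, reference_root, rel_path):
    """True if a quarantined file is byte-identical to the reference copy's file at rel_path."""
    ref_file = Path(reference_root) / rel_path
    return ref_file.is_file() and file_sha256(quarantined_file) == file_sha256(ref_file)

if __name__ == "__main__":
    # Usage (hypothetical paths): script.py <installed plugin dir> <extracted reference dir>
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
    sys.exit(1 if report["modified"] or report["extra"] else 0)
```

A quarantined binary that matches the reference copy supports the false-positive reading; a "modified" or "extra" entry means the installed tree is not what wordpress.org ships and the site needs a wider look.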

  • The topic ‘Host identified files as malware in latest update package’ is closed to new replies.