Support » Plugin: PHP Everywhere » Impersonation of this plugin

  • Plugin Author Alexander Fuchs

    (@alexander_fuchs)


    Dear users of this plugin,

    I recently got a report that this plugin is being impersonated by referrer malware. The malware may use the name of “PHP Everywhere Support” and may use the developer name “Alexander Fuchs”. The malware was observed to use the file path “wp-content/plugins/plugs/plugs.php”, but may be using a different path or name depending on the infection of the site.

    Neither I as a developer nor this plugin is related to this malicious attack. And I am personally disappointed in the abuse of a non-profit open-source project for such things.

    Based on what I know so far, the malware will add itself as a separate plugin. If you suspect that you are infected by the malware, you can uninstall all plugins with “PHP Everywhere” in their name and reinstall the official “PHP Everywhere” plugin from the WordPress plugin directory.

    Feel free to post any questions under this post.

    Thanks for using this plugin and your continued support.

    Alexander Fuchs
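
The check described in the post above, as an added example that is not part of the original post or of the plugin's code: it lists installed plugins whose header claims a “PHP Everywhere” name from any location other than the official plugin directory. The slug `php-everywhere`, the function names and the constructed sample tree are assumptions made for this example.

```python
import re
import sys
import tempfile
from pathlib import Path

OFFICIAL_SLUG = "php-everywhere"  # assumption: directory of the genuine plugin
WATCH_NAME = "php everywhere"     # name fragment the post says to look for
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Author):[ \t]*(.*?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

def read_headers(php_file):
    """Header fields from the first 8 KiB, the part WordPress itself parses."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head.replace("\r", "\n")):
        fields.setdefault(key.lower(), value)
    return fields

def find_impersonators(plugins_dir):
    """Return (relative path, plugin name, author) for each look-alike plugin."""
    root = Path(plugins_dir)
    hits = []
    # WordPress only reads headers from plugins/*.php and plugins/<dir>/*.php.
    for php_file in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        fields = read_headers(php_file)
        name = fields.get("plugin name", "")
        rel = php_file.relative_to(root)
        if WATCH_NAME in name.lower() and rel.parts[0] != OFFICIAL_SLUG:
            hits.append((rel.as_posix(), name, fields.get("author", "")))
    return hits

def build_constructed_sample(root):
    """Constructed tree: a plugin in the official slug plus the path from the post."""
    for rel, name in (("php-everywhere/php-everywhere.php", "PHP Everywhere"),
                      ("plugs/plugs.php", "PHP Everywhere Support")):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Author: Alexander Fuchs\n */\n")
    return root

if __name__ == "__main__":
    # Pass the path to wp-content/plugins; with no argument the constructed sample is scanned.
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample(tempfile.mkdtemp())
    for path, name, author in find_impersonators(target):
        print(f"SUSPECT {path}: name={name!r} author={author!r}")
```

A hit is a starting point for manual review. The post notes that the malware may use a different path or name, so an empty result does not clear a site.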

Viewing 4 replies - 1 through 4 (of 4 total)
  • I had this malicious plugin show up on a client’s site on May 31, exactly as you describe. The site did not have the real PHP Everywhere plugin installed. I do not yet have proof of how this malware was installed, but it is likely related to similar reports about a “Yobar Wordpresa” plugin being installed via the Jetpack remote management interface. We are using ManageWP, but the similarities are striking.

    In our case, this client’s site was connected to more than one ManageWP account. Our account shows no activity on May 31, so we are checking with the other party to confirm if their account shows activity at that time.

    I haven’t been able to find much more information about this, so if anyone else had this issue, do you have a remote management plugin installed?

    Just dropping back in to confirm that the plugin was indeed remotely uploaded via ManageWP through our client’s partner’s account. We have the partner’s account logged via Wordfence’s wfLogins table at the exact time the plugin was uploaded, connected via python-requests and not a browser.

    One more wrinkle in this saga: it doesn’t seem like this was done via ManageWP after all. At least not directly in any sense. The user agent string, “python-requests/2.25.1”, does not show up for any other ManageWP site access, and the IP addresses associated with the Wordfence log are from India and Hungary. Seems there may be a separate root cause/vulnerability that I will probably be unable to trace.

    @alexander_fuchs

    Hi. Is this plugin still being supported? I am desperate for one that allows PHP to be written in a Gutenberg block!
