Duplicator - WordPress Migration Plugin support forum: Malicious file flagged by WordFence

  • Resolved asaracena

    (@asaracena)


    In the last two days I received the following warning from WordFence for four websites I manage:
    Filename:

    File Type: Not a core, theme, or plugin file from wordpress.org.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is:

    The infection type is: Vulnerable:PHP/duplicatorinstaller
    Description: Potentially unsafe file generated by Duplicator backups which can allow malicious actors to execute arbitrary code.

    The four websites are on three different hosts – HostMonster, Dreamhost and GoDaddy. Is there some vulnerability that is allowing hackers to inject code through the plugin? Or is this a false flag from WordFence?

Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Your site is hacked and please do not post malware code again here.

    Give this a good read.

    https://codex.wordpress.org/FAQ_My_site_was_hacked

    I have received the same thing, and like the OP said, what is this about? Is it actually hacked? Is it “Potentially unsafe file generated by Duplicator backups which can allow malicious actors to execute arbitrary code.”

    Why is Duplicator generating unsafe backups, according to Wordfence? That doesn’t sound good. Is there a vulnerability, or is it a false flag?

    Can you explain this please? Thanks.

    Jan, can you let the author answer the question please? Thanks.

    Plugin Author Cory Lamle

    (@corylamleorg)

    Just to be clear, Duplicator is not generating unsafe backups. The notice is a valid warning indicating that Duplicator install files were left on the server. These files will need to be removed from your server. For more details please visit this FAQ link:

        – Which files need to be removed after an install?
        – https://snapcreek.com/duplicator/docs/faqs-tech/#faq-installer-295-q

    Thanks for your message Corey however on all of these sites I only use Duplicator for backups. I haven’t migrated any of these sites using Duplicator so the install.php file was never used, just created using the plugin and stored in the snapshots folder.

    Either these files were generated by Duplicator or they are being added to the snapshots folder by a hacker – which seems unlikely on three different hosts especially as this is the only file that’s coming up with malicious code.

    Of course I have deleted the file(s) flagged by WordFence.

    Plugin Author Cory Lamle

    (@corylamleorg)

    Hi @asaracena,

    Duplicator does not create non-hashed files on the server during a package build (backup). The installer files are only laid down at install time from within the archive. Also, take note that WordFence also scans outside of your WP site so if you have other sites it may have picked up those paths. What is the name of the files that WordFence flagged as malicious?

    Thanks

    Thanks Cory for your reply. These are the files flagged by WordFence:
    wp-snapshots/20151207_alisonsaracena_687380ad026a98789219180425060847_installer.php
    wp-snapshots/20170705_icsia_7eecd6f82bdc24e83262180512093850_installer.php
    wp-snapshots/20170228_100friends_3331fe9447fe4ab62533171117090909_installer.php
    wp-snapshots/20170228_100friends_c0e4758893a1487e3867180508041512_installer.php
    wp-snapshots/20160828_uddami_a6ad7ee3cdfa3f7c1963180630071144_installer.php

    Alison

    Plugin Author Cory Lamle

    (@corylamleorg)

    Those files are hashed so they should not be an issue as far as I can see. I would report this back to WordFence as that looks to be a false scan.

    Hope that helps~

    Cory – I tried to put the entire WordFence message that included the malicious code in my first message but WP deleted it. Is there a way I can get that to you without copying it here? I could do a screenshot but there’s no way to attach it to this message.

    Plugin Author Bob Riley

    (@bobriley)

    Hi, could you send that text to support@snapcreek.com – Thanks

    Bob

    Plugin Author Bob Riley

    (@bobriley)

    Hi, I just got done talking with Wordfence. They WILL flag installer versions 1.2.40 and below as security risks – and based on the timestamp of all installers in your list it appears all of those installers were older ones. We had implemented an important security fix in 1.2.42 so any 1.2.42 installer or later should not be flagged by Wordfence.

    If you see Wordfence flag an installer that has been created with Duplicator 1.2.42 or later please let us know since those should not be getting flagged.

    Bob

    Thanks Bob – I really appreciate your thoroughness on figuring out this issue.

    I don’t keep track of which Duplicator version I use to make backups however I generally do this monthly and keep 2-3 backups just to be sure I have one that will work if I need it (most of my sites don’t change that often). So it’s possible that the flagged files were made prior to 1.2.42.

    When was Duplicator 1.2.42 created? If I know the date I can delete any backups made prior to that update.

    Alison

    Plugin Author Bob Riley

    (@bobriley)

    Hi Alison, 1.2.42 was released on August 24, 2018 so anything before that date would have been built with an earlier version.

    Bob
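The thread gives a practitioner two facts to act on: leftover `installer.php` files should not stay on a server, and hashed installers whose build date precedes the 1.2.42 release (August 24, 2018, per Bob Riley's reply) are the ones Wordfence flags. The script below is an added example for this thread, not Duplicator or Wordfence code. It assumes hashed installer names follow the shape quoted above, `YYYYMMDD_<site>_<hex>_installer.php`, and that the leading date is the build date; the scan also records each file's modification time so an admin can cross-check before deleting.

```python
"""Find leftover Duplicator installer files under a WordPress tree and flag the
ones built before the 1.2.42 security fix.

Added example for this support thread; not Duplicator or Wordfence code.
Assumptions: hashed installer names look like YYYYMMDD_<site>_<hex>_installer.php
(the shape quoted in the thread) and the leading date is the build date.
"""
import re
import tempfile
from dataclasses import dataclass
from datetime import date, datetime
from pathlib import Path
from typing import Optional

# Release date of Duplicator 1.2.42, as stated by Bob Riley in the thread.
FIX_RELEASE_DATE = date(2018, 8, 24)

# Constructed pattern for the hashed installer names quoted in the thread.
HASHED_RE = re.compile(
    r"^(?P<date>\d{8})_(?P<site>.+?)_(?P<hash>[0-9a-f]{16,})_installer\.php$"
)


@dataclass
class Finding:
    path: str
    built: Optional[date]   # build date parsed from the filename, if any
    mtime: Optional[date]   # filesystem mtime, for a manual cross-check
    verdict: str            # "remove", "ok", or "review"


def classify(path: str, mtime: Optional[date] = None) -> Optional[Finding]:
    """Return a Finding for a Duplicator installer file, or None for other files."""
    name = Path(path).name
    if name == "installer.php":
        # A non-hashed installer is only laid down at install time (Cory's reply)
        # and should never remain on the server, whatever its age.
        return Finding(path, None, mtime, "remove")
    m = HASHED_RE.match(name)
    if not m:
        return None
    try:
        built = datetime.strptime(m.group("date"), "%Y%m%d").date()
    except ValueError:
        # Name matches the shape but the date field is nonsense: look at it by hand.
        return Finding(path, None, mtime, "review")
    verdict = "remove" if built < FIX_RELEASE_DATE else "ok"
    return Finding(path, built, mtime, verdict)


def scan(root: str) -> list[Finding]:
    """Walk a directory tree and classify every *installer.php found."""
    base = Path(root)
    findings = []
    for p in sorted(base.rglob("*installer.php")):
        mtime = datetime.fromtimestamp(p.stat().st_mtime).date()
        f = classify(str(p.relative_to(base)), mtime)
        if f is not None:
            findings.append(f)
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed snapshot folder and return (path, verdict) pairs."""
    root = Path(tempfile.mkdtemp(prefix="dup-demo-"))
    (root / "wp-snapshots").mkdir()
    # Two names from the thread plus one constructed post-fix name and a stray
    # non-hashed installer in the web root.
    for rel in (
        "wp-snapshots/20151207_alisonsaracena_687380ad026a98789219180425060847_installer.php",
        "wp-snapshots/20170705_icsia_7eecd6f82bdc24e83262180512093850_installer.php",
        "wp-snapshots/20190102_example_0123456789abcdef0123456789abcdef_installer.php",
        "installer.php",
        "wp-snapshots/notes.txt",
    ):
        (root / rel).write_text("<?php // constructed placeholder\n")
    return [(f.path, f.verdict) for f in scan(str(root))]


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:7} {path}")
```

Run it against the site root (`scan("/path/to/site")`) and review the `remove` list before deleting anything; the `ok` entries are installers built on or after the 1.2.42 release date and, per Bob's reply, should not be flagged.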

    Thanks Bob – having a date helps a lot. I’ll delete anything earlier.

    Again – your willingness to investigate this issue and find the cause is impressive. Great support!

    Alison

    Plugin Author Cory Lamle

    (@corylamleorg)

    Thanks Alison for helping to provide the detail and work through the issue.

    Cheers~
