Support » Plugin: malCure WP Malware Scanner & Firewall » Malware detected

  • Resolved Roberto Jobet

    (@robertojobet)


    Hi,

    During a scan, Malcure says that malware has been detected in one of my WP sites.

    Malcure says that the malware has been detected in an index.html file in the wp-content/cache folder created by a cache plugin (WP Fastest Cache).

    I analyzed this file thoroughly, both manually and even using the virustotal.com website, but there is no malware whatsoever in this file…

    Is this a false positive?

    Best regards

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author malcure

    (@malcure)

    Happy to help. What kind of severity level does it say? Severe, suspicious etc?

    Roberto Jobet

    (@robertojobet)

    Severe

    Plugin Author malcure

    (@malcure)

    I’ll be more than happy to take a look if you can reach us via our website. I’ll also need to access your website to troubleshoot this.

    Roberto Jobet

    (@robertojobet)

    I made this scan today because I received the following notification from the WAF firewall I’m using:

    27/Mar/20 23:12:49 #4066228 CRITICAL 114 5.188.95.56 GET /index.php – Cross-site scripting – [SERVER:REQUEST_URI = /resources/tutorial/recover-admin-password/%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,%27%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%27,table_name%20FROM%20inform…] – http://www.example.com

    What made me freak out was that Malcure detected malware on the very same URL “…/wp-content/cache/all/resources/tutorial/recover-admin-password/index.html” that was targeted by the cross-site scripting attack…

    I made a thorough analysis (WP backend, files and DB) of the website, but everything seems fine…

    Plugin Author malcure

    (@malcure)

    This seems like an SQL injection attack request. Caching plugins cache / save requests which are picked up by malware plugins as malware. Once you clear the cache (or if the cache expires) then all is well.
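
Added example, not part of the thread and not malCure's or the cache plugin's code: a Python check that ties the flagged cache file to the WAF-logged request and looks for the request's own payload string in the cached HTML. `SAMPLE_HTML` is a constructed stand-in for the cached file, and the function names are hypothetical.

```python
import html
import re
from pathlib import PurePosixPath
from urllib.parse import quote, unquote

# WAF line as quoted in the thread (the "…" truncation is in the original).
WAF_LINE = ("27/Mar/20 23:12:49 #4066228 CRITICAL 114 5.188.95.56 GET /index.php – "
            "Cross-site scripting – [SERVER:REQUEST_URI = /resources/tutorial/"
            "recover-admin-password/%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,"
            "%27%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%27,table_name%20FROM"
            "%20inform…] – http://www.example.com")
# Flagged file and cache root, taken from the path quoted in the thread.
FLAGGED = "wp-content/cache/all/resources/tutorial/recover-admin-password/index.html"
CACHE_ROOT = "wp-content/cache/all"
# Constructed stand-in for the cached file: a page that echoes the request URL.
SAMPLE_HTML = ('<html><head><link rel="canonical" href="http://www.example.com/'
               'resources/tutorial/recover-admin-password/%20AND%201=1%20UNION%20ALL'
               '%20SELECT%201,NULL,%27%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E'
               '%27"></head><body>Recover admin password</body></html>')

def split_request(waf_line):
    """Return (clean permalink path, decoded injected tail) from the WAF line."""
    m = re.search(r"REQUEST_URI = (\S+?)\]", waf_line)
    if not m:
        raise ValueError("no REQUEST_URI field in log line")
    segments = unquote(m.group(1)).strip("/").split("/")
    clean = []
    for seg in segments:
        # A normal permalink segment holds only unreserved URL characters.
        if not re.fullmatch(r"[A-Za-z0-9._~-]+", seg):
            break
        clean.append(seg)
    tail = "/".join(segments[len(clean):]).strip()
    return "/" + "/".join(clean), tail

def triage(waf_line, flagged_path, cached_html):
    """Report whether the flagged cache file is the page the logged request
    hit, and whether it holds that request's payload in any common encoding."""
    clean, tail = split_request(waf_line)
    rel_dir = PurePosixPath(flagged_path).relative_to(CACHE_ROOT).parent
    # String literals inside the injected tail are the most distinctive tokens.
    tokens = re.findall(r"'([^']+)'", tail)
    reflected = [t for t in tokens
                 if any(form in cached_html
                        for form in (t, html.escape(t), quote(t)))]
    return {"same_page": "/" + str(rel_dir) == clean,
            "payload_tokens": tokens, "reflected": reflected}
```

When `same_page` is true and `reflected` is non-empty, the scanner hit is explained by request text stored in the cache file; clearing the cache and rescanning, as the reply above describes, is the confirming step.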

    Plugin Author malcure

    (@malcure)

    Closing. No response.
