Support » Plugin: WP Super Cache » Malware found

  • Just had a site taken down by bluehost because they found malware in Super Cache – I removed the plugin and the cache file and the site came back clean. Are you aware of a vulnerability in the plugin – I see there is an updated but it does not mention a vulnerability.

    Malware.txt file
    wp-content/cache/supercache/www.sitename.com/index-mobile.html: SL-PHP-HACKEDBY-nke.UNOFFICIAL FOUND
    /home3/xxxxxx/public_html/wp-content/cache/supercache/www.sitename.com/index-https.html: SL-PHP-HACKEDBY-nke.UNOFFICIAL FOUND
    /home3/xxxxxx/public_html/wp-content/cache/supercache/www.sitename.com/online-store/index-https-mobile.html: SL-PHP-HACKEDBY-nqx.UNOFFICIAL FOUND
    /home3/xxxxxx/public_html/wp-content/cache/supercache/www.sitename.com/product-category/uncategorized/index-https-mobile.html: SL-PHP-HACKEDBY-nqx.UNOFFICIAL FOUND

    ———– SCAN SUMMARY ———–
    Known viruses: 2064321
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 2707
    Scanned files: 21461
    Infected files: 4
    Data scanned: 556.70 MB
    Data read: 1453.09 MB (ratio 0.38:1)
    Time: 308.014 sec (5 m 8 s)

    ———– SCAN SUMMARY ———–
    Known viruses: 2064321
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 0
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 6.436 sec (0 m 6 s)

    ———– SCAN SUMMARY ———–
    Known viruses: 2064321
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 0
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 6.411 sec (0 m 6 s)

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Donncha Ó Caoimh

    (@donncha)

    There’s malware on your site but it’s not in WP Super Cache. The plugin simply cached pages on your website containing the malware Javascript/HTML.

    I can’t recommend any particular way to get rid of it but search Google for “WordPress malware” returns a number of plugins and sites that will help.

    @tvoltz since infected files you listed were part of cache, that means you may still have malicious PHP files on your website.

    When hackers gain access they upload malicious PHP files and infect good files. Files you mentioned are HTML and are cached. This usually is a symptom, not the problem itself. Hacker inserted malicious spam content on your site, WP Super Cache saved it as cache HTML file and that’s what BlueHost flagged.

    So you may still have backdoors on your website, which means it might come back or still there. BlueHost’s antivirus engine ClamAV isn’t 100% accurate, it will miss malicious files or flag good files as malicious.

    We’ve worked with BlueHost customers before. If they detect malware again, they will suspend you again. So keep an eye on your website.

    If you can provide a list of active plugins on your site, we may be able to help identify which plugin was exploited. There has been a lot of vulnerabilities disclosed in the last 3 months publicly for many popular plugins. So lots of websites hacked, unfortunately.

    @donncha Thanks for your reply – the site was restored – all plugins and themes installed are updated and reputable – still not sure how the hack occurred. I saw in another post that the plugin was leaving stray .php – Security plugins (Wordfence and Shield) have found unrecognizable files in my sites – “wp-admin/.php” – I am guessing this is from the super cache plugin and that the recent update fixed that problem.

    https://wordpress.org/support/topic/wp-super-cache-created-a-stray-php/

    Thanks @supporthero for your feedback – those were the only files Bluehost found in their scans. Plugins were all updated and reputable – none that have been recently compromised.

    • This reply was modified 5 months, 2 weeks ago by  TVoltz. Reason: forget to fully reply
Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.