Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » new clean 4.5.3 version from Plesk showing errors??

  • Resolved rfollett

    (@rfollett)



    I installed 4.5.3 via my Plesk dashboard and installed Sucuri and this is what I see… does this mean that the version supplied via Plesk is infected?

    please see screen capture

    http://prntscr.com/bq9y8u

    added ~87.15K July 8, 2016 8:04 am wp-admin/includes/upgrade.php.orig
    added ~617.00B July 8, 2016 8:04 am wp-admin/plugin-uploader.php
    added ~609.00B July 8, 2016 8:04 am wp-admin/theme-uploader.php
    added ~242.71K July 8, 2016 8:04 am wp-admin/uploader/pclzip.lib.php
    added ~1.50K July 8, 2016 8:04 am wp-admin/uploader/upload.php
    added ~158.44K July 8, 2016 8:04 am wp-includes/functions.php.orig
    modified ~87.16K July 8, 2016 8:04 am wp-admin/includes/upgrade.php
    modified ~158.44K July 8, 2016 8:04 am wp-includes/functions.php

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author yorman

    (@yorman)

    These two files [1][2] are harmless; they are usually created when one reverts a change in a Mercurial repository, so it is safe to select those two files and delete them.

    Now, about these files [3][4][5][6]: they look suspicious to me. I just downloaded WordPress 4.5.3 from the official website and none of those files are part of the release. I have also seen files with the same names on infected websites during regular malware scans, so if I were you I would delete them too, unless you can confirm that the files are harmless. I would like to have a copy of those files if you don’t mind; you can send them to support@sucuri.net and reference this ticket, that would be helpful for us.

    Regarding the last two files marked as “modified” [7][8], the modification might be related to the suspicious files mentioned above, but since your hosting seems to have a Mercurial repository (because of the two files in the first paragraph) I am inclined to believe that they (for some unknown reason) decided to modify those files to include/remove some features.

    If I were you I would (without hesitation) delete the first five files, then select the other two files and restore their content using the dropdown below the table. The link you provided in your second comment is what I was thinking about the uploader files; it is a good idea to ask your hosting for an explanation of why they are providing (infected?) modified WordPress installers.

    [1] wp-admin/includes/upgrade.php.orig
    [2] wp-includes/functions.php.orig
    [3] wp-admin/plugin-uploader.php
    [4] wp-admin/theme-uploader.php
    [5] wp-admin/uploader/pclzip.lib.php
    [6] wp-admin/uploader/upload.php
    [7] wp-admin/includes/upgrade.php
    [8] wp-includes/functions.php

    Copies of the files in .txt format can be seen here

    https://www.dropbox.com/sh/6ag9zvyas3de1o2/AABeCJ7BzDKfxc2X3x3JrHDea?dl=0

    Plugin Author yorman

    (@yorman)

    Thanks for the copy of the suspicious files. I checked them and found that the files marked as “modified” have the same code as the original version provided by WordPress but were saved with CRLF, probably using a Windows code editor, so instead of \n the lines ended with \r\n, causing a difference in the checksum when the plugin compared the files.

    wp-includes/functions.php
    Original: PHP script, UTF-8 Unicode text
    Modified: PHP script, Non-ISO extended-ASCII text, with CRLF line terminators

    wp-admin/includes/upgrade.php
    Original: PHP script, ASCII text
    Modified: PHP script, ASCII text, with CRLF line terminators

    The files “plugin-uploader.php” and “theme-uploader.php” located in the “wp-admin” directory are backdoors used to upload custom (malicious?) plugins and themes to your website. The files “upload.php” and “pclzip.lib.php” located in the “wp-admin/uploader/” directory are dependencies to the backdoors used to handle the upload of the files to the server.

    The link you posted above has more details about the infection.
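The two replies above describe three different kinds of scanner hit: files that are not in the official release at all (the uploader backdoors), editor/VCS leftovers (`.orig` files), and core files whose only difference from the release is CRLF line endings. The script below is an added example, not code from the Sucuri plugin, Plesk or WordPress.org, that tells those cases apart by hashing each file as-is and again after normalizing line endings, against a manifest of release checksums. The sample manifest, file contents and paths in `build_sample()` are constructed for this demo so it runs offline; `fetch_official_manifest()` uses the WordPress.org core checksums endpoint as the author of this example knows it, and is not exercised here.

```python
"""
Added example (not from the Sucuri plugin, Plesk or WordPress.org):
classify core-integrity hits as ok / line-endings-only / modified /
vcs-backup / unknown / missing. Sample data in build_sample() is constructed.
"""
import hashlib
import json
import urllib.request

# Site-specific files and wp-content/ are not part of a release manifest,
# so they must not be reported as "unknown".
IGNORED_FILES = {"wp-config.php", ".htaccess"}
IGNORED_PREFIXES = ("wp-content/",)


def md5_hex(data: bytes) -> str:
    # WordPress.org publishes MD5s for core files; that is an integrity
    # manifest fetched over TLS, not a security hash, so MD5 is acceptable here.
    return hashlib.md5(data).hexdigest()


def normalize_line_endings(data: bytes) -> bytes:
    """CRLF and lone CR -> LF, so a file re-saved by a Windows editor hashes like the release."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def is_ignored(path: str) -> bool:
    return path in IGNORED_FILES or path.startswith(IGNORED_PREFIXES)


def classify_file(path: str, data: bytes, manifest: dict) -> str:
    """Return one of: ok, line-endings-only, modified, vcs-backup, unknown."""
    expected = manifest.get(path)
    if expected is None:
        # Leftovers such as upgrade.php.orig are in no release manifest; they are
        # usually harmless (VCS revert artifacts) but should still be removed.
        if path.endswith((".orig", ".rej", ".bak", "~")):
            return "vcs-backup"
        return "unknown"
    if md5_hex(data) == expected:
        return "ok"
    # Release files use LF line endings. If the only change is CRLF conversion,
    # the normalized bytes hash to the published checksum.
    if md5_hex(normalize_line_endings(data)) == expected:
        return "line-endings-only"
    return "modified"


def classify_install(manifest: dict, installed: dict) -> dict:
    """
    manifest:  path -> MD5 hex of the official release file
    installed: path -> bytes found on the server
    Returns path -> verdict, plus 'missing' for release files that are absent.
    """
    findings = {}
    for path, data in installed.items():
        if is_ignored(path):
            continue
        findings[path] = classify_file(path, data, manifest)
    for path in manifest:
        if path not in installed:
            findings[path] = "missing"
    return findings


def fetch_official_manifest(version: str, locale: str = "en_US") -> dict:
    """Fetch published core checksums from WordPress.org (endpoint shape as known
    to the author of this example; verify before relying on it). Not run offline."""
    url = ("https://api.wordpress.org/core/checksums/1.0/"
           f"?version={version}&locale={locale}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["checksums"]


def build_sample():
    """Constructed release contents and server contents mirroring the thread."""
    release = {
        "wp-includes/functions.php": b"<?php\nfunction wp_example() {\n\treturn 1;\n}\n",
        "wp-admin/includes/upgrade.php": b"<?php\nfunction wp_install() {\n}\n",
        "wp-settings.php": b"<?php\nrequire 'wp-includes/functions.php';\n",
        "wp-login.php": b"<?php\n// login\n",
        "wp-load.php": b"<?php\n// load\n",
    }
    manifest = {p: md5_hex(c) for p, c in release.items()}
    crlf = lambda b: b.replace(b"\n", b"\r\n")  # Windows-editor re-save
    installed = {
        "wp-includes/functions.php": crlf(release["wp-includes/functions.php"]),
        "wp-admin/includes/upgrade.php": crlf(release["wp-admin/includes/upgrade.php"]),
        # genuinely altered: a line appended to the release file (constructed)
        "wp-settings.php": release["wp-settings.php"] + b"// appended line\n",
        "wp-login.php": release["wp-login.php"],
        # wp-load.php deliberately absent -> 'missing'
        "wp-includes/functions.php.orig": release["wp-includes/functions.php"],
        "wp-admin/plugin-uploader.php": b"<?php\n// not part of any release\n",
        "wp-admin/uploader/upload.php": b"<?php\n// not part of any release\n",
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'x');\n",
        "wp-content/uploads/2016/07/photo.jpg": b"\xff\xd8\xff",
    }
    return manifest, installed


if __name__ == "__main__":
    manifest, installed = build_sample()
    for path, verdict in sorted(classify_install(manifest, installed).items()):
        print(f"{verdict:18} {path}")
```

A "line-endings-only" verdict is the only one that can be closed without looking further; "modified" still needs a real diff against the release file, and "unknown" files under wp-admin/ or wp-includes/ should be treated as hostile until proven otherwise, as the plugin author does above. Run the manifest fetch from a machine you trust, not from the possibly compromised host.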

    OK, thank you. So I installed WP as a standard application install via my Plesk dashboard, which means, from what you say, that the core code on their download server is infected?? Which means anyone else doing the same will also get the same files…

  • The topic ‘new clean 4.5.3 version from Plesk showing errors??’ is closed to new replies.