Title: Phishing alert
Last modified: August 21, 2016

---

# Phishing alert

 *  Resolved [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/phishing-alert/)
 * I received a phishing alert for my site and it was traced to the iWP-Client folder.
   The hackscan noted
 * `a2.brazilbank.phish`
 * in /wp-content/plugins/iwp-client/core.class.php
 * I’ve replaced the hacked files with new copies of the plugin files. Have you 
   experienced anything like this before?
 * [http://wordpress.org/plugins/iwp-client/](http://wordpress.org/plugins/iwp-client/)

Viewing 15 replies - 1 through 15 (of 18 total)

1 [2](https://wordpress.org/support/topic/phishing-alert/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/phishing-alert/page/2/?output_format=md)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252000)
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252001)
 * Damn – I just ran a virus scan on my cpanel and this is what I got:
 *     ```
       public_html/wp-content/plugins/iwp-client.zip	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/domain.com/wp-content/plugins/iwp-client.zip	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/domain.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       ```
   
 * The .zip is what I just downloaded from WordPress.org! I’m deleting the plugin
   until we get to the bottom of this.
 *  Thread Starter [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252007)
 * Thanks for those links, I will go through them immediately.
 *  [akedv](https://wordpress.org/support/users/ak71/)
 * (@ak71)
 * [12 years, 7 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252178)
 * where did you download the iwp-client.zip?
 *  Thread Starter [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 7 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252179)
 * Here.
 *  Plugin Author [infinitewp](https://wordpress.org/support/users/infinitewp/)
 * (@infinitewp)
 * [12 years, 6 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252226)
 * As esmi pointed out if your site is fully compromised the virus will recreate
   itself on different folders. So kindly do a full clean and let us know.
 * The code in the repository is definitely virus free. We do our side of investigation
   and WordPress.org also constantly scan all popular plugins for virus / malicious
   activity.
 * Let me know if you have any doubt.
 *  [DiverGreg](https://wordpress.org/support/users/divergreg/)
 * (@divergreg)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252268)
 * Hello infinitewp
 * Anything we should be worried about?
    I also ran a Virus Scanner powered by ClamAV
   on Cpanel and all my wp sites with infitewp got flagged with this a2.brazilbank.
   phish
 *     ```
       public_html/XXXXX1.fr/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/XXXXX2.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/XXXXX3.com/wp-content/plugins/iwp-client/core.class.php	{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       public_html/XXXXX4.com/data/plugins/iwp-client/core.class.php		{HEX}a2.brazilbank.phish.1.UNOFFICIAL
       ```
   
 * I did remove the plugin and re-ran a virus scan and did not find any issues. 
   I than Re-installed infinitwp re-scan and got the a2.brazilbank.phish again.
 *  [Marcelo Pedra](https://wordpress.org/support/users/kent-brockman/)
 * (@kent-brockman)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252270)
 * Hello guys, I have WP 3.8.1 with cPanel and ClamAV and I tried to reproduce the
   issue scanning several sites but I’m not getting this phishing issue.
 * [@divergreg](https://wordpress.org/support/users/divergreg/):
    [@echoleaf](https://wordpress.org/support/users/echoleaf/):
   Are you both using shared hosting? Maybe the entire server is compromised, or
   maybe you both are using casually the same vulnerable plugin/theme which lead
   to an intrusion. Are you using the last versions of WP and InfiniteWP?
 *  Thread Starter [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252271)
 * I’m on a different host now, I assume the old host had been compromised.
 *  [DiverGreg](https://wordpress.org/support/users/divergreg/)
 * (@divergreg)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252272)
 * Hello Marcelo, I have multiple WP sites on several servers, dedicated and shared,
   including wpengine, and only got this issue with this one (shared) hosting company.
   
   I am trying to follow up with Tech support to figure out why ClamAV is giving
   us this false positive and I also got a similar issue with a managewp plugin 
   on that same server. So I am not worried and will keep managing my 40+ sites 
   with infinitewp 🙂
 *  Thread Starter [echoleaf](https://wordpress.org/support/users/echoleaf/)
 * (@echoleaf)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252273)
 * I am using InfiniteWP on my new host, sorry for not mentioning it before. This
   is definitely not an issue specific to InfiniteWP.
 *  [Marcelo Pedra](https://wordpress.org/support/users/kent-brockman/)
 * (@kent-brockman)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252274)
 * Maybe the shared hosting is compromised, or the ClamAV is outdated, thus detecting
   a false positive….
 *  [DiverGreg](https://wordpress.org/support/users/divergreg/)
 * (@divergreg)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252275)
 * Just following up my last message, Tech support did not provide an acceptable
   answer:
 * > “This false positive can happen from time to time if the system believes the
   > code inside has been hacked (especially with anything involving EVAL code).
   > 
   > As long as nothing if being effected on your site, then you should be good 
   > to go.”
 *  [Marcelo Pedra](https://wordpress.org/support/users/kent-brockman/)
 * (@kent-brockman)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252276)
 * [@divergreg](https://wordpress.org/support/users/divergreg/): I know it looks
   like a cheap answer. BUT, all in all, majority of online security software will
   simply alert you when they detect an eval with a base64_decode command, because-
   except for very specific cases- they can’t decode and follow links or commands
   to see if it is dangerous. That’s why those are ending in the mere alert. WordFence
   firewall and scan plugin also has this behaviour. It’s up to you to further investigate
   and detect weird files and/or behaviours.
 * You should decompress in your PC the plugin zip pack downloaded from WP repo 
   and FTP it to your “compromised” site. See if right after upload the files size
   has been increased compared to your offline versions (this due to code injection
   by a malware). If not, wait a couple minutes and compare again. If not, wait 
   a couple hours and compare again. If not, and if after 24 hours the files remain
   untouched, you could then have peace of mind…
 *  [DiverGreg](https://wordpress.org/support/users/divergreg/)
 * (@divergreg)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/#post-4252277)
 * Hello Marcelo, thank you for clarifying a little all this.
    I just tried uploading
   that one file and now that server is changing the file permission to 000 and 
   will not let me upload or change this file or the entire zip file directly from
   wordpress.org
 * But the question I had was why did a Cpanel with ClamAV on different servers 
   did not return the same thing… short of being different versions.

Viewing 15 replies - 1 through 15 (of 18 total)

1 [2](https://wordpress.org/support/topic/phishing-alert/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/phishing-alert/page/2/?output_format=md)

The topic ‘Phishing alert’ is closed to new replies.

 * ![](https://ps.w.org/iwp-client/assets/icon-256x256.png?rev=1132008)
 * [InfiniteWP Client](https://wordpress.org/plugins/iwp-client/)
 * [Support Threads](https://wordpress.org/support/plugin/iwp-client/)
 * [Active Topics](https://wordpress.org/support/plugin/iwp-client/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/iwp-client/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/iwp-client/reviews/)

## Tags

 * [phishing](https://wordpress.org/support/topic-tag/phishing/)

 * 18 replies
 * 6 participants
 * Last reply from: [Marcelo Pedra](https://wordpress.org/support/users/kent-brockman/)
 * Last activity: [12 years, 3 months ago](https://wordpress.org/support/topic/phishing-alert/page/2/#post-4252280)
 * Status: resolved