• I’ve been having issues on an irregular basis over the last few months with my site loading slowly and timing out, followed by WordPress being quarantined. I have been contacting my hosts HostingUK regarding this, but they only seem to provide a very short-term solution. This morning the site has gone completely AWOL! I have disabled all the nonessential plugins this morning but that didn’t work. I reloaded the WordPress core and that hasn’t resolved it. I really need some help here!
    Regards
    John


Viewing 11 replies - 1 through 11 (of 11 total)
  • @nudgephelps Sorry to hear about your woes with files being quarantined. It’s possible a plugin or another service had a bug that was exploited. The most important thing to do at this point is to identify and try to remove the files that were added and are being quarantined and then try to identify what may have caused the vulnerability.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter nudgephelps

    (@nudgephelps)

    Thank you! I will certainly check the guide out; however, the site is working normally at the moment 🙂 Typical! I will let you know how I get on. Thanks again.

    Thread Starter nudgephelps

    (@nudgephelps)

    WordPress Toolkit threw this up this morning:

    WordPress Toolkit has found WordPress files at the following path:

    Path
    /var/www/vhosts/johnnysbackyard.co.uk/httpdocs_bak
    However, it does not seem that this WordPress website is working. Try restoring the website from a backup or cleaning up the redundant files.

    Thread Starter nudgephelps

    (@nudgephelps)

    I restored to a backup and I got this message:
    WARNING: (Restore domain object 'johnnysbackyard.co.uk') Failed to restore the extension wp-toolkit: Failed to reset cache for the instance #283: WordPress Toolkit was not able to finish running an operation on this site in 60 seconds, so the operation was terminated. This could mean that your WordPress installation might be infected with malware. Check the wp-config.php file of the installation for potential malware code or run an anti-virus scan. If you cannot find any traces of malware, try running the operation again later.

    I would really like someone to take a look at my site and try and rectify the problem; the issue is beyond me 🙁

    • This reply was modified 1 year, 8 months ago by nudgephelps.
    Thread Starter nudgephelps

    (@nudgephelps)

    I ran an internal scan with the Quttera Web Malware Scanner plugin for WordPress.
    This is the report.

    =======================================================================
    Quttera Web Malware Scanner plugin for WordPress
    Website Malware Scan Report
    
    Scanned Website: https://johnnysbackyard.co.uk
    Scan type: Internal
    Report generation time: 2022-08-13 13:18
    
    Scan launch time: 2022-08-13 12:38
    Scanned files: 22163
    Clean: 22161
    Potentially Suspicious: 0
    Suspicious: 2
    Malicious: 0
    
    © 2021 Quttera Ltd. All rights reserved.
    For any questions about this report: support@quttera.com
    =======================================================================
    
    FILE: wp-content/languages/themes/twentytwentytwo-en_GB.po
    FILE_MD5: 7cdc7d54c4ec7a6d0619503e449d686d
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 7cdc7d54c4ec7a6d0619503e449d686d
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file
    
    FILE: wp-content/languages/themes/twentytwentytwo-en_GB.mo
    FILE_MD5: 563f64c8b8f58d86848a8ce8ff05a92c
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 563f64c8b8f58d86848a8ce8ff05a92c
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file

    Hello @nudgephelps

    Did you run the internal scan in high sensitivity mode? If not, please do so.

    Also, please check whether wp-config.php contains any long encrypted string (which could be the infection itself).

    Another step: disable plugins, as one of them could be infected. Go over the plugins directory and verify that you recognize all plugins located there.

    In case one of the plugins is infected, this should help.

    Next step: please switch to any default theme; if this helps the site load faster, then the infection is located in the theme sources.
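The two checks suggested above (a long encoded string in wp-config.php, and plugin directories the owner does not recognize) can be automated. The script below is an added example and is not Quttera's code nor anything from the thread; the sample wp-config.php and the plugin lists are constructed for the demo, and the 'QUFB…' blob on line 6 is a harmless stand-in for an injected loader, not real malware.

```python
import re
from pathlib import Path

# Calls that never appear in a stock wp-config.php; one of these next to a
# long encoded string is the classic shape of an injected loader.
DECODER_CALLS = ("eval(", "base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(")


def find_long_encoded_strings(text, min_len=80):
    """Return (line_no, kind, length) for every run of base64 or \\xNN-hex
    characters at least min_len long. A stock wp-config.php holds only short
    values (the salts are 64 characters and contain punctuation), so anything
    longer deserves a look."""
    base64_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hex_re = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){%d,}" % max(min_len // 4, 1))
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in base64_re.finditer(line):
            hits.append((n, "base64", len(m.group())))
        for m in hex_re.finditer(line):
            hits.append((n, "hex-escape", len(m.group())))
    return hits


def find_decoder_calls(text):
    """Return (line_no, call) for each decoder/eval call, matched case-insensitively."""
    found = []
    for n, line in enumerate(text.splitlines(), start=1):
        low = line.lower()
        for call in DECODER_CALLS:
            if call in low:
                found.append((n, call))
    return found


def unexpected_plugins(present, expected):
    """Directory names under wp-content/plugins that are not on the owner's list."""
    return sorted(set(present) - set(expected))


def plugin_dir_names(plugins_path):
    """Read a real wp-content/plugins directory (not used by the built-in demo)."""
    return [p.name for p in Path(plugins_path).iterdir() if p.is_dir()]


# Constructed sample wp-config.php; line 6 is a synthetic stand-in for an
# injected loader (a harmless 'AAA...' blob), not real malware.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define( 'DB_NAME', 'wp_example' );\n"
    "define( 'DB_USER', 'wp_user' );\n"
    "define( 'AUTH_KEY', 'put your unique phrase here' );\n"
    "/* constructed suspicious line for the demo: */\n"
    "$p = base64_decode('" + "QUFB" * 30 + "'); eval($p);\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)

# Constructed plugin lists: the owner knows the first three; the fourth name is
# made up for the demo and stands for a directory nobody remembers installing.
SAMPLE_PRESENT = ["akismet", "woocommerce", "wp-stats-manager", "wp-cache-helper"]
SAMPLE_EXPECTED = ["akismet", "woocommerce", "wp-stats-manager"]


if __name__ == "__main__":
    for line_no, kind, length in find_long_encoded_strings(SAMPLE_WP_CONFIG):
        print(f"wp-config.php line {line_no}: {length}-char {kind} run")
    for line_no, call in find_decoder_calls(SAMPLE_WP_CONFIG):
        print(f"wp-config.php line {line_no}: {call} call")
    for name in unexpected_plugins(SAMPLE_PRESENT, SAMPLE_EXPECTED):
        print(f"plugins/: unrecognised directory {name}")
```

On a real site, feed the contents of wp-config.php to the first two functions and `plugin_dir_names("wp-content/plugins")` to `unexpected_plugins` together with the list of plugins you actually installed; any hit is a file to inspect by hand, not proof of infection by itself.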

    Thread Starter nudgephelps

    (@nudgephelps)

    OK, thanks for this. I ran the internal scan again in high sensitivity mode; here’s what it found:

    =======================================================================
    Quttera Web Malware Scanner plugin for WordPress
    Website Malware Scan Report
    
    Scanned Website: https://johnnysbackyard.co.uk
    Scan type: Internal
    Report generation time: 2022-08-14 11:35
    
    Scan launch time: 2022-08-14 10:21
    Scanned files: 22164
    Clean: 22154
    Potentially Suspicious: 4
    Suspicious: 4
    Malicious: 2
    
    © 2021 Quttera Ltd. All rights reserved.
    For any questions about this report: support@quttera.com
    =======================================================================
    
    FILE: phpinfo.php
    FILE_MD5: 53628903e3c9cf1593d4ef97067fba40
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 53628903e3c9cf1593d4ef97067fba40
    THREAT_NAME: Heur.PHP.Dropper.gen
    THREAT: <?php phpinfo(); ?>...
    DETAILS: Generic PHP information dropper
    
    FILE: wp-content/languages/themes/twentytwentytwo-en_GB.po
    FILE_MD5: 7cdc7d54c4ec7a6d0619503e449d686d
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 7cdc7d54c4ec7a6d0619503e449d686d
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file
    
    FILE: wp-content/languages/themes/twentytwentytwo-en_GB.mo
    FILE_MD5: 563f64c8b8f58d86848a8ce8ff05a92c
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 563f64c8b8f58d86848a8ce8ff05a92c
    THREAT_NAME: Heur.CoreFile.gen
    THREAT: Modified core file...
    DETAILS: Detected modified core file
    
    FILE: wp-content/plugins/woocommerce-payments/readme.txt
    FILE_MD5: 6ac5aadd162a87a663fba6d5c63db48e
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/woocommerce-payments/changelog.txt
    FILE_MD5: f93887562e6ac324f90fbbdab90325b3
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/wp-stats-manager/includes/wsm_cron.php
    FILE_MD5: 9f586af83113716e072e2e7fdb7168b6
    SEVERITY: enSuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: c820ee601de1cf2c2258b8494baaf844
    THREAT_NAME: Heur.PHP.Redirect.gen
    THREAT: <?php /* if ( ! defined( 'ABSPATH' ) ) exit; class wsmCr...
    DETAILS: suspicious PHP redirection
    
    FILE: wp-content/plugins/woocommerce-services/images/payment-logos/brazil-tef.svg
    FILE_MD5: 9da2ceca8668b7155bfae1e66219657e
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 39e187127514ba3d80daaf528521932e
    THREAT_NAME: Heur.JS.Encoded.gen
    THREAT: 9.16.68.06.69.08.67.12.66.16.65.18.64.22.62.25.6.28.59.3.57....
    DETAILS: Malicious obfuscated JavaScript threat (JS Trojan Downloader)
    
    FILE: wp-content/plugins/woocommerce/client/legacy/css/twenty-twenty-two.scss
    FILE_MD5: 99dd499cf6c98b8829505cea502758a3
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
    THREAT_NAME: Heur.PHP.Encoded.gen.271C
    THREAT: \73\73\73\73\73...
    DETAILS: Potentially suspicious obfuscated PHP threat
    
    FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/changelog.txt
    FILE_MD5: 1be9d9b13d32b0bfa5257973321f4d17
    SEVERITY: enPotentiallySuspiciousThreatType
    ENGINE: fscanner
    THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
    THREAT_NAME: Heur.HTML.Defacement.gen.F4248
    THREAT: Fatal Error...
    DETAILS: Website Potentially Defaced
    
    FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/includes/upgrades/class-wc-subscriptions-upgrader.php
    FILE_MD5: f39835da3804dd9297b51d576cc7b09a
    SEVERITY: enMaliciousThreatType
    ENGINE: fscanner
    THREAT_SIG: b9dabf14014fb7becc2a63a6cb482a55
    THREAT_NAME: Heur.PHP.Cron.gen
    THREAT: delete_transient( 'doing_cron' );...
    DETAILS: Cron PHP scheduler
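Sorting a report like the one above by hand is error-prone, so here is a parser for the plugin's plain `KEY: VALUE` format. It is an added example, not Quttera's code and not from the poster; the embedded sample is the report header plus five records copied from the report above. It groups findings by severity, pulls out the PHP files (the ones worth sending for analysis, since only those execute on the server), and lists signatures that hit several files at once, which for text files like readme/changelog usually means one generic pattern firing on documentation and is worth reviewing as a possible false positive.

```python
import re

# Constructed sample: header plus five records copied from the scan report
# posted in this thread, in the plugin's plain KEY: VALUE format.
SAMPLE_REPORT = """\
=======================================================================
Quttera Web Malware Scanner plugin for WordPress
Website Malware Scan Report
Scanned files: 22164
Malicious: 2
=======================================================================

FILE: phpinfo.php
FILE_MD5: 53628903e3c9cf1593d4ef97067fba40
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 53628903e3c9cf1593d4ef97067fba40
THREAT_NAME: Heur.PHP.Dropper.gen
THREAT: <?php phpinfo(); ?>...
DETAILS: Generic PHP information dropper

FILE: wp-content/plugins/woocommerce-payments/readme.txt
FILE_MD5: 6ac5aadd162a87a663fba6d5c63db48e
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
THREAT_NAME: Heur.HTML.Defacement.gen.F4248
THREAT: Fatal Error...
DETAILS: Website Potentially Defaced

FILE: wp-content/plugins/wp-stats-manager/includes/wsm_cron.php
FILE_MD5: 9f586af83113716e072e2e7fdb7168b6
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: c820ee601de1cf2c2258b8494baaf844
THREAT_NAME: Heur.PHP.Redirect.gen
THREAT: <?php /* if ( ! defined( 'ABSPATH' ) ) exit; class wsmCr...
DETAILS: suspicious PHP redirection

FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/changelog.txt
FILE_MD5: 1be9d9b13d32b0bfa5257973321f4d17
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
THREAT_NAME: Heur.HTML.Defacement.gen.F4248
THREAT: Fatal Error...
DETAILS: Website Potentially Defaced

FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/includes/upgrades/class-wc-subscriptions-upgrader.php
FILE_MD5: f39835da3804dd9297b51d576cc7b09a
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: b9dabf14014fb7becc2a63a6cb482a55
THREAT_NAME: Heur.PHP.Cron.gen
THREAT: delete_transient( 'doing_cron' );...
DETAILS: Cron PHP scheduler
"""


def parse_quttera_report(text):
    """Split the report into one dict per FILE record (records follow the last '====' ruler)."""
    body = re.split(r"={20,}", text)[-1]
    records = []
    for chunk in re.split(r"\n\s*\n", body.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(": ")  # THREAT values may contain ': ' themselves
            if sep:
                rec[key] = value
        if "FILE" in rec:
            records.append(rec)
    return records


def severity(rec):
    """'enMaliciousThreatType' -> 'Malicious'."""
    return rec["SEVERITY"].removeprefix("en").removesuffix("ThreatType")


def by_severity(records):
    out = {}
    for r in records:
        out.setdefault(severity(r), []).append(r["FILE"])
    return out


def php_files(records):
    """Findings in files PHP would execute; these are the ones to zip up for analysis."""
    return [r["FILE"] for r in records if r["FILE"].lower().endswith((".php", ".phtml"))]


def shared_signatures(records):
    """Signature -> files, for signatures that fired on more than one file."""
    sigs = {}
    for r in records:
        sigs.setdefault(r["THREAT_SIG"], []).append(r["FILE"])
    return {s: f for s, f in sigs.items() if len(f) > 1}


if __name__ == "__main__":
    recs = parse_quttera_report(SAMPLE_REPORT)
    for sev, files in by_severity(recs).items():
        print(f"{sev}: {len(files)} file(s)")
    print("PHP files to review:", *php_files(recs), sep="\n  ")
    for sig, files in shared_signatures(recs).items():
        print(f"signature {sig} fired on {len(files)} files (check for a generic false positive)")
```

Replace `SAMPLE_REPORT` with the text the plugin produced to triage a full report; the severity buckets and the PHP-only list give you the order in which to look at files.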

    Thank you for the provided information.

    1 – Please remove phpinfo.php from the website, as it presents details of the installed PHP which could further be used for exploitation.

    2 – Please send us all detected PHP files in a zip archive to support|at|quttera.com; we will investigate them and provide more details on whether the files are infected or the heuristic scanner generated a false positive.

    3 – Please review all plugins, remove unused ones and update outdated ones. Also go over the wp-content/plugins directory and try to find and remove unused plugins.

    4 – Replace the currently used theme with any theme provided by WordPress; if the theme is infected, this change can help speed up the website.

    5 – At https://blog.quttera.com/post/website-malware-removal-guide-part-1-preparation/ you can find other tips which could help to identify and cure the infection.

    Thread Starter nudgephelps

    (@nudgephelps)

    Thank you!!
    zip file sent
    I have removed the file phpinfo.php and deactivated nonessential plugins but I’m a bit reluctant to change the theme as I don’t want that to screw any of the content up and leave me with a nightmare to untangle.
    Thank you again

    Thread Starter nudgephelps

    (@nudgephelps)

    I’m still having big issues! It seems that the site goes down around 5:30am to 7am each morning.

    I had these messages from Plesk85.hosingUK.net

    7:10 am 2. The following WordPress installations are quarantined:
    Website “Johnny’s Back Yard” (https://johnnysbackyard.co.uk/wordpress): WordPress Toolkit was not able to finish running an operation on this site in 60 seconds, so the operation was terminated. This could mean that your WordPress installation might be infected with malware. Check the wp-config.php file of the installation for potential malware code or run an anti-virus scan. If you cannot find any traces of malware, try running the operation again later.
    7:13 am 1. Website “/httpdocs_bak” (https://johnnysbackyard.co.uk/_bak): Failed to reset cache for the instance #432: Error: Error establishing a database connection.

    I have scanned for malware several times and refreshed site state

    Thread Starter nudgephelps

    (@nudgephelps)

    It seems that it was a few images that caused the problem. They were not showing up on the web page nor on the edit product page, so I deleted them from the edit page and went through all of the product pages, and checked all the images. Quite a few were missing and just showing the placeholder error image. Now all is good and the site has had no problems for about 10 days. All I can think is that the database got screwed up and didn’t know where to put these images. But time will tell if this was the definite solution.

  • The topic ‘Quarantined’ is closed to new replies.