• Resolved JPecsenyicki

    (@jpecsenyicki)


    Dear Sir or Madam,

    On three WordPress installations on the same host, SiteLock is showing 15 infected files (all SQL files, all backed up by Duplicator). However, a Wordfence scan shows nothing.

    Is this a false positive issue that’s been seen before? Is it real? Should these files be deleted, or can they be safely moved to another folder not accessible to the public?

    The reports are similar to the following:

    /FILEPATH/DOMAINNAME/wp-snapshots/BACKUPNAME_20200125_594c3737e6ad7d815244_20200125205922_database.sql: SiteLock-JS-REDIRECT-xh.UNOFFICIAL FOUND

    /FILEPATH/DOMAINNAME2/wp-snapshots/BACKUPNAME2_20200229_a6fd4237a5de59bb6213_20200229233625_database.sql: SiteLock-JS-REDIRECT-xe.UNOFFICIAL FOUND

    /FILEPATH/DOMAINNAME3/wp-snapshots/BACKUPNAME3_20200607_682a8dc016e0bb413575_20200607205653_database.sql: SiteLock-PHP-EVAL_REQUEST-avfq.UNOFFICIAL FOUND

    /FILEPATH/DOMAINNAME3/wp-snapshots/BACKUPNAME3_20200510_35a607a6f8f7d7713773_20200510210411_database.sql: SiteLock-PHP-EVAL_REQUEST-ea.UNOFFICIAL FOUND

    All three sites are using Duplicator 1.3.36 and WordPress 5.4.2.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @jpecsenyicki

    Thanks for the feedback! There are a few items in the FAQ that may provide a solution to this issue; this one may get you going.

        – A scanner says that a security issue/malware/threat was detected. Is this valid?
        – https://snapcreek.com/duplicator/docs/faqs-tech/#faq-trouble-070-q

    Let me know if this helps~

    Thread Starter JPecsenyicki

    (@jpecsenyicki)

    Hi @corylamleorg,

    The files in question were deleted from the server a couple days ago, though this isn’t a problem going forward because I download the backups whenever they’re made (so I still have the original, hopefully uninfected, backups).

    If I understand the information at the link correctly, if this happens again, we can submit a ticket to compare the original file to the supposedly infected file.

    (At this point, I tend to think it was a case of false positives, given that the reports were on 3 different sites at the same time and were undetected by Wordfence on all 3 sites. Virustotal.com shows nothing wrong with any of the sites themselves.)

    Hey @jpecsenyicki,

    Thanks for the update! It would be rare that those hashed files actually get hacked. If they could get access to them then your server is probably already compromised and those files wouldn’t really make a difference. In the event, however, you installed a plugin and that plugin was hacked with code that affected the database, then a scanner might pick that up as a flaggable offense, but typically the other malware scanners would pick that up…

    Hope that helps~

The topic ‘SiteLock reporting infected SQL Duplicator backup files’ is closed to new replies.
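
A local triage for the situation discussed in this thread, as an added example that is not part of the thread and is not Duplicator or SiteLock code: it checks whether a flagged dump on the server is still byte-identical to the copy downloaded at backup time, and reports which table each suspicious string sits in. The two regexes are illustrative assumptions, not SiteLock's signatures; the function names and sample rows are constructed.

```python
import hashlib
import re

# Illustrative patterns only (assumptions); the thread does not show SiteLock's actual signatures.
PATTERNS = {
    "php-eval-request": re.compile(r"eval\s*\(\s*\$_(?:REQUEST|POST|GET)"),
    "js-redirect": re.compile(r"(?:window|document)\.location(?:\.href)?\s*="),
}
INSERT_RE = re.compile(r"INSERT INTO\s+`?(\w+)`?", re.IGNORECASE)

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def unchanged_since_download(downloaded_copy, server_copy):
    """True if the server copy is byte-identical to the copy saved at backup time."""
    return sha256_file(downloaded_copy) == sha256_file(server_copy)

def triage_dump(lines):
    """Return (line_no, table, pattern_name, context) for each suspicious match."""
    hits, table = [], None
    for no, line in enumerate(lines, 1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)  # continuation lines of a multi-line INSERT keep this table
        for name, rx in PATTERNS.items():
            for hit in rx.finditer(line):
                start = max(hit.start() - 30, 0)
                hits.append((no, table, name, line[start:hit.end() + 30].strip()))
    return hits

# Constructed sample dump lines (not taken from the thread's backups).
SAMPLE_DUMP = [
    "INSERT INTO `wp_posts` VALUES (7,'Never call eval($_REQUEST[...]) in a plugin');",
    "INSERT INTO `wp_options` VALUES (91,'widget_text','<script>window.location.href=\"https://example.invalid/\"</script>');",
    "INSERT INTO `wp_users` VALUES (1,'admin');",
]

if __name__ == "__main__":
    for no, table, name, context in triage_dump(SAMPLE_DUMP):
        print(f"line {no} table {table}: {name}: {context}")
```

A hit inside post text that merely quotes code points toward a false positive, while a hit in an options or widget row is worth checking against the live database. A hash mismatch between the two copies means the file on the server changed after the backup was taken.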