Support » Plugin: iThemes Security (formerly Better WP Security) » Teaserguide virus in header.php not found

Viewing 4 replies - 1 through 4 (of 4 total)
  • Why didn’t iThemes Security find that virus?

    As of release 5.0.1 the iTSec plugin Malware Scanning feature performs a Sucuri SiteCheck scan. So your question should be “Why didn’t Sucuri SiteCheck find that virus?”. I guess that question can only be answered by Sucuri.
    Do note the iTSec plugin Malware Scanning feature includes the following info:

    Although the Sucuri team does its best to provide the best results, 100% accuracy is not realistic and is not guaranteed.

    It seems the Wordfence security plugin was also having difficulties detecting the Teaserguide infection. You may be interested in reading this topic in their forum (if you haven’t already done so).

    The iTSec plugin File Change Detection feature must have reported file changes related to the infection.

    It seems the Teaserguide infection makes several file changes which should normally be detected by the File Change Detection feature.
    Please check the iTSec plugin Logs page. Select “File Change History” from the “Select Filter:” dropdown listbox.

    Below is a short list of the Teaserguide infection file changes I gathered from various sources on the internet:

    Type: Changed File: Theme(s) header.php
    Type: Changed File: WP root .htaccess
    Type: Added File: openx-adm.php

    This list is most probably not complete. To make the list as complete as possible please report any additional suspicious files in this topic.

    It seems at this stage it is unknown how this infection is spreading.
    Found some reports that indicate setting the correct WP file/folder permissions helps protect against infection.

    dwinden

    Type: Changed File: wp-includes/nav-menu.php

    dwinden
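    The File Change Detection approach described in the two posts above (a baseline of file hashes compared against the current tree, with the differences reported as Changed or Added files such as header.php, .htaccess, nav-menu.php and openx-adm.php) can be illustrated with the following Python script. It is an added example written for this page, not code from the thread or from the iThemes Security plugin; the directory layout, file contents and the simulated modifications are constructed placeholders, not real infection artifacts.

```python
"""Baseline file-change detection for a WordPress tree (added example, not plugin code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences the way a file-change log does: Added / Changed / Removed."""
    return {
        "Added": sorted(set(current) - set(baseline)),
        "Changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "Removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a clean install is baselined, then changes mirroring the
    thread's list are applied and the tree is rescanned. All contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "wp-content/themes/twentyfifteen/header.php": "<?php wp_head(); ?>\n",
            ".htaccess": "RewriteEngine On\n",
            "wp-includes/nav-menu.php": "<?php // nav menu functions\n",
            "wp-login.php": "<?php // login\n",
        }
        for rel, body in clean.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        baseline = build_manifest(root)  # in practice, persist this outside the webroot

        # Simulated post-infection state (placeholder edits, no real payload):
        (root / "wp-content/themes/twentyfifteen/header.php").write_text(
            "<?php wp_head(); ?>\n<!-- placeholder: unexpected appended markup -->\n")
        (root / ".htaccess").write_text("RewriteEngine On\n# placeholder: added rule\n")
        (root / "wp-includes/nav-menu.php").write_text(
            "<?php // nav menu functions\n// placeholder: unexpected edit\n")
        (root / "openx-adm.php").write_text("<?php // placeholder: unexpected new file\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The baseline manifest is only useful if it is taken from a known-clean install and stored where a compromised site cannot rewrite it; any entry under "Changed" in wp-includes or a theme's header.php, or an "Added" PHP file in the web root, is worth inspecting against a clean copy from wordpress.org.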

    Does iThemes Security have the ability to scan files at the root level? I have this same problem and found “payload” files in my public_html root and edits made to my Jetpack SQL file that removed the ‘protect’ value in its table. I think it’s a cPanel vulnerability.

    Sorry, I said the payload files were in public_html, but they were a level above that in root. Is there any software you have that can do a malware scan at the root level of a cPanel hosting account? Or is that something only the web host can do?

    One other thing I noticed was that I use the plugin “BackupWordpress” and there is a “backupwordpress” folder on the root of cPanel’s File Manager. I don’t think the plugin of a WordPress site should have the ability to write to that directory.
