Support » Plugin: Kebo Twitter Feed » Website suspended for Spam

  • Hi

    our website has just been suspended for spam and we have had to remove kebo twitter feed as we are told it was being used to distribute it:-

    Your hosting account has been suspended by our system administrators as it is compromised and it was being used for spam.
    (15:14): /wp-content/plugins/kebo-twitter-feed/views/dirs98.php

    anyone know how this could happen and what we can do to prevent it?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Peter Booker

    (@peterbooker)

    Hi Chris,

    The file you mention /wp-content/plugins/kebo-twitter-feed/views/dirs98.php is not part of the Kebo Twitter Feed plugin. You can see the files in the views folder here.

    I have no idea how the file has been added to your hosting, there is no mechanism for files to be added through the Kebo Twitter Feed plugin. I had a quick search for dirs98.php and google returns lots of results, some WordPress sites (various plugins and core folders) and some non-WordPress. It looks to me like this is a general spam file which gets added to random folders to hide it.

    The easy answer is that you can safely delete it, either just the file dirs98.php or the entire plugin folder /kebo-twitter-feed/ and no harm will be done. If you contact your host they should be able to do this for you and to un-suspend your account. However, without identifying how the file was added it could happen again.

    To be confident that the problem is resolved there are many professional services that could help, like Sucuri. Alternatively, your host might be able to help too.

    Hi

    thanks for your reply, events have moved on it seems that the site has been infected with some malware called wp-darkshell so I assume that this added the file to Kebo plugin.

    We are on with fixing this with the help of the host but have no idea how it happened, if anyone has any advice on securing WP then we’d be glad to hear from them. Some info on this hack is below, we indeed had the notification from Google on search console

    Cheers
    Chris

    ——————————————————————————-
    #Dark Shell Injected via WordPress hacks to create a shell backdoor to your site/server. Allows uploading of arbitrary files or slingshot attacks. Typically used to edit .htaccess files and create SEO related hijacks. provides very basic interface which can be used to inject better shells.

    Symptoms

    Your site has weird Google results you do not recognize
    You get notification from Google Search Console that your site has new ownerhsip or changes made that you are unaware.
    Detection

    Filenames can differ. Don’t rely on filenames or directories.
    look for keywords like port_scan
    e.g. grep -rl “port_scan” <directory>

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Website suspended for Spam’ is closed to new replies.