WordPress File Monitor report

  • Resolved. Steve D (@steve-d)


    Is this normal? I did absolutely nothing but update my Akismet plugin a while ago. Then this:

    This email is to alert you of the following changes to the file system of your website.
    Timestamp: Tue, 08 Jun 2010 02:12:27 +0000

    Added:
    wp-content/plugins/sidebar-login/sidebar-login.pot
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_old/sblogin-hu_HU.mo
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_old/sblogin-hu_HU.po
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_young/sblogin-hu_HU_2.po
    wp-content/plugins/sidebar-login/langs/alternate/lang_HU_young/sblogin-hu_HU_2.mo
    wp-content/plugins/antivirus/css/style.css
    wp-content/plugins/antivirus/js/script.js

    Removed:
    wp-content/plugins/sidebar-login/langs/alternate/sblogin-hu_HU.mo
    wp-content/plugins/sidebar-login/langs/alternate/sblogin-hu_HU.po
    wp-content/plugins/antivirus/css/global.css
    wp-content/plugins/antivirus/inc/wplize.class.php

    Changed:
    wp-content/plugins/sidebar-login/style.css
    wp-content/plugins/sidebar-login/sidebar-login.php
    wp-content/plugins/sidebar-login/readme.txt
    wp-content/plugins/antivirus/screenshot-1.png
    wp-content/plugins/antivirus/antivirus.php
    wp-content/plugins/antivirus/uninstall.php
    wp-content/plugins/antivirus/readme.txt
    wp-content/plugins/antivirus/lang/antivirus-ru_RU.po
    wp-content/plugins/antivirus/lang/antivirus-de_DE.po
    wp-content/plugins/antivirus/lang/antivirus-de_DE.mo
    wp-content/plugins/antivirus/lang/antivirus-ru_RU.mo
    wp-content/plugins/antivirus/img/icon32.png
    wp-content/plugins/akismet/akismet.php
    wp-content/plugins/akismet/readme.txt

Viewing 15 replies - 1 through 15 (of 16 total)
    Or am I just going nuts?

    What sent you the email? That’s not standard WP. Is it from your VPS or another plugin?

    Also … I’d check those files to make sure they match what a clean backup (or fresh install) has.

    My WordPress File Monitor plugin alerted me to these changes. I have it send me an automatic email alert if any changes are made without my knowledge and permissions.

    So with this alert I noticed something or someone the next day ahead of me did something.

    (Timestamp: Tue, 08 Jun 2010 02:12:27 +0000)

    Ah. Yeah, I’d check those files ASAP. WordPress doesn’t update files like that without user intervention.

    Yip, yup, yep . . That’s kind of what I was thinking.

    Guess it's time to call the host company and say “Guess what?”

    Again

    So if this is a hack of some sort, the little demon-scumbag is apparently targeting AntiVirus for WordPress and the Sidebar Login plugin; wouldn't that be the bottom line?

    Steve:

    Can you post the contents of these files for us to check? It looks like a valid update (see the readme files changing, png, etc). But since you didn’t do it yourself, someone did 🙂

    dd@sucuri.net . .

    I did run your scan and everything came up clean. It did occur to me that it could have been some normal and valid plugin upgrade changes. Everything looks normal on the server. Permissions are set properly.

    At second glance I am noticing that all this hu_HU.mo / ru_RU.po lang stuff appears to be part of these plugins' architecture.

    I’m hoping these plugin authors might be able to confirm and clarify this is normal stuff.

    Let me see if I can put some file contents together.

    Okay I ran an exploit scan.

    Now per the list above I noticed . .

    Timestamp: Tue, 08 Jun 2010 02:12:27 +0000
    Added:
    wp-content/plugins/antivirus/js/script.js

    My exploit scan just produced the following . .

    /wp-content/plugins/antivirus/js/script.js:1
    Could be JavaScript code used to hide code inserted by a hacker.

    t){var item=$('#av_template_'+id);if(input){input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}item.addClass('danger');var i=0;var lines=input.data;var len=lines.length;for(i;i<len;i=i+3){var nu

    e_list'},function(input){if(!input){return;}input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}var parent=$('#'+input.data[0]).parent();if(parent.parent().children().length<=1){parent.parent().hide(&

    _files'},function(input){if(!input){return;}input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}var output='';av_files=input.data;av_files_total=av_files.length;av_files_loaded=0;jQuery.each(av_files,fun

    Okay check this out. I just did a SFTP check and here is what I see.

    On the left is my known clean backup copy local. The right side is what is on the server today. I notice a js folder added to Antivirus that is not part of my clean backup. Inside it is a script.js file dated 5/29.

    Here’s the snip.

    Download a fresh copy of that plugin from the repository and check it against what you have on your server.

    Okay, in the fresh download that folder is in this latest package, yet the script.js file in it is reported as “unknown publisher”.

    Obviously the next question is why and who added the js folder to this when it was not a part of the original package. Or am I missing something or forgetting something here?

    Are there other admins of your WP install?

    Is there a possibility you ran the ‘upgrade all plugins that need upgrading’ version and not just the one?

    I’m the only administrator.

    I only upgrade one plugin at a time. I approach everything in standardized, checklist-like procedures. No seat-of-the-pants flying.
    So when something happens, I notice very quickly.

    This could be nothing, maybe I'm overreacting.

    I'll have to leave it to the pros in Blog Traffic Control and Technical to advise at this point.

    I can’t figure it out.

    That tells me that both the sidebar-login and antivirus plugins have been updated, either by you clicking to automatically update all plugins with new versions.

    Whether or not that is the correct set of file updates is up to you to determine.

    I would download the plugin zip files from the wp repository to a local directory and check what files are actually in the latest versions.
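
    The check recommended in the replies above (download a fresh copy of the plugin and compare it with what is on the server) can be scripted rather than eyeballed over SFTP. The following is an added example, not code from this thread, from the File Monitor plugin or from any plugin mentioned here. It hashes every file in two directory trees with SHA-256 and reports the same three categories the File Monitor email uses: Added, Removed and Changed. The `demo()` function builds two constructed sample trees named after the `antivirus` plugin layout from the thread; the contents and the extra file `js/extra.js` are made up for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(reference: Path, server: Path) -> dict:
    """Report files present only on the server, missing from it, or with a different hash.

    `reference` is the freshly downloaded package (or a known-clean backup);
    `server` is the copy pulled from the live site.
    """
    ref, srv = snapshot(reference), snapshot(server)
    return {
        "added": sorted(set(srv) - set(ref)),
        "removed": sorted(set(ref) - set(srv)),
        "changed": sorted(p for p in set(ref) & set(srv) if ref[p] != srv[p]),
    }


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> dict:
    """Constructed sample: a fresh plugin package versus a copy taken from the server."""
    work = Path(tempfile.mkdtemp())
    try:
        fresh = work / "fresh" / "antivirus"   # what the repository zip contains
        live = work / "server" / "antivirus"   # what is on the web host
        # Constructed contents; only the file names follow the plugin layout in the thread.
        for root in (fresh, live):
            _write(root, "readme.txt", "=== AntiVirus ===\n")
            _write(root, "js/script.js", "/* constructed placeholder script */\n")
        _write(fresh, "antivirus.php", "<?php // constructed clean version\n")
        # The server copy differs in one file and carries one file the package lacks.
        _write(live, "antivirus.php", "<?php // constructed clean version\n// one extra line\n")
        _write(live, "js/extra.js", "/* constructed: not part of the package */\n")
        return compare_trees(fresh, live)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind.capitalize() + ":")
        for name in files:
            print("  " + name)
```

    In practice you would point `compare_trees()` at the unzipped repository package and at a local mirror of `wp-content/plugins/<plugin>/` pulled from the server. A file listed under "changed" or "added" that the plugin's changelog does not account for is the one worth opening; files with matching hashes, such as the `.po`/`.mo` language files that caused the confusion in this thread, can be dismissed without reading them.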
