Support » Plugin: Wordfence Security - Firewall & Malware Scan » wp-emoji-release.min.js

  • I have an issue where someone is injecting code into the WordPress file wp-emoji-release.min.js.

    Wordfence catches the file change, but it does not come up as malicious code in other scans, such as my host’s scan, Jetpack, or even Google.

    In its behaviour, it tries to be stealthy. When a person clicks an internal link, they are also treated to a popup page. However, it looks to only occur once, or at least only once in a given timeframe. It also does not occur with logged-in users.

    However the code injection is happening, they are getting around both Wordfence and Cloudflare.

    Are there any suggestions of how to stop this from occurring? Are you aware of some vulnerability?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @tjalexander70 and thanks for reaching out to us!

    Could you provide some screenshots of this scan result in expanded details view (click on the result)? Send them to wftest @ wordfence . com with subject “tjalexander70 for WFADAM”. I would like to review these.

    Let me know once they have been sent!

    Thanks again!

    Thread Starter tjalexander70

    (@tjalexander70)

    I’m not sure I know what you are asking for… VIEW FULL LOG? The log does not appear to have data going back that far. I do have a copy of the changed file. Do you want that? I can email that to you on Monday.

    Thread Starter tjalexander70

    (@tjalexander70)

    Do you want me to send that file?

    Plugin Support WFAdam

    (@wfadam)

    Sorry for the delayed response!

    If you could click on the scan result on the Scan page, it will expand the details for this result. Then screenshot that for me to review. It should have details on what it found to be malicious.

    Thanks again!

    Thread Starter tjalexander70

    (@tjalexander70)

    A scan just found the change happen again to file wp-includes/js/wp-emoji-release.min.js. I emailed the activity log to wftest @ wordfence . com and I downloaded a copy of the file if you need it.

    Plugin Support WFAdam

    (@wfadam)

    Could you send the file to wftest @ wordfence . com as well? Please make the subject “tjalexander70 for WFADAM”.

    Thanks again!

    tillieb20

    (@tillieb20)

    Sorry to bump into another thread and feel free to direct me elsewhere…
    However, this just happened to one of the sites that I maintain. Same file. Wordfence picked it up and was able to repair it, but I worry that it will happen again.

    Did you ever find out how/why this was able to happen and fix it?

    What was your outcome? Thanks so much.

    mbstia

    (@mbstia)

    I am also having an issue with this file on Dreamhost. It’s preventing a staging site from being created and also making 1 Click backup take hours.

    From Dreamhost

    Upon checking the logs, I can see that the reason why the site is unable
    to create a staging is because of a file that has an incorrect set of
    permission, the system is unable to copy the file thus making the whole
    process stop.
    
    The file is "wp-includes/js/wp-emoji-release.min.js"
    
    If you need this file for the functionality of your site, please check
    its permission, you can set it to 644 and retry creating the staging.

    Is it safe to change permissions to 644 or can I just delete this file? We don’t use emoji on the site. I see file permissions are set to 200 currently.

    • This reply was modified 3 months ago by mbstia.
    martinhkeller

    (@martinhkeller)

    My security program “Gdata Internet Security” also found the virus “JS:Trojan.Cryxos.7726 (2x) (Engine A)” in this file two days ago.
    I did delete this file and didn’t find any negative effect when this file is missing.
    Does anyone know what was the intended function of it?
    Thank you!
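
Added example, not part of any post in this thread and not Wordfence's code: a minimal Python check for the two symptoms reported above, a core file whose content no longer matches a known-good copy and a file mode other than 644 (one reply reports 200). The reference digests are assumed to be MD5 values taken from a trusted copy of the same WordPress release; the function names and the files built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def audit_core_files(wp_root, known_md5):
    """Return {relative_path: [findings]} for files that need attention.

    known_md5 maps a path relative to wp_root to its expected MD5 hex digest
    (assumption: digests come from a trusted copy of the same release).
    """
    report = {}
    for rel_path, expected in known_md5.items():
        full = os.path.join(wp_root, rel_path)
        if not os.path.isfile(full):
            report[rel_path] = ["missing"]
            continue
        findings = []
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode != 0o644:
            findings.append("mode %03o (expected 644)" % mode)
        try:
            with open(full, "rb") as fh:
                if hashlib.md5(fh.read()).hexdigest() != expected:
                    findings.append("content differs from reference")
        except PermissionError:
            # A write-only mode such as 200 also blocks scanners and backups.
            findings.append("unreadable, cannot hash")
        if findings:
            report[rel_path] = findings
    return report


def demo():
    """Audit a constructed tree: clean, altered, mode-200 and absent files."""
    original = b"/* constructed stand-in for the shipped script */"
    samples = {
        "wp-includes/js/clean.min.js": (original, 0o644),
        "wp-includes/js/wp-emoji-release.min.js": (original + b";/*x*/", 0o644),
        "wp-includes/js/locked.min.js": (original, 0o200),
    }
    known = {"wp-includes/js/absent.min.js": hashlib.md5(original).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes", "js"))
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
            known[rel] = hashlib.md5(original).hexdigest()
        return audit_core_files(root, known)
```

A file that keeps being flagged after it is restored means the write path is still open, so the restore alone does not close the incident.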
