Title: wtactics's Replies | WordPress.org

---

# wtactics


## Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SiteOrigin Widgets Bundle] security vulnerability detected](https://wordpress.org/support/topic/security-vulnerability-detected/)
 *  Thread Starter [wtactics](https://wordpress.org/support/users/wtactics/)
 * (@wtactics)
 * [10 years ago](https://wordpress.org/support/topic/security-vulnerability-detected/#post-7451018)
 * Hi Greg,
 * I will try to get the full .log file lists from the hosting provider, as it’s the
   client’s control panel and I do not have full access to the files except for the
   last 3 days. And I have the so-widgets-bundle zipped version for the dates of
   2016 May 1st and the current version, 2016 June 8th.
 * How do you want me to share? Email or some upload place, but it still needs email
   so I could use for sending/sharing it with you.
 * Thanks
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SiteOrigin Widgets Bundle] security vulnerability detected](https://wordpress.org/support/topic/security-vulnerability-detected/)
 *  Thread Starter [wtactics](https://wordpress.org/support/users/wtactics/)
 * (@wtactics)
 * [10 years ago](https://wordpress.org/support/topic/security-vulnerability-detected/#post-7450919)
 * Yes, log files clearly showed that increased traffic was coming to the site at
   3-7 min intervals, and there was a separate folder/dir created from which spam
   emails were coming out to spam and porn sites.
 * At the final stage, the site gets broken and a page pops up and asks to enter
   login and password. Total site corruption.
 * Had to re-install, upload the backup, and make configurations.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SiteOrigin Widgets Bundle] security vulnerability detected](https://wordpress.org/support/topic/security-vulnerability-detected/)
 *  Thread Starter [wtactics](https://wordpress.org/support/users/wtactics/)
 * (@wtactics)
 * [10 years ago](https://wordpress.org/support/topic/security-vulnerability-detected/#post-7450845)
 * You are welcome.
 * Yes, exactly, I tested it out. Once I enable the plugin, the file gets included
   again into the server. Seeing via terminal and scanner that the file is included,
   I immediately deleted the file.
 * If I navigate to wp-content/uploads/siteorigin-widgets/ I see this file – take
   a look at the link: [http://imgur.com/o6qOpTK](http://imgur.com/o6qOpTK). This
   is a .css file that I find, and it looks like a normal .css file, but some code
   strings are slightly strange… When I delete the folder siteorigin-widgets/ and
   its contents, I still get the issue after around 10 mins. This is exactly the
   time loop when the virus attacks again. I mean different time intervals, like
   5-10 mins, and the file is included again.
 * The permissions are set under the required scope, 0755 and 0644. Actually, I have
   re-installed the WordPress site with a fresh install, and reinstalled the plugins,
   but am getting the issue.
 * You can see the list of plugins I have on the site here:
    [http://imgur.com/5PSQNEO](http://imgur.com/5PSQNEO)
 * I believe that there must be a cause and explanation, but so far, the deletion
   of the widgets bundle solved the problem and the attacker cannot get into the
   site for 3 days starting from Thursday.
 * N.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SiteOrigin Widgets Bundle] security vulnerability detected](https://wordpress.org/support/topic/security-vulnerability-detected/)
 *  Thread Starter [wtactics](https://wordpress.org/support/users/wtactics/)
 * (@wtactics)
 * [10 years ago](https://wordpress.org/support/topic/security-vulnerability-detected/#post-7450834)
 * Hi Greg,
 * Thanks for prompt response.
 * I have read the article you have sent over regarding mobile detector. So our
   answer is “NO”, we are not using WP Mobile detector. We used it for a couple of
   sites in the past, but not at the moment. The attack that is written up in the
   article is very similar to our situation. We also had a /gopni3g/ dir with a
   story.php script, so this looks really familiar. Reading the hacker’s code, it
   becomes apparent that this code was written by Russian-speaking people.
 * After the sites got infected, apparently, I was looking for the reasons the site
   got infected. My investigation started from plugins, and since the infected sites
   did not have many plugins it was easy enough to catch the vulnerability and the
   attackers’ IP addresses. After I blocked the attacks (IP addresses), as you might
   expect, the new attacks began after 5-7 hours. Obviously, using other proxy servers.
 * So after I have disabled all other plugins and left Widgets Bundle enabled – 
   the website picked up the virus in 10-20 mins again. So yes, the site gets infected
   once the only plugin (Widgets bundle) gets enabled.
 * If widgets bundle is enabled – the virus is picked up, if plugin is disabled –
   then virus does not appear in the files.
 * If you are interested, I could send/upload the actual virus for your investigation
   and I will do my best to help out on this investigation. Just let me know how
   you want me to send the virus.
 * I installed a fresh version via plugins–>add new plugin–>widgets bundle and then
   activation.
 * If you need any assistance, I will do my best.
 * Thank you!
 * N.
