Cray Cray email from Wordfence Please advise

Posted: December 1, 2016 at 11:46 am


Chris Keller

December 1, 2016 at 11:46 am

Please read the below email from our website security service company and the malware warning from Wordfence.

Please advise if you agree with our website security service company or if this does in fact pose a threat.

*********wordfence warning****************
This email was sent from your website “Acute” by the Wordfence plugin.

Wordfence found the following new issues on “Acute”.

Alert generated at Wednesday 30th of November 2016 at 04:00:55 PM

Critical Problems:

* This file is suspected malware: wp-content/plugins/event-espresso-core-reg/core/libraries/messages/defaults/default/email_payment_cancelled_to_admin.template.php

* This file is suspected malware: wp-content/plugins/event-espresso-core-reg/core/libraries/messages/defaults/default/email_payment_declined_to_admin.template.php

* This file is suspected malware: wp-content/plugins/event-espresso-core-reg/core/libraries/messages/defaults/default/email_payment_failed_to_admin.template.php

NOTE: You are using the free version of Wordfence. Upgrade today:

Receive real-time Firewall and Scan engine rule updates for protection as threats emerge
Other advanced features like IP reputation monitoring, country blocking, an advanced comment spam filter and cell phone sign-in give you the best protection available
Remote, frequent and scheduled scans
Access to Premium Support
Discounts of up to 90% for multiyear and multi-license purchases

*****web security company response**********
Hi Chris!

Thank you for passing this alert on, since you are the Wordfence contact and we do not receive these messages.

We looked into this yesterday and it is most likely a false positive from Wordfence, as our security scans did not pick up malware. However, if you are the owner of the Event Espresso licence, then I would suggest putting in a support ticket to see what the developers have to say. You could also download a clean copy of the plugin and compare the mentioned files between the clean and installed copy to check for any code injections (or just install a fresh copy onto the site, if you are concerned).

Let us know how it goes, and continue forwarding on any additional alerts like this so that we are aware.

Many thanks!
Anna


Tony

  • Support Staff

December 1, 2016 at 11:56 am

Hi Chris,

The 3 files mentioned above should basically be empty template files (they may have a PHP comment within them but other than that nothing else). They are used to tell EE that those sections of messages should be empty.

If you download those 3 files from the site, do they have any content?


Josh

  • Support Staff

December 1, 2016 at 11:56 am

Hi Chris,

You should probably take the time to check your copies of email_payment_cancelled_to_admin.template.php
email_payment_declined_to_admin.template.php
email_payment_failed_to_admin.template.php

to ensure that they match what ships with Event Espresso core. That’s what the email from the security company said to do:

You could also download a clean copy of the plugin and compare the mentioned files between the clean and installed copy to check for any code injections (or just install a fresh copy onto the site, if you are concerned).

If you take the time and actually look at the files in question as shipped with Event Espresso, you’ll see that they are virtually empty files. So if your copies have actual PHP code, then that’s a good indication that your server has been compromised.
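The comparison recommended in the replies above, as an added example that is not part of the original thread and is not Event Espresso or Wordfence code. It assumes a clean copy of the plugin has been unpacked next to the installed one and that both keep the relative path shown in the Wordfence alert; the two directory arguments are hypothetical.

```shell
#!/bin/sh
# Compare the three flagged templates in an installed plugin copy
# against a freshly downloaded clean copy of the same plugin version.
# Path below the plugin root, taken from the Wordfence alert.
TEMPLATE_DIR="core/libraries/messages/defaults/default"
TEMPLATES="email_payment_cancelled_to_admin.template.php
email_payment_declined_to_admin.template.php
email_payment_failed_to_admin.template.php"

# check_templates CLEAN_ROOT INSTALLED_ROOT
# Prints one status line per file and a unified diff for any file that
# differs. Returns 0 only if every installed file is byte-identical to
# its clean counterpart.
check_templates() {
    clean_root=$1
    installed_root=$2
    bad=0
    for name in $TEMPLATES; do
        clean="$clean_root/$TEMPLATE_DIR/$name"
        installed="$installed_root/$TEMPLATE_DIR/$name"
        if [ ! -f "$clean" ]; then
            echo "NO-REFERENCE $name"
            bad=1
        elif [ ! -f "$installed" ]; then
            echo "MISSING $name"
            bad=1
        elif cmp -s "$clean" "$installed"; then
            echo "MATCH $name"
        else
            echo "DIFFERS $name"
            # Show exactly what was added or changed for manual review.
            diff -u "$clean" "$installed" || true
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use: sh check.sh /path/to/clean-plugin /path/to/installed-plugin
if [ "$#" -eq 2 ]; then
    check_templates "$1" "$2"
fi
```

A `DIFFERS` line means the installed file needs a manual look at the printed diff; a non-zero exit status makes the check usable from a scheduled job.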

The support post ‘Cray Cray email from Wordfence Please advise’ is closed to new replies.