|
pzmarinesa
|
November 7, 2018 at 1:40 am
Hello
I recently scanned my website for Malwares and found about 180+ infected files from which ~165 files belongs to EE4 Plugin. Could you please tell me why is it happening?
|
|
Tony
|
November 7, 2018 at 3:27 am
Hi there,
We can’t provide any further details on why/how/if the site is infected from the details above, most malware is designed to self-propagate through your site by infecting other files so, for example, malware may have been present elsewhere and injected code into various files within your plugins directory…. or the above may also be false positives from the malware scanner.
I can tell you that there is no malware within Event Espresso by default, I’ve also ran scans using the scanners provided by a couple of my hosts, one of which runs Imunify360 which shows no issues with EE’s code.
Based on the fact that your scanner is finding malware in other files within EE I would say you have 2 possibilities:
1. The scanner is throwing false positives on all of those files (unlikely in my opinion)
2. Your site may have bee infected and whatever has infected the site is self-propagating throughout the files on your server.
Which scanner are you using?
Did it provide any details of the ‘infected files’, for example, what are they infected with and what line numbers (usually if everything shows from the beginning of the file on all files it’s a good indicator that code has just been injected into that file)?
—
Just to note, we (Event Espresso) cannot help with malware removal on a site, if it turns out your site has been infected you’ll need to at least contact your host and see what options they have to fix or you may need to hire a professional, for example Securi:
https://sucuri.net/website-security-platform/malware-removal
|
|
pzmarinesa
|
November 7, 2018 at 5:22 am
Hi Tony,
I used “Anti-Malware from GOTMLS.NET” plugin. It created a quarantined folder where it’s showing all the infected files. We are getting our website developed by a third party and according to them, the website got infected because of Event Espresso plug-in (which I highly doubt). Is there any way you can check the infected files to confirm whether it actually infected the site or not.
Thank You!
|
|
Tony
|
November 7, 2018 at 5:36 am
We are getting our website developed by a third party and according to them, the website got infected because of Event Espresso plug-in (which I highly doubt).
If they have any details of how they know the infection is from Event Espresso and can provide any form of report on the code used, I’m more than happy to investigate this further.
If the are assuming the attack was done through Event Espresso based on then number of files the scan found within EE that doesn’t actually mean very much (EE will more than likely a LOT more files within it than any other plugin on your site so can easily show as having the ‘most’ infections).
To be honest, it’s more likely to be an outdated theme or plugin, than it is Event Espresso although it’s always possible to have an unknown exploit in any software so no-one can say with 100% certainty (although some will try).
Is there any way you can check the infected files to confirm whether it actually infected the site or not.
Look over the files that have been quarantined you mean?
I can take a look and confirm if something looks suspicious within some of the files (seems likely with the number of files its quarantined) but to find find the actual attack vector you’ll need someone more familiar doing so (such as securi).
If you’d like to place some of the files in a zip file and host it somewhere (Dropbox for example) I’ll take a look.
|
|
Josh
|
November 7, 2018 at 5:43 am
Hi,
If you do a fresh install of EE4, (you can download a fresh copy from your account page) and then run the scan, does the scanner still detect infected files within the EE4 core plugin?
|
|
pzmarinesa
|
November 7, 2018 at 6:05 am
This reply has been marked as private.
|
|
Tony
|
November 7, 2018 at 6:09 am
Thanks for your reply Tony, as I mentioned there are more than 160 files and they’re in different directories.
I don’t need to view all 160 files, just a couple, usually injected malicious code sticks out so if those couple have it its likely the others do.
You can send login details over if you prefer using this form:
https://eventespresso.com/send-login-details/
However as mentioned, I won’t be able to tell how the site was infected, I can just confirm if there’s some code injected in the files.
|
|
pzmarinesa
|
November 7, 2018 at 6:20 am
Sent the credentials.
Thank you for giving your time.
|
|
Tony
|
November 7, 2018 at 7:01 am
Ok, so I’ve had a look at the site.
The files that have been quarantined are all basically the same file being added to various directories throughout your site with various filenames. It’s not just within EE but everywhere, they were within multiple plugin directories, root and various other locations, it’s all malicious code, but none of it is from EE.
In short, your site has been hacked and there’s code to now just add files wherever it can on the site to increase the chance of the files being accessible externally.
My advice is to temporarily take the site down and looking into how to clean the files. You can start here: https://codex.wordpress.org/FAQ_My_site_was_hacked
Then look at getting someone familiar with cleaning sites to take a look.
At the very least your going to need to remove all of those files (they can be used to log everything on the server and do pretty much whatever a person would want to on your site) and confirm there are no more. The code used to initially add the files will need to be found an removed and a review of the site’s theme, plugins etc to confirm the code there is valid. It’s not as simple as just deleting the quarantined files, you also need to find the source and remove/prevent it, which is why you need someone familiar with doing so.
|
|
pzmarinesa
|
November 7, 2018 at 7:09 am
Thanks Tony for taking a deeper look into the problem. I appreciate the swift response from EE Support Staff. Lastly, thank you for your valuable suggestion, I’ll forward the copy of this conversation to our developer team to take things further.
|
|
pzmarinesa
|
November 7, 2018 at 7:12 am
Lastly, thank you Josh* for your valuable suggestion
|
|
Tony
|
November 7, 2018 at 7:29 am
You’re most welcome.
I’m sorry it’s bad news, nobody likes bad news.
|
