Malware in plugin folder

  • mayschwp

    (@mayschwp)


    First: I considered that the following issue is something I should report here: https://hackerone.com/wordpress, but after registering I received no confirmation email or anything else, so I put it here.

    Second: It is a malware issue and I will report as little information as possible to prevent other hackers from using this to do the same sh*t.

    About 3 weeks ago, my best friend detected that she was suddenly redirected to a kind of “happy congratulations you are a millionaire now” site when moving to her WordPress site.

    So we started a scan with Wordfence and detected that there was a directory created in the wp-content/plugins folder called [folder_name] with a file named [file_name] in it masked/disguised as a plugin file.

    We deleted the file and I advised her to take the following steps:

    – change wp admin url

    – change admin user name

    – use powerful passwords

    – change db prefix (was already done)

    – use the plugins limit login attempts + security protection

    Today the issue appeared again. Same directory, same file created.

    What makes me wonder is that the description in the header of the (malicious) file equals that of a very popular and often used WordPress plugin.

    For now we fixed the issue again by using Wordfence; I advised her to update WordPress temporarily via FTP.

    We also created a cron job which has a look at the creation of a folder/file like that.

    I also deleted the transient entry in the options table where the plugin information is stored (which I did not do when the issue first occurred).

    But we really have no idea why this happened again.

    We did not know where to report this kind of issue, as there is very confusing information regarding this on the www and this is the third try reporting it.

    Of course we can send you all detailed information regarding the content/name/s of the malicious file/folders and the report of the health check.

    At first we decided not to do this because of the reason stated above and your advice regarding such issues.

    All the best,

    Lola

    • This topic was modified 2 days ago by mayschwp.
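
An added example, not code from this thread or from WordPress: one way to write the kind of scheduled check described in the post above, reporting plugin directories that are missing from a known-good baseline and marking those whose "Plugin Name" header copies a plugin that is in the baseline. The function names, the baseline format (directory name mapped to plugin name, as JSON) and the paths in the usage comment are assumptions.

```python
#!/usr/bin/env python3
"""Audit wp-content/plugins against a known-good baseline (added example)."""
import json
import re
import sys
from pathlib import Path

# WordPress reads plugin metadata from a comment header near the top of a PHP file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def declared_names(plugin_dir):
    """Return the set of 'Plugin Name' headers declared by PHP files directly in plugin_dir."""
    names = set()
    for php in Path(plugin_dir).glob("*.php"):
        match = HEADER_RE.search(php.read_bytes()[:8192])
        if match:
            names.add(match.group(1).decode("utf-8", "replace"))
    return names


def audit(plugins_root, baseline):
    """baseline maps directory name -> Plugin Name, recorded while the site was clean.

    Returns sorted (directory, reason) tuples for directories that are not in the
    baseline, marking those whose header copies the name of a baseline plugin.
    """
    owner_of = {name.lower(): d for d, name in baseline.items()}
    findings = []
    for entry in Path(plugins_root).iterdir():
        if not entry.is_dir() or entry.name in baseline:
            continue
        copied = sorted(owner_of[n.lower()] for n in declared_names(entry) if n.lower() in owner_of)
        if copied:
            findings.append((entry.name, "header copies plugin in: " + ", ".join(copied)))
        else:
            findings.append((entry.name, "directory not in baseline"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (hypothetical paths): audit.py /var/www/site/wp-content/plugins baseline.json
    root, baseline_file = sys.argv[1], sys.argv[2]
    results = audit(root, json.loads(Path(baseline_file).read_text()))
    for directory, reason in results:
        print(f"{directory}: {reason}")
    sys.exit(1 if results else 0)  # non-zero exit lets cron or a monitor raise an alert
```

A check like this only reports that the directory has come back; it does not show how the file was written.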
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    HackerOne is for reporting security problems with WordPress itself.

    Your site malware is not likely related to WP core or any plugin distribution,
    but came from elsewhere. Please read this article:

    FAQ My site was hacked

    Thread Starter mayschwp

    (@mayschwp)

    I have read this article very often.

    But thanks for the hint that this issue has been coming in from somewhere else.

    Thanks for your reply :-).
