Compromised files on two plugins and template.

  • Resolved danjde

    (@danjde)


    8 years, 7 months ago

    Hi Staff,
    I’m using the free Wordfence version and it sent me two emails where it reported the presence of malicious files, before the site is being defaced.

    The first compromised was “easyrotator for wordpress” (that I was never installed)
    The second one was “responsive-add-ons” (that I was never installed)
    Then the template (Alexandria, installed by me), and then the site stopped working.

    This could be normal, but searching on the “easyrotator for wordpress” WordPress support page, I’ve found a post where a user reports the presence of viruses: https://ww.wp.xz.cn/support/topic/virus-32/

    Is this a simple coincidence? Or what?

    Thanks

    Davide

    • This topic was modified 8 years, 7 months ago by danjde.

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • wfyann

    (@wfyann)

    8 years, 7 months ago

    Hi @danjde,

    If you didn’t install those plugins, then maybe they were bundled with a theme you installed.

    At this stage, I strongly advise you go through all the steps outlined in our site cleaning guide.

    Thread Starter danjde

    (@danjde)

    8 years, 7 months ago

    Thanks @wfyann!
    I restored from a few months ago backup. The database, however, I kept the current one, did I hurt in your opinion?

    For the plugins, I’ve look into the previous backup, and there wasn’t these two plugins, so these were not in the template and no in other software, they were installed by the hacker, surely. But I don’t know why.

    I read every time your blog, and looking into this, I had arisen doubts about the goodness of these plugins and their developers…

    Thanks!

    Davide

    wfyann

    (@wfyann)

    8 years, 7 months ago

    Hi @danjde,

    I wouldn’t necessarily incriminate the authors of either plugins you mentioned.

    As you suggested, hackers probably found a way to gain admin access to your site (through some PHP backdoor installed before you had Wordfence on your site or “simply” by cracking your password) and then installed compromised versions of the plugins.

    Then again this is only a possible explanation which doesn’t rule out your concerns.

    At this stage I would reiterate my advice to follow the procedure outlined in our site cleaning guide and I’d also strongly recommend changing all of the passwords (especially the database password).

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Compromised files on two plugins and template.’ is closed to new replies.