• Hello,
    I got notified by my webhosting provider that we have malware in your plugin.
    The information from the webhosting provider's e-mail:

    Dear customer,
    
    we have found the following files infected by malicious code on virtual server
    xxxx-xxx.cz. We renamed them (added suffix .malware) in order to prevent
    abuse of your web space for cyber attacks or sending spam.
    
    But remember that this is only a temporary measure that does not solve
    the real vulnerability which was abused to infect your website. The
    vulnerability is usually in an outdated version of the CMS in use or any of its
    plugins or themes.
    
    Please go through the renamed files and check or possibly delete them ASAP and
    update your CMS including all plugins and themes to the latest available
    versions. Otherwise it is just a matter of time before the abuse of your
    website occurs again. In that case we would have to suspend the hosting
    services and their unlocking will be charged according to the valid price
    list.
    
    We have found the malware in the following files:
    
    www/wp-content/plugins/wp-members-master/widget-tag.php (obsahuje/contains {HEX}Malware.Expert.uname.bash)

    I would like to get info about why there is malware in your plugin?

  • Plugin Author Chad Butler

    (@cbutlerjr)

    I would like to get info about why there is malware in your plugin?

    The answer is: there’s not. Either your site was hacked and that’s where they inserted their payload, or you didn’t get the plugin from here (ww.wp.xz.cn).

    I suspect it is the latter. The file you’ve noted does not exist in the plugin. The directory named as “wp-members-master” looks like you’re loading it from another repository, such as git. If you load the default install from here (ww.wp.xz.cn) it would simply be “wp-members”.

    If you load open-source plugins from “non-official” sources, you need to be careful what you’re loading.

    Other than my git repos at https://github.com/rocketgeek and https://github.com/butlerblog, the ONLY official repo for WP-Members is here at ww.wp.xz.cn. You can compare what you’ve got with the following and if it differs, then I wouldn’t use it.

    The development repo at https://github.com/rocketgeek/wp-members-dev may vary from time-to-time, because it is continually updated, but you can use it for comparison as well:

    • This reply was modified 4 years, 5 months ago by Chad Butler.
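
The comparison suggested in the reply above can be scripted; this is an added example, not part of the original thread or the plugin's code. It assumes a clean copy of the same plugin version has been unpacked locally as the reference; the function names and the demo file names other than `widget-tag.php` are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_plugin(installed, reference) -> dict:
    """Diff an installed plugin directory against a known-good copy.

    extra:    only in the installed copy (dropped files, *.malware renames)
    modified: in both, but contents differ (possible injected code)
    missing:  shipped by the reference, absent from the installed copy
    """
    have, want = file_digests(Path(installed)), file_digests(Path(reference))
    return {
        "extra": sorted(have.keys() - want.keys()),
        "modified": sorted(f for f in have.keys() & want.keys() if have[f] != want[f]),
        "missing": sorted(want.keys() - have.keys()),
    }


def demo() -> dict:
    """Constructed sample: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "wp-members"), Path(tmp, "wp-members-master")
        for root in (ref, inst):
            (root / "inc").mkdir(parents=True)
            (root / "plugin-main.php").write_text("<?php // constructed file\n")
            (root / "inc" / "core.php").write_text("<?php // constructed file\n")
        (inst / "widget-tag.php.malware").write_text("<?php // placeholder text\n")
        (inst / "inc" / "core.php").write_text("<?php // constructed, altered\n")
        (inst / "plugin-main.php").unlink()
        return compare_plugin(inst, ref)


if __name__ == "__main__":
    # Usage: script.py <installed-plugin-dir> <reference-dir>; no args runs the demo.
    report = compare_plugin(*sys.argv[1:3]) if len(sys.argv) >= 3 else demo()
    for kind, files in report.items():
        print(kind, files)
    sys.exit(1 if report["extra"] or report["modified"] else 0)
```

Any entry under `extra` or `modified` is a file the reference copy does not account for and should be inspected before the plugin is trusted again.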
  • Plugin Author Chad Butler

    (@cbutlerjr)

    Sorry – I did not read your title closely enough. You noted version 3.0.7.2.

    That also is part of the issue – you’re using a version that is so far out of date it isn’t even listed for download here on ww.wp.xz.cn. That means you’re running something that is 4-5 years old. I’d suspect that version doesn’t run (or run well) on the current 8.x or 7.4 versions of PHP, which may indicate that you also run an out-of-date PHP version and WordPress as well. Are there other plugins on the site that are out-of-date?

    Probably the number one reason sites get hacked is that they run vulnerable versions of out-of-date software.

    You need to do a serious evaluation of your site and make sure that you’re running up-to-date versions of everything that you use.

    • This reply was modified 4 years, 5 months ago by Chad Butler.

The topic ‘Malware in version 3.0.7.2’ is closed to new replies.