Plugin Author
Eli
(@scheeeli)
Here is an outline of the infection you are seeing:
A malicious class called WPPlugingsOptions is created in the newly planted files ‘/inc/inc.php’ and ‘/inc/class_theme-functions.php’, then those files are included in your theme execution with a few lines of PHP code injected into the top of your theme’s block-editor.php and class-css.php files.
Your solution works fine for removing the infection, and my plugin will also remove this threat from your theme. The bigger issue here is that this infection keeps coming back and there are a number of reasons why that might be happening.
The most likely cause of repeated infections if your site is on a shared hosting account is that there is another infected site on that server that is not being cleaned and is responsible for continuing to reinfect your site (and probably other sites on that server too). Less likely but still common enough is the possibility that your site has some major security flaw or vulnerability that has been exploited to plant these files, and this infection could continue until the breach is found and fixed.
The only way to be sure of where this infection is coming from is to do a little searching in the log files on your server. The first and most important thing you will need is the exact times that the infections occurred. If you used my plugin to clean up these infections then the original infection times will be recorded in the Anti-Malware Quarantine in your wp-admin. If you have been cleaning this threat manually by deleting these files and replacing your theme from the original source then you have erased all the evidence that you would need to find the cause, and you will need to wait until you get infected again, then stat those infected files before you clean them so that you get the exact infection times from the changed/modified times on the altered files.
Armed with the knowledge of the precise time of the infection you should be able to find something in the server logs to indicate how the infection was written to your site. You may need help from your hosting provider to access and/or make sense of the information in the log files. If your hosting provider is unwilling or unable to help you with this investigation then I would strongly advise that you find a new host. A secure host with proactive helpful support can make all the difference in stopping these attacks.
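The time-correlation step described in the post above, as an added example that is not part of the original post or of the plugin: it reads the modified/changed times of the altered files before cleanup, then pulls the access-log requests that fall within a window around that time. The function names, the 120-second window, the Apache/nginx common/combined log format, and the sample log lines are all assumptions made for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Assumes Apache/nginx "common" or "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2024:03:10:02 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Jan/2024:03:12:31 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 900',
    '203.0.113.9 - - [15/Jan/2024:03:12:38 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48',
    '198.51.100.7 - - [15/Jan/2024:04:00:00 +0000] "GET /feed/ HTTP/1.1" 200 3000',
]

def infection_times(paths):
    """Return {path: (mtime, ctime)} in UTC. Run this BEFORE cleaning the files.

    mtime can be reset by whoever wrote the file; ctime (inode change time on
    Linux) cannot be set through the normal API, so record and check both.
    """
    times = {}
    for path in paths:
        st = os.stat(path)
        times[path] = tuple(datetime.fromtimestamp(t, timezone.utc)
                            for t in (st.st_mtime, st.st_ctime))
    return times

def requests_near(log_lines, when, window_seconds=120):
    """Return parsed requests within +/- window_seconds of `when`, POSTs first."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            hits.append({**m.groupdict(), "ts": ts})
    # Requests that send data are the likeliest write path; list them first.
    hits.sort(key=lambda h: (h["method"] != "POST", h["ts"]))
    return hits

if __name__ == "__main__":
    when = datetime(2024, 1, 15, 3, 12, 40, tzinfo=timezone.utc)  # constructed
    for hit in requests_near(SAMPLE_LOG, when):
        print(hit["ts"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

If nothing in the web access log lines up with the file times, the same window can be applied to the host's FTP, SSH, or control-panel logs, which usually requires the hosting provider's help.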