• Resolved dfumagalli

    (@dfumagalli)


    Hello,

    first of all, thank you for providing this magnificent piece of software! It cleaned 95% of the infection our website had! I am going to pressure my boss into donating to you because of this.

    That being said, I ran Quttera after your automatic cleanup and it still found some stuff:


    If you want I can send you the infected files so you can add them to your signatures.

    Best regards,
    D. Fumagalli

Viewing 15 replies - 1 through 15 (of 21 total)
  • Plugin Author Eli

    (@scheeeli)

    Oh, Yes! Please send me these new threats so that I can add them to my malware definitions, then they too can be automatically cleaned with my plugin.

    Thread Starter dfumagalli

    (@dfumagalli)

    Ok Eli,

    where can I find a way to contact you / send those files?

    Plugin Author Eli

    (@scheeeli)

    eli AT gotmls DOT net

    Thread Starter dfumagalli

    (@dfumagalli)

    I’ve mailed you a zip with screenshots and source files with the infection.

    It’ll come from a gmail address with my user name (you can see above) + 71 in it.

    Thread Starter dfumagalli

    (@dfumagalli)

    I’ve just found out one last trick of this infection: it uploaded a zipped fake plugin in the media uploads directory and inside it there was (also) an obfuscated infector.

    Neither your antivirus nor Quttera found it, but when I backed up the “supposedly cleaned up” website and tried to download it on my main computer, my AVG antivirus blocked the download and pointed out the infected file inside the zip file.


    Apparently in the future you need to also unzip compressed files to look for infections.


    @dfumagalli can we ask you to send us content of the missed plugin?

    If you send it in a password-protected zip, AVs will bypass it.

    Thank you

    Plugin Author Eli

    (@scheeeli)

    Yes, Please send me this new zip file too.

    I am currently working through the first batch you sent me…

    Thread Starter dfumagalli

    (@dfumagalli)

    @scheeeli and @quttera thank you both for your continued interest!

    Since I really had to put the website back online (600+ paying fixed-service users must use it every day), I deleted the affected plugin, so the persistent infection got away.

    However, every day since then, the website gets infected again, so “something” is still in.
    It does not help that I completely deleted WordPress, plugins and themes, reinstalled everything, and in 3-5 hours it becomes infected again.
    This, despite my having installed:

    – Quttera scanner
    – Your Scanner
    – WordFence
    – Stop Spammers

    Alone, in combinations and (ATM) all 4 together. The hack just goes through like a hot knife through butter.

    Does not help that the users must log in, so I cannot hide wp-login and so on.

    PS. @quttera I also used your online scan and it finds 4 suspicious files. However they are 4 CSS files with legit Thrive Themes code, so I suspect it’s a false positive.


    Best regards,
    D. Fumagalli

    Thread Starter dfumagalli

    (@dfumagalli)

    Perhaps you (not me!) got lucky.

    • First I enabled a plugin that only allows my IP to see and use the website (just in case).
    • Then I made a full scan and clean.
    • Then I immediately zipped the whole website
    • Then I copied it to my computer by FTP.
    • Scanned it and… voilà… AVG found infections again!


    Now I am going to see if I can somehow recover the infected files from the quarantine and then I’ll send them.

    Best regards,
    D. Fumagalli

    Thread Starter dfumagalli

    (@dfumagalli)

    @quttera I could extract two bad files from quarantine from the screenshot above.
    If you want, I can send several others I saved in the past days.

    Do I send them to support AT quttera DOT com?

    @dfumagalli yes please send it to support AT quttera DOT com with the title “Samples missed by WP plugin”

    Thank you so much.

    @dfumagalli, Regarding reinfection,

    • please check cronjobs list in cPanel
    • if you have ssh/shell to your hosting account, check output of (#crontab -l) command
    • Check website access logs maybe one of used plugins suffers from 0-day vulnerability getting exploited
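The checks Quttera lists above, as an added example in Python that is not code from the thread, from the Anti-Malware plugin or from Quttera. It automates the first two (red-flag crontab entries, files changed in the last few hours) and adds a third that fits the uploads-directory trick described earlier in the thread (any PHP file under the media uploads directory); reading the access log for the exploited plugin stays a manual step. The 6-hour window, the `wp-content/uploads` path and the crontab patterns are assumptions to adjust for your host.

```python
import os
import re
import time

# Red-flag patterns for crontab entries (assumption: a starting list, extend it for your host).
CRON_RED_FLAGS = re.compile(
    r"(curl|wget)\b[^|;&]*\|\s*(sh|bash|php)\b"   # download piped straight into an interpreter
    r"|base64\s+(-d|--decode)\b"                  # decoding a hidden payload in the cron line itself
    r"|\bphp\s+-r\b"                              # inline PHP code typed into the crontab
    r"|\beval\s*\("
    r"|/tmp/\S+\.(php|sh)\b",                     # code living in a scratch directory
    re.IGNORECASE,
)


def suspicious_cron_lines(crontab_text):
    """Return crontab lines (comments and blanks skipped) that match a red-flag pattern."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if CRON_RED_FLAGS.search(entry):
            hits.append(entry)
    return hits


def recently_modified(root, hours, now=None):
    """Paths (relative to root) of files whose mtime falls within the last `hours` hours."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) >= cutoff:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def php_in_uploads(root, uploads="wp-content/uploads"):
    """PHP files below the media uploads directory; WordPress itself never writes code there."""
    base = os.path.join(root, uploads)
    found = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


if __name__ == "__main__":
    import subprocess
    import sys

    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    try:  # `crontab -l` is the same command Quttera suggests running by hand
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""
    for entry in suspicious_cron_lines(cron):
        print("suspicious cron entry:", entry)
    for rel in recently_modified(site_root, hours=6):
        print("modified in the last 6 hours:", rel)
    for rel in php_in_uploads(site_root):
        print("PHP under uploads:", rel)
```

Run it from the site root right after a clean (`python3 hunt.py /home/user/public_html`); on a site that gets reinfected within hours, the list of recently modified files is the shortest route to the file being dropped and, through its mtime, to the matching access-log window.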
    Thread Starter dfumagalli

    (@dfumagalli)

    Sucuri found another file that AMS did not detect and Quttera (in my opinion) only finds via heuristics (shows as warning) but not by precise signature.

    This time AVG did not show it as infected either! Despite the clear “malicious header code” prepended at the top of the original file comments.


    I am going to send it to both of you.
    Yes, I am really deep in this “stuff”.

    By the way, @quttera keeps showing File signature == threat signature. Shouldn’t the original file signature have a hash code different from the infected file?

    Thread Starter dfumagalli

    (@dfumagalli)

    I recorded a Youtube video where I show how malware “hides” over the screen / window corners.

    This way, someone checking for malware could easily miss that the PHP file is infected.

    Infection hiding demonstration
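The three evasion tricks reported in this thread, as one added example in Python that is not code from the thread, from the Anti-Malware plugin or from Quttera: the fake plugin zipped into the media uploads directory (scanners that do not open archives miss it), the loader prepended before a file's original header comment, and the injected code pushed off the right edge of the editor by a long run of spaces. The 200-character whitespace threshold, the 5 MB archive-member limit, the file extensions and the sample files are assumptions; the regexes are heuristics, not the plugin's signatures.

```python
import os
import re
import zipfile

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")
PADDING_THRESHOLD = 200        # assumption: this many spaces/tabs on one line is not formatting
MAX_MEMBER_BYTES = 5_000_000   # assumption: refuse to inflate huge archive members (zip-bomb guard)

# A run of whitespace long enough to push the code after it off the right edge of an editor window.
HIDDEN_RUN = re.compile(rb"[ \t]{%d,}(?=\S)" % PADDING_THRESHOLD)
# eval-style execution wrapped around a decoder, the usual shape of an injected loader.
DANGEROUS_CALL = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# An injected block closed with '?>' followed by the file's original open tag and header docblock.
PREPENDED_BLOCK = re.compile(rb"\A\s*<\?php(.*?)\?>\s*<\?php\s*/\*\*", re.DOTALL | re.IGNORECASE)


def scan_php_source(data):
    """Return human-readable findings for one PHP source given as bytes (empty list if clean)."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        run = HIDDEN_RUN.search(line)
        if run:
            findings.append(
                f"line {lineno}: {len(run.group(0))} whitespace characters before code "
                f"at column {run.start()} (off-screen hiding)"
            )
        if DANGEROUS_CALL.search(line):
            findings.append(f"line {lineno}: eval-style call around a decoder")
    if PREPENDED_BLOCK.match(data):
        findings.append("code block prepended before the original header docblock")
    return findings


def scan_tree(root):
    """Walk root: scan PHP files directly and PHP members inside .zip archives.

    Keys are paths relative to root; a member inside an archive is keyed archive.zip!member.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(PHP_EXTENSIONS):
                with open(path, "rb") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    results[rel] = hits
            elif lower.endswith(".zip"):
                try:
                    with zipfile.ZipFile(path) as zf:
                        for info in zf.infolist():
                            if not info.filename.lower().endswith(PHP_EXTENSIONS):
                                continue
                            key = f"{rel}!{info.filename}"
                            if info.file_size > MAX_MEMBER_BYTES:
                                results[key] = [f"member is {info.file_size} bytes uncompressed; skipped, inspect by hand"]
                                continue
                            hits = scan_php_source(zf.read(info))
                            if hits:
                                results[key] = hits
                except zipfile.BadZipFile:
                    results[rel] = ["not a readable zip archive; inspect by hand"]
    return results


if __name__ == "__main__":
    import sys

    for key, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for hit in hits:
            print(f"{key}: {hit}")
```

The whitespace check is what catches the case shown in the video: the line still begins with `<?php` and a normal-looking comment, so a check on leading indentation alone would miss it, which is why the regex looks for the long run anywhere on the line. Treat every hit as something to open in an editor with line wrapping on, not as a verdict.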
    Plugin Author Eli

    (@scheeeli)

    Thanks Dario,

    This latest threat you found was actually a new variant of one of the previous ones. All the rest were already in my definitions and I just added this one too, so they can now all be automatically fixed using my plugin.

  • The topic ‘Did not find some files that Quttera did’ is closed to new replies.