• Resolved TeoAu

    (@teoau)


    Hi, I have this “critical”. What do you suggest? How could I verify if it’s a real vulnerability?

    Thanks

    Filename: wp-content/uploads/wcuf/error.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: str_replace('DU','','cDUDUreateDU_fuDUnDUctDUion'
    
    The issue type is: Suspicious:PHP/encodedcreatefunction.6752
    Description: Encoded creation of new function via str_replace and create_function. Suspicious behavior


Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter TeoAu

    (@teoau)

    Plugin Support wfpeter

    (@wfpeter)

    Hi @teoau,

    Firstly, you can have infected files checked out by our team by dropping an email to samples @ wordfence . com with the file attached and any other relevant information such as the information you have provided here (plugin, scan result text etc.)

    Once you have downloaded the file for our analysis, I would recommend removing the file from your site from the scan results if possible. Often a malicious file will be uploaded in the hope of being able to visit the upload path directly and making PHP execute the file. The execution in your uploads folder may not have occurred so removing this before any damage is done to your wider site is highly recommended.

    There was a vulnerability patched earlier this year in this plugin, so naturally always ensure your plugins are always up-to-date and your admin accounts are protected with complex passwords, 2FA and reCAPTCHA.

    Let me know how you get on!

    Peter.

    Thread Starter TeoAu

    (@teoau)

    Thank you Peter. I removed the files and updated the plugin. I will repeat the WF scan and some other checks.

    About this, I added (to this and other websites) the “SG Site Scanner powered by Sucuri” service (I am on SiteGround). Since day 1, this scanner has never found anything in any website it is working on. In your opinion, are these infected files “not detectable” with this type of service?

    Thank you again.

  • The topic ‘Critical – “This file appears to be installed or modified by a hacker…”’ is closed to new replies.
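
The scan result in the first post matched a function name split up with a filler string and rebuilt by `str_replace`. As an added example (not part of the thread and not Wordfence's own detection code), the Python script below undoes that filler removal for literal `str_replace` calls and reports which decoded strings are names of code-executing PHP functions. The function names, the `DANGEROUS` list and the benign sample line are assumptions made for this example.

```python
import os
import re

# PHP names that run code or commands; one of these appearing only after
# decoding is the behaviour the scan result describes. The list is an assumption.
DANGEROUS = {"create_function", "eval", "assert", "system", "exec",
             "passthru", "shell_exec", "call_user_func"}

# Matches str_replace('<filler>', '', '<literal>' with either quote style. The
# closing parenthesis is not required because scanner excerpts are often cut short.
STR_REPLACE = re.compile(r"""str_replace\s*\(\s*
    (['"])(?P<filler>(?:(?!\1).)+)\1\s*,\s*
    (['"])\3\s*,\s*
    (['"])(?P<subject>(?:(?!\4).)*)\4""", re.IGNORECASE | re.VERBOSE | re.DOTALL)


def decode_hidden_names(php_source):
    """Return (filler, decoded, dangerous) for each literal str_replace that strips a filler."""
    findings = []
    for m in STR_REPLACE.finditer(php_source):
        filler, subject = m.group("filler"), m.group("subject")
        if filler in subject:  # otherwise nothing was hidden in the literal
            decoded = subject.replace(filler, "")
            findings.append((filler, decoded, decoded.lower() in DANGEROUS))
    return findings


def scan_tree(root):
    """Map each PHP file under root (e.g. an uploads directory) to its dangerous findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = [f for f in decode_hidden_names(handle.read()) if f[2]]
            if hits:
                report[path] = hits
    return report


# The matched text quoted in the scan result above (cut off in the report itself).
SCAN_EXCERPT = "str_replace('DU','','cDUDUreateDU_fuDUnDUctDUion'"
# Constructed benign line for contrast: a filler is stripped, but no function name results.
BENIGN = "$d = str_replace('-', '', '2024-01-01');"

if __name__ == "__main__":
    print(decode_hidden_names(SCAN_EXCERPT))
    print(decode_hidden_names(BENIGN))
```

A hit from `scan_tree` inside an uploads directory is a reason to pull the file for analysis, since uploads normally hold no PHP at all; an empty result does not show the directory is clean, because only literal arguments are decoded.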