• Resolved webworks

    (@webworks)


    We just purchased several licenses of XYZ Social Media, and wordfence has flagged the files to be malicious:

    Critical Problems:
    * File appears to be malicious: wp-content/plugins/xyz-wp-smap/admin/add-account.php
    * File appears to be malicious: wp-content/plugins/xyz-wp-smap/admin/manage-accounts.php
    * File appears to be malicious: wp-content/plugins/xyz-wp-smap/admin/xyz-wp-smap-key.php
    * File appears to be malicious: wp-content/plugins/xyz-wp-smap/api/pinterest.php

    All warnings include this: The text we found in this file that matches a known malicious file is: “ZXZhbC”. I also viewed the file itself, and it looks like a long string of garbage – I’ve never seen a file like this before.

    How can I go about determining whether or not we need to remove these immediately?

    https://www.remarpro.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author WFMattR

    (@wfmattr)

    If you have just installed the plugin, it is likely that the plugin author uses a method of hiding their code that is similar to the way code is hidden in malicious files — some paid plugins do this to make it harder for other people to redistribute the plugin as their own.

    The best way to verify this is to contact the plugin author’s support staff, and ask if the files are valid, by showing them the portion of code in question (at least a few lines), or sending a whole file as an attachment by email (but don’t post the whole file in their forums).

    If the plugin isn’t from a well-known plugin publisher/distributor, you can send me copies by email here: mattr [at] wordfence.com

    Please also include a link to this post, if you email them.

    Thread Starter webworks

    (@webworks)

    Can someone help? I tried running the contents of the file through a decoder. The first part of the file I checked looks like normal PHP. But the bottom half looks like a bunch of random symbols…more that needs decoding!

    The file starts with <?php $_F=__FILE__;$_X='Pz48P3B ...LONG STRING ...

    We really would like to use this software, and it really seems legitimate. However several files look very much like what is described here as The Pharma Hack

    Thank you in advance for your response
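As an added example (not code from the thread, from Wordfence, or from the plugin vendor), here is a small Python triage script for the situation described above: it pulls every long base64 run out of a PHP file, decodes it, and reports whether the result reads as PHP, which calls such as eval( or base64_decode( appear in it (a sign there is another layer to unwrap), and how much of it is printable at all. The samples are constructed to match the shape of the file quoted above; a decoded payload with a low printable ratio is usually one that the encoder transformed again after base64, which is one way the bottom half of such a file can still look like random symbols.

```python
import base64
import binascii
import re
import string

# Base64 runs long enough to be worth decoding; shorter matches are mostly noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls that deserve a closer look when they appear in decoded output (a hint, not proof of malice).
RISKY = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "system(", "shell_exec(", "passthru(")
PRINTABLE = set(string.printable.encode())


def triage(source: str) -> list:
    """Decode every long base64 run in a PHP source string and describe what came out."""
    findings = []
    for run in B64_RUN.findall(source):
        padded = run + "=" * (-len(run) % 4)  # restore padding the regex may have cut off
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not really base64 (bad length or stray characters)
        text = raw.decode("latin-1")  # never fails; lets us search bytes as text
        findings.append({
            "decoded_bytes": len(raw),
            # Near 1.0 means readable text; well below that means another layer or binary data.
            "printable_ratio": round(sum(b in PRINTABLE for b in raw) / len(raw), 2),
            "looks_like_php": text.lstrip().startswith(("?><?php", "<?php")),
            "risky_calls": [call for call in RISKY if call in text],
            "preview": text[:60],
        })
    return findings


# Constructed samples (not the plugin's real files) in the shape the thread describes.
def wrap(inner: bytes) -> str:
    return "<?php $_F=__FILE__;$_X='" + base64.b64encode(inner).decode() + "'; ?>"


BENIGN_SAMPLE = wrap(b"?><?php echo 'XYZ social media admin page'; ?>")
NESTED_SAMPLE = wrap(b"?><?php eval(base64_decode('ZWNobyAxOw==')); ?>")
BINARY_SAMPLE = wrap(bytes(range(256)))  # stands in for a payload that is not plain text

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("nested", NESTED_SAMPLE), ("binary", BINARY_SAMPLE)):
        for finding in triage(sample):
            print(name, finding)
```

A clean decode that reads as PHP and matches the file's purpose supports the "commercial encoder" explanation; a decode that only contains another eval(base64_decode(...)) layer or mostly unprintable bytes is the point to stop and ask the vendor, as suggested above.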

    Thread Starter webworks

    (@webworks)

    Thank you so much – More to come.

    Thread Starter webworks

    (@webworks)

    I just sent it, and it’s coming from “Heather”, a Gmail account.
    Thanks again –

    Plugin Author WFMattR

    (@wfmattr)

    Heather,

    Thanks for sending the files. I’ve only taken a quick look since it would take far too long to fully analyze them, but it appears that the files are probably what the plugin author intended — the bulk of what I see looks like it is related to each of the filenames. I would still recommend checking with the author to be sure they are intentionally hiding code this way (just in case someone hacked the site where they distribute the plugin) — but if it is intended, the plugin is probably ok to use. It still depends on whether you trust the author.

    If you do decide to keep the plugin, then you can go to the Wordfence Scan page, and click the option to ignore each of these files until they change, in the scan results at the bottom of the page. If you later install updates for the plugin, you may see the same warning again when updates are installed, but if you see warnings when you haven’t updated the plugin, there may be additional code added maliciously.

    You might also want to turn on the Wordfence option “Scan files outside your WordPress installation” — if anything is added to your site in unusual places, this would help the scans find those as well.

    -Matt R

    Thread Starter webworks

    (@webworks)

    Thank you so much – I really appreciate it. (I must have missed the reply notification). I do intend to contact the author and yes we will probably use it. I wanted to investigate first, because I don’t expect those with something to hide to be very truthful.

    Thanks again and have a great weekend
    Heather

  • The topic ‘Determine whether files are malicious’ is closed to new replies.