• Resolved IAmMarchHare

    (@iammarchhare)


    Sorry in advance if this is not the proper place to report this, but I have the lite version.

    I got an email this morning from DreamShield, the security folks at DreamHost, and it claims there is malicious software on my site. Specifically, formselector.es5.js is supposedly “malicious content”. I downloaded the file and the package on this site, and the files are identical. I replied to them with this info, but there hasn’t been enough time for them to respond yet. I suggest you check it out on your end, though.

    I’m not sure why literally after months of using this plugin on this host this would pop up. Looks like there is some licensing info in it, but that wouldn’t be anything new that I’m aware of.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @iammarchhare,

    Could you please share the system info of your site? For this, please go to WPForms » Tools » System Info. Also, please share the report from DreamShield.

    That way, we can investigate that “malicious content” alert.

    Thanks!

    I got the same error from DreamHost, but there weren’t many more details on it. Message below:

    We have recently scanned one or more users on your DreamHost account for potential security threats. Unfortunately, we found some potential indications that your website(s) *may* be compromised.

    We understand that this may not be the best news you can get. This notification is intended to help you through the process and serve as a starting point to assist you in getting your account cleaned and secured. While we won’t be able to complete these processes for you, if you have any questions about the items that follow please don’t hesitate to reply to this email and we will be happy to clarify any points or offer any further guidance to help you through getting your account back to normal.

    We have identified malicious content on your account, added by an outside entity, which may include malware such as backdoor shells, adware, botnet, and spammer scripts.

    The following file(s) specifically have been identified as attacker-added malware. We have DISABLED these files by setting their permissions to 200 (Owner write-only). You will need to audit these files and either replace them with known good versions or remove them altogether:

    /home/USER/SITE/wp-content/plugins/wpforms-lite/assets/js/integrations/divi/formselector.es5.js

    And, as @iammarchhare mentioned, the file I have is binary identical (according to BeyondCompare) to what is packaged in wpforms-lite.1.8.2.2.zip.

    MJ

    (@prmyapps)

    Hi @rsouzaam

    This morning, I also got the same email from Dreamshield, the DreamHost Security Bot. I am in the process of changing all my passwords, but I’m not sure what to do about the .js file they are reporting. In addition to what @iammarchhare reported, the email says:

    • …/wp-content/plugins/wpforms-lite/assets/js/integrations/divi/formselector.es5.js
    • The existence of this known attacker content indicates that your website or user password has been compromised. You or a trusted webmaster will need to determine the attack vector and then take actions to mitigate further exploits:

    How do we send you the system info?

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @dmoonfire and @prmyapps,

    Thanks for all the information!

    I’d like to let you know that this is a false positive alert, and we have already talked to the Dreamshield / Dreamhost and Sucuri teams to exclude the file from their malware scanner reports.

    I hope in the next few days you won’t see this alert anymore.

    Thanks!

    MJ

    (@prmyapps)

    Thanks for the followup @rsouzaam, that’s certainly a relief. But because the Dreamhost CSR kept urging me to remove the plugin, I already did so and am trying to move on to something very simple like VS Contact Form.

    Thread Starter IAmMarchHare

    (@iammarchhare)

    Let me also echo a thanks for getting back to us. I figured it was probably a false positive, but I wanted to wait for confirmation before changing the permissions back.

    Plugin Support Ralden Souza

    (@rsouzaam)

    Hi @iammarchhare and @prmyapps,

    Thanks for the feedback, and I’m glad I could help.

    As the definitive solution depends on the Dreamshield/Dreamhost and Sucuri teams, I’m going to go ahead and close this thread for now. I really hope in the next few days that alert will have been removed.

    But if you’d like us to assist further, please feel welcome to continue the conversation.

    Thanks!

  • The topic ‘DreamShield False Positive?’ is closed to new replies.
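
The check two posters describe above, comparing the flagged file with the copy in the official package, can be run over the whole plugin directory so that changed or unexpected files also show up. This is an added example, not part of the original thread or of WPForms; the `audit_plugin` and `demo` names, the `wpforms-lite/` top-level folder inside the zip, and the sample file contents are assumptions constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path


def audit_plugin(package_zip, install_dir, zip_root="wpforms-lite/"):
    """Byte-compare each file under zip_root (assumed archive top folder) with the installed copy."""
    install_dir = Path(install_dir)
    report = {"modified": [], "missing": [], "unreadable": [], "extra": []}
    expected = set()
    with zipfile.ZipFile(package_zip) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(zip_root):
                continue
            rel = info.filename[len(zip_root):]
            expected.add(rel)
            target = install_dir / rel
            if not target.is_file():
                report["missing"].append(rel)
                continue
            try:
                installed = target.read_bytes()
            except PermissionError:
                # A scanner may have disabled the file (e.g. mode 200, owner write-only).
                report["unreadable"].append(rel)
                continue
            if installed != zf.read(info):
                report["modified"].append(rel)
    # Files on disk that the package never shipped need a manual look.
    for path in install_dir.rglob("*"):
        rel = path.relative_to(install_dir).as_posix()
        if path.is_file() and rel not in expected:
            report["extra"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Run the audit on a constructed package and a constructed install tree."""
    js = "assets/js/integrations/divi/formselector.es5.js"
    with tempfile.TemporaryDirectory() as tmp:
        pkg, site = Path(tmp, "plugin.zip"), Path(tmp, "site")
        with zipfile.ZipFile(pkg, "w") as zf:
            zf.writestr("wpforms-lite/" + js, "/* constructed sample */")
            zf.writestr("wpforms-lite/wpforms.php", "<?php // constructed")
        (site / js).parent.mkdir(parents=True)
        (site / js).write_text("/* constructed sample */")
        (site / "wpforms.php").write_text("<?php // constructed, edited")
        (site / "dropped.php").write_text("<?php // not in the package")
        return audit_plugin(pkg, site)
```

An empty report supports a false-positive conclusion only if the zip itself was downloaded from the official plugin page for the installed version; `unreadable` entries need their permissions restored before they can be compared.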