• Resolved andreaslindgren

    (@andreaslindgren)


    Hi

    My server provider reported today that the following file in duplicator spreads harmful code.

    /wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php

    Can you check if there is something wrong with the plugin?

    There is more than one site that I have on the same server that has reported about this.

Viewing 15 replies - 1 through 15 (of 23 total)
  • kosmiq

    (@kosmiq)

    I just got the same message from my host.

    We have detected malicious PHP scripts on your webhosting package. To prevent system abuse, our system has automatically quarantined these files. This concerns the following scripts:

    shell.generic (Web shell)
    /wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php

    Existence of these scripts generally points to third parties having gained access to your webhosting package through means of e.g. stolen passwords or exploiting a vulnerability in one of the software packages you are using. We strongly recommend you check the entire webhosting package for other files that appear out of place, which our detection system might have missed.

    ge-sehen

    (@ge-sehen)

    Same here!

    Nikolaii

    (@nikolaii)

    Same situation

    masta76

    (@masta76)

    Same here!

    MarionFW

    (@marionfw)

    Same here. I removed the plugin temporarily, but would like to know what to do. I have no idea if there is any harm done to my site and don’t know how to find out about this.

    flipper1960

    (@flipper1960)

    Same here: 3 webshops

    Marc Bijl

    (@newoceans)

    Same here.

    The harmful script that has been placed in quarantine is:

    shell.generic (Webshell)
    /home/*debnr*/domains/*domain*/public_html/wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php

    xxxLesy

    (@xxxlesy)

    Same. The detection software these webhosts are using is Patchman.

    Marc Bijl

    (@newoceans)

    Indeed, my host also uses Patchman

    JenJohnston

    (@jenjohnston)

    Same exact thing going on here. Host uses Patchman as well.

    It’s not gonna be fun to do, but I’ll be going into every site and removing Duplicator until there’s a definitive answer and fix.

    ge-sehen

    (@ge-sehen)

    Same here. Just removed Duplicator from every site. As if I had nothing else to do on a Monday afternoon.

    marcmagnenat

    (@marcmagnenat)

    Is it enough to remove the plugin? If there is such a code running, wouldn’t it be safest to change all passwords of the wp-logins? I would have to do this on like 20 sites; including customer accesses…

    An answer from the developer would be helpful.

    Nikolaii

    (@nikolaii)

    Just checked. The file wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php is a core file in version 1.16. As I understand, there is no virus.

    Bob Riley

    (@bobriley)

    Also – what web hosts are you guys using and levels? (Shared/VPS/Dedicated) Thanks

    Bob

    Bob Riley

    (@bobriley)

    Hi guys, we haven’t updated the plugin in 2 weeks so we are pretty sure this is a false flag. Can someone give me detail about line number of inc.libs.js.php that is triggering the problem? Thanks

    Bob

  • The topic ‘harmful code duplicator 1.1.20’ is closed to new replies.