• Resolved andreaslindgren

    (@andreaslindgren)


    Hi

    My server provider reported today that the following file in duplicator spreads harmful code.

    /wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php

    Can you check if there is something wrong with the plugin?

    There is more than one site that I have on the same server that has reported about this.

Viewing 8 replies - 16 through 23 (of 23 total)
  • xxxLesy

    (@xxxlesy)

    We didn’t get any line number with the message. Only shell.generic (Web shell)
    /var/www/vhosts/<domain>/subdomains/<subdomain>/httpdocs/wp-content/plugins/duplicator/installer/build/assets/inc.libs.js.php
    and a generic “this could be spam, bot, hacks …” message. I will ask the host if they can provide more info.

    Personally I’m using a reseller package on a shared webhost.

    Bob Riley

    (@bobriley)

    Hi guys, to reiterate this is most likely a false flag due to detection update of Patchman. However we would like to work with individuals to resolve individual cases. Could you guys submit tickets to snapcreek.com\ticket and we’ll work with you directly. Thanks

    Bob

    P.S. When submitting a ticket, if possible please attach a copy of your inc.libs.js.php file

    jelmerverkleij

    (@jelmerverkleij)

    Hello everyone,

    My name is Jelmer Verkleij, CTO at Patchman. This issue was brought to our attention about 30 minutes ago and after some quick research we noted that these detections are the result of an error in our definition development process. All detections of the installer/build/assets/inc.libs.js.php file in the duplicator plugin folder seem to be false positives at this point. My sincere apologies for the confusion – this should of course not have happened and naturally we have immediately started looking into how and why this went wrong, and what needs to be done to prevent this from happening again in the future.

    In the meantime, we have deployed a definition update to all our Patchman customers that rolls back any automated quarantine actions that took place for these files, and retracts the associated detections. This should automatically restore all websites to their original state without problems.

    Once again, I sincerely apologize for this inconvenience, and I would like to reiterate that we are taking this matter very seriously. If you have any further questions or comments regarding this incident, please don’t hesitate to let me know here or by sending an e-mail to [email protected]. I will make sure to address each response as soon as possible.

    Best regards,

    Jelmer Verkleij
    Patchman B.V.

    Bob Riley

    (@bobriley)

    Thank you so much for resolving the issue quickly and coming onto the forum and explaining the situation. We’re all software developers so we understand how problems happen. Thanks again for your professionalism, myself, Cory and our customers appreciate it.

    Bob

    Thread Starter andreaslindgren

    (@andreaslindgren)

    Hi

    If I understood this right, the problem is now solved.

    Do you still want that we create a new ticket at snapcreek.com\ticket and upload the inc.libs.js.php file?

    Cory Lamle

    (@corylamleorg)

    Hey @andreaslindgren,

    Please no tickets to snapcreek, this is something we do not have control over. The issue resides with the detection algorithm for Patchman, which they are working to update. In the meantime you may want to contact your hosting provider to try the following:

    1. Turn off Patchman on your host until they get their new update released
    2. If possible see if Patchman can be disabled just for the Duplicator files
    3. Contact Patchman to see if they have any other possible workarounds and post them back to the forum for others who face this issue.

    Hope that helps~

    jelmerverkleij

    (@jelmerverkleij)

    Hello @corylamleorg, @andreaslindgren,

    Just to clarify, the definition update that included the rollback of these detections was already released at the time of my previous post. No manual action or workaround should be required by either you or your hosting provider at this point.

    Of course, if you do think that something is still wrong, feel free to contact us at [email protected]. However I advise you to first check in and verify whether the issue is really still present before doing so.

    Best regards,

    Jelmer Verkleij
    Patchman B.V.

    R1Law

    (@r1law)

    I’m getting the same response from my host (A2 Hosting). Patchman is throwing the flag based on phpBB. Everything seems to key on JavaScript (inc.libs.js.php). As of yesterday (11/14) the issue on Patchman service has been marked as retracted, which means: The detection has been resolved, because the file was changed (outside of Patchman) or has been removed. Most likely the end user has updated his CMS to a newer version.

    I did not intervene so this was driven by a system update or java update.

  • The topic ‘harmful code duplicator 1.1.20’ is closed to new replies.