• Resolved beachlizard

    (@beachlizard)


    Hello,

    Bitninja sent me a report for several websites that use the Really Simple SSL plugin, with the following malware: {SA-SNIPPET}PHP.Snippet.ecploit

    at this path /wp-content/plugins/really-simple-ssl/class-admin.php

    I use the latest version of Really Simple SSL plugin

    Can you check it and inform us?

    Thank you

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support Aert Hulsebos

    (@aahulsebos)

    Hi @beachlizard,

    Could you send more information to support[at]really-simple-ssl.com. For now, it doesn’t really mean anything to us, as most of these scans return false positives.

    We will have a look, but sharing more information on this forum would be unwise,

    regards Aert

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    In addition to that: There is no malware in the plugin as available on the repository.

    If you can send us the actual snippet that triggered this we can tell you if it’s a false positive, or if you need to install a fresh copy from the repository.

    Plugin Support Aert Hulsebos

    (@aahulsebos)

    This is a false positive due to existing malware infecting other files on the server. In this case, it would be advised to install all themes and plugins from their original source again, including WordPress.

    Do not use any nulled plugins, or plugins obtained from sources other than their author.

    Refer to this link for more information https://www.malcare.com/blog/wp-vcd-php-malware-removal/

    This topic will be closed.

    My hosting provider sent me the same notification on 3 websites. And now I cannot access WP-admin.

    I was dealing with the same problem yesterday. I couldn’t access wp-admin.
    Really simple ssl plugin was updated to the latest version but it was buggy. I manually downloaded the plugin from www.remarpro.com and problem is solved.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Glad to hear that installing the plugin from the repository resolved your issue. If you have any questions, let us know.

    But how can there be malware in your plugin when I always updated via wordpress admin. It can’t be a coincidence that it appeared on more than 5 sites.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    A malware injection usually comes from another plugin or theme, to hide the origin of the injection. For this reason it is always important to update all other plugins and themes on the site as well, and remove any nulled plugins as well, which are often the source of such issues.

    As you said, restoring the plugin to the original files from WordPress resolves the issue. The plugin on the repository does not contain any injected code. This means that the code has to be injected on your site.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Just had contact with BitNinja. It appears that BitNinja has a bug in their malware scanner, incorrectly reporting a malware infection in Really Simple SSL.

    We have been in contact with BitNinja and they have confirmed this is a FALSE POSITIVE and are working on a fix.
    In the meanwhile you can restore the deleted files from the BitNinja dashboard or via CLI. If you have any further questions regarding this issue you can contact BitNinja support.

    Hope this explains!

    Plugin Support Aert Hulsebos

    (@aahulsebos)

    Hi @jarvindesign,

    BitNinja falsely reporting malware in Really-Simple SSL.

    Malware scanner BitNinja is currently incorrectly reporting a malware infection in Really Simple SSL. We have been in contact with BitNinja, and they have confirmed this is a FALSE POSITIVE and are working on a fix.
    In the meanwhile, you can restore the deleted files from the BitNinja dashboard or via CLI. If you have any further questions regarding this issue, you should contact BitNinja support at: [email protected].

    Really Simple SSL support.

    Same problem here, and it does not look like a false positive. Our host sent us this warning for 3 websites: public_html/wp-content/plugins/really-simple-ssl/class-admin.php Malware {SA-SNIPPET}PHP.Snippet.ecploit
    Login to wp admin was not working (only a white blank screen). After renaming the Really Simple folder via FTP, everything started working.
    The file class-admin.php was modified and there was a lot of new code starting with this:

    <?php

    /** no direct access **/
    defined('MECEXEC') or die;
    use ICal\ICal;
    /**
     * Webnus MEC main class.
     * @author Webnus <[email protected]>
     */
    class MEC_main extends MEC_base
    {
        /**
         * Constructor method
         * @author Webnus <[email protected]>
         */
        public function __construct()
        {
        }
        /**
         * Returns the archive URL of events for provided skin
         * @author Webnus <[email protected]>
         * @param string $skin
         * @return string
         */
        public function archive_URL($skin)
        {
            return $this->URL('site') . $this->get_main_slug() . '/' . $skin . '/';
        }

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    If your host is bitninja, please contact them about this.

    Otherwise I would recommend to re-install all plugins from the repository. Please make sure all plugins, themes and WordPress are updated to the latest version.
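
The thread turns on whether the flagged class-admin.php still matches the copy shipped in the repository. The following is an added example, not part of the original thread and not code from the plugin or from BitNinja: it hashes an installed plugin directory against a clean reference copy unpacked from the official download. The directory layout and every file name other than class-admin.php are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_plugin(installed, reference):
    """Compare an installed plugin directory with a clean reference copy."""
    have, want = tree_hashes(installed), tree_hashes(reference)
    return {
        # same path, different content: the file was changed on the server
        "modified": sorted(f for f in have.keys() & want.keys() if have[f] != want[f]),
        # files the release does not ship
        "added": sorted(have.keys() - want.keys()),
        # files the release ships but the site lacks (e.g. quarantined by a scanner)
        "missing": sorted(want.keys() - have.keys()),
    }


def demo():
    """Build two constructed trees and compare them (sample data, not real plugin code)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for d in (ref, inst):
            d.mkdir()
            (d / "class-admin.php").write_text("<?php // constructed release content\n")
            (d / "readme.txt").write_text("constructed readme\n")
        (ref / "example-main.php").write_text("<?php // constructed\n")  # absent from installed copy
        with (inst / "class-admin.php").open("a") as fh:
            fh.write("class Foreign_Class {}\n")  # constructed foreign code appended
        (inst / "example-dropped.php").write_text("<?php // constructed\n")  # not in the release
        return compare_plugin(inst, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

A flagged file that does not appear under "modified" is byte-identical to the release, which points to a scanner false positive; one that does appear was altered on the server and should be replaced from the repository. On sites with WP-CLI, `wp plugin verify-checksums really-simple-ssl` performs a comparable check against WordPress.org checksums.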

  • The topic ‘Malware report from Bitninja’ is closed to new replies.