• Resolved fabthi

    (@fabthi)


    [ Moderator note: moved to Fixing WordPress. ]

    Hi all
    A few days ago I received a mail from the Network Violations department of GoDaddy, my hosting service, telling me they have detected a series of files which they say have been flagged as containing malicious malware and for which they suggest that I remove the files listed.
    This is a screenshot of some of the files listed:

    What am I supposed to do? And how can I locate those files in case I want to remove them??
    Please note that meanwhile the blog site is still running regularly, with no evident issues.
    Thanks

    • This topic was modified 8 years ago by fabthi.
    • This topic was modified 8 years ago by Jan Dembowski.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Thread Starter fabthi

    (@fabthi)

    Hi Andrew
    Both malware detection sites (Sucuri, Unmaskparasites) don’t find any malware within my blog.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Maybe worth liaising with GoDaddy about this. You could say you tried those popular scanning tools and they couldn’t find anything on the website itself.

    But for malware to exist it doesn’t have to be visible on your website.

    sinip

    (@sinip)

    If both of those sites don’t show any malware, and Google doesn’t complain either, then it might be a false positive. Had a similar experience with my Joomla! site and another hosting company. Certainly get in contact with GoDaddy and say that those sites don’t show any problems.

    barnez

    (@pidengmor)

    @fabthi

    You could also download a fresh copy of one of those themes and do a comparison between a flagged theme file in your installation and the fresh version (e.g. the functions.php file of the autofocus-lite theme). Notepad++ or similar allows you to compare code if the file is lengthy. As an aside, are you using all those themes, or just one? It would reduce the possibility of future hacks if you deleted the themes that are not in use. (*Take a file and database backup first, before any deletion*)

    whitefirdesign

    (@whitefirdesign)

    Sites like Sucuri and Unmaskparasites scan the website from the outside, so at best they can only detect malicious content being served by the website and therefore they can’t be used to rule out the possibility of malicious code in files on a website.

    Based on the fact that your web host detected malicious code in the functions.php file for numerous themes, it seems unlikely that this is a false positive as they shouldn’t all contain code that leads to a false positive. It is fairly common for hacks of WordPress websites to add code to that file in the themes installed on the website. Following barnez’s advice you should be able to take a look at one of those files and see if there has been some code added to it.

    I got the same mail from GoDaddy – reporting possible violations with several of my websites in one hosting account (most of them with the functions.php file).

    I installed the plugin Wordfence Scan and ran a scan – it pointed to the possible problem code in the functions file.

    It says the infection type is: Backdoor:PHP/get_all_links. – When I compare the functions file with a non-infected file, the text is indeed different.
    Also, even all the inactive themes have problems with the functions.php. So I guess I’ll just delete the inactive ones and find a way to fix the ones in use.
    Any suggestions?
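
The comparison suggested in the replies above (each installed theme's functions.php against a fresh download of the same theme) can be scripted when many themes are flagged. This is an added example, not code from any poster in this thread; the function names, the two-directory layout and the sample file contents are assumptions made for illustration, and the fresh copy should be the same theme version as the installed one so that legitimate updates do not show up as differences.

```python
import difflib
import tempfile
from pathlib import Path

# Constructed sample data: a small functions.php and a copy with one extra line.
CLEAN = ("<?php\nfunction theme_setup() {\n"
         "    add_theme_support('post-thumbnails');\n}\n"
         "add_action('after_setup_theme', 'theme_setup');\n")
EXTRA = "/* constructed placeholder: code added after installation */"
TAMPERED = CLEAN + EXTRA + "\n"

def added_lines(clean_text, installed_text):
    """Return (line_number, text) for installed lines absent from the fresh copy."""
    clean, inst = clean_text.splitlines(), installed_text.splitlines()
    matcher = difflib.SequenceMatcher(None, clean, inst, autojunk=False)
    found = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            found.extend((n + 1, inst[n]) for n in range(j1, j2))
    return found

def audit_themes(installed_root, fresh_root, filename="functions.php"):
    """Compare `filename` in each installed theme with the fresh download."""
    report = {}
    for theme in sorted(p for p in Path(installed_root).iterdir() if p.is_dir()):
        installed = theme / filename
        fresh = Path(fresh_root) / theme.name / filename
        if not installed.is_file():
            continue
        if not fresh.is_file():
            report[theme.name] = None  # no fresh copy: cannot verify this theme
            continue
        report[theme.name] = added_lines(fresh.read_text(errors="replace"),
                                         installed.read_text(errors="replace"))
    return report

def demo():
    """Build two constructed theme trees in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        installed, fresh = Path(tmp, "installed"), Path(tmp, "fresh")
        for name, body in (("autofocus-lite", TAMPERED), ("example-theme", CLEAN)):
            for root, text in ((installed, body), (fresh, CLEAN)):
                (root / name).mkdir(parents=True)
                (root / name / "functions.php").write_text(text)
        return audit_themes(installed, fresh)

if __name__ == "__main__":
    for theme, lines in demo().items():
        print(theme, "OK" if lines == [] else lines)
```

An empty list means the installed file matches the fresh copy; `None` means no fresh copy was available for that theme, so it could not be checked.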

  • The topic ‘Malware warning – what to do?’ is closed to new replies.