Quarantined
-
I’ve been having issues on an irregular basis over the last few months with my site loading slowly and timing out, followed by WordPress being quarantined. I have been contacting my host, HostingUK, regarding this, but they only seem to provide a very short-term solution. This morning the site has gone completely AWOL! I disabled all the nonessential plugins this morning, but that didn’t work. I reloaded the WordPress core and that hasn’t resolved it. I really need some help here!
Regards
John
-
@nudgephelps Sorry to hear about your woes with files being quarantined. It’s possible a plugin or another service had a bug that was exploited. The most important thing to do at this point is to identify and try to remove the files that were added and are being quarantined and then try to identify what may have caused the vulnerability.
Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
Thank you! I will certainly check the guide out; however, the site is working normally at the moment. Typical! I will let you know how I get on. Thanks again.
WordPress Toolkit threw this up this morning:
WordPress Toolkit has found WordPress files at the following path:
Path
/var/www/vhosts/johnnysbackyard.co.uk/httpdocs_bak
However, it does not seem that this WordPress website is working. Try restoring the website from a backup or cleaning up the redundant files.

I restored to a backup and I got this message:
WARNING: (Restore domain object 'johnnysbackyard.co.uk') Failed to restore the extension wp-toolkit: Failed to reset cache for the instance #283: WordPress Toolkit was not able to finish running an operation on this site in 60 seconds, so the operation was terminated. This could mean that your WordPress installation might be infected with malware. Check the wp-config.php file of the installation for potential malware code or run an anti-virus scan. If you cannot find any traces of malware, try running the operation again later.
I would really like someone to take a look at my site and try and rectify the problem; the issue is beyond me.
I ran an internal scan with the Quttera Web Malware Scanner plugin for WordPress. This is the report.

=======================================================================
Quttera Web Malware Scanner plugin for WordPress
Website Malware Scan Report
Scanned Website: https://johnnysbackyard.co.uk
Scan type: Internal
Report generation time: 2022-08-13 13:18
Scan launch time: 2022-08-13 12:38
Scanned files: 22163
Clean: 22161
Potentially Suspicious: 0
Suspicious: 2
Malicious: 0
© 2021 Quttera Ltd. All rights reserved. For any questions about this report: [email protected]
=======================================================================

FILE: wp-content/languages/themes/twentytwentytwo-en_GB.po
FILE_MD5: 7cdc7d54c4ec7a6d0619503e449d686d
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 7cdc7d54c4ec7a6d0619503e449d686d
THREAT_NAME: Heur.CoreFile.gen
THREAT: Modified core file...
DETAILS: Detected modified core file

FILE: wp-content/languages/themes/twentytwentytwo-en_GB.mo
FILE_MD5: 563f64c8b8f58d86848a8ce8ff05a92c
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 563f64c8b8f58d86848a8ce8ff05a92c
THREAT_NAME: Heur.CoreFile.gen
THREAT: Modified core file...
DETAILS: Detected modified core file
Hello @nudgephelps
Did you run the internal scan in high sensitivity mode? If not, please do so.
Also, please check whether wp-config.php contains any long encrypted string (which could be the infection itself).
Another step: disable plugins, as one of them could be infected. Go over the plugins directory and verify that you recognize all plugins located there.
In case one of the plugins is infected, this should help.
Next step: please switch to any default theme. If this helps the site load faster, then the infection is located in the theme sources.
OK, thanks for this. I ran the internal scan again in high sensitivity mode; here’s what it found:

=======================================================================
Quttera Web Malware Scanner plugin for WordPress
Website Malware Scan Report
Scanned Website: https://johnnysbackyard.co.uk
Scan type: Internal
Report generation time: 2022-08-14 11:35
Scan launch time: 2022-08-14 10:21
Scanned files: 22164
Clean: 22154
Potentially Suspicious: 4
Suspicious: 4
Malicious: 2
© 2021 Quttera Ltd. All rights reserved. For any questions about this report: [email protected]
=======================================================================

FILE: phpinfo.php
FILE_MD5: 53628903e3c9cf1593d4ef97067fba40
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 53628903e3c9cf1593d4ef97067fba40
THREAT_NAME: Heur.PHP.Dropper.gen
THREAT: <?php phpinfo(); ?>...
DETAILS: Generic PHP information dropper

FILE: wp-content/languages/themes/twentytwentytwo-en_GB.po
FILE_MD5: 7cdc7d54c4ec7a6d0619503e449d686d
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 7cdc7d54c4ec7a6d0619503e449d686d
THREAT_NAME: Heur.CoreFile.gen
THREAT: Modified core file...
DETAILS: Detected modified core file

FILE: wp-content/languages/themes/twentytwentytwo-en_GB.mo
FILE_MD5: 563f64c8b8f58d86848a8ce8ff05a92c
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 563f64c8b8f58d86848a8ce8ff05a92c
THREAT_NAME: Heur.CoreFile.gen
THREAT: Modified core file...
DETAILS: Detected modified core file

FILE: wp-content/plugins/woocommerce-payments/readme.txt
FILE_MD5: 6ac5aadd162a87a663fba6d5c63db48e
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
THREAT_NAME: Heur.HTML.Defacement.gen.F4248
THREAT: Fatal Error...
DETAILS: Website Potentially Defaced

FILE: wp-content/plugins/woocommerce-payments/changelog.txt
FILE_MD5: f93887562e6ac324f90fbbdab90325b3
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
THREAT_NAME: Heur.HTML.Defacement.gen.F4248
THREAT: Fatal Error...
DETAILS: Website Potentially Defaced

FILE: wp-content/plugins/wp-stats-manager/includes/wsm_cron.php
FILE_MD5: 9f586af83113716e072e2e7fdb7168b6
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: c820ee601de1cf2c2258b8494baaf844
THREAT_NAME: Heur.PHP.Redirect.gen
THREAT: <?php /* if ( ! defined( 'ABSPATH' ) ) exit; class wsmCr...
DETAILS: suspicious PHP redirection

FILE: wp-content/plugins/woocommerce-services/images/payment-logos/brazil-tef.svg
FILE_MD5: 9da2ceca8668b7155bfae1e66219657e
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: 39e187127514ba3d80daaf528521932e
THREAT_NAME: Heur.JS.Encoded.gen
THREAT: 9.16.68.06.69.08.67.12.66.16.65.18.64.22.62.25.6.28.59.3.57....
DETAILS: Malicious obfuscated JavaScript threat (JS Trojan Downloader)

FILE: wp-content/plugins/woocommerce/client/legacy/css/twenty-twenty-two.scss
FILE_MD5: 99dd499cf6c98b8829505cea502758a3
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 077ed38850a47bae3e86bec24784fd6a
THREAT_NAME: Heur.PHP.Encoded.gen.271C
THREAT: \73\73\73\73\73...
DETAILS: Potentially suspicious obfuscated PHP threat

FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/changelog.txt
FILE_MD5: 1be9d9b13d32b0bfa5257973321f4d17
SEVERITY: enPotentiallySuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 65b0f2becffb61cb9f5fba232f7b9987
THREAT_NAME: Heur.HTML.Defacement.gen.F4248
THREAT: Fatal Error...
DETAILS: Website Potentially Defaced

FILE: wp-content/plugins/woocommerce-payments/vendor/woocommerce/subscriptions-core/includes/upgrades/class-wc-subscriptions-upgrader.php
FILE_MD5: f39835da3804dd9297b51d576cc7b09a
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: b9dabf14014fb7becc2a63a6cb482a55
THREAT_NAME: Heur.PHP.Cron.gen
THREAT: delete_transient( 'doing_cron' );...
DETAILS: Cron PHP scheduler
Thank you for the provided information.
1 – Please remove phpinfo.php from the website, as it presents details of the installed PHP which could further be used for exploitation.
2 – Please send us all detected PHP files in a zip archive to support|at|quttera.com; we will investigate them and provide more details on whether the files are infected or the heuristic scanner generated a false positive.
3 – Please review all plugins, remove unused ones and update outdated ones. Also go over the wp-content/plugins directory and try to find and remove unused plugins.
4 – Replace the currently used theme with any theme provided by WordPress; if the theme is infected, this change can help to speed up the website.
5 – Here https://blog.quttera.com/post/website-malware-removal-guide-part-1-preparation/ you can find other tips which could help to identify and cure the infection.
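The two Quttera replies above ask for the same manual checks: look for long encoded strings in wp-config.php, make sure nothing unexpected lives under wp-content, and find the files the infection actually consists of. The script below is an added example written for this page; it is not part of the thread and not Quttera's or Plesk's tooling. It is plain POSIX sh so it can run over SSH on a shared host without WP-CLI. Everything it scans is a constructed fixture with dummy credentials (the paths, the sample "dropper" and the sample upload are all hypothetical); the detection patterns are generic indicators, not signatures for anything reported in this thread.

```shell
#!/bin/sh
# Added triage example (not from this thread, nor Quttera's or Plesk's code).
# Builds a constructed sample WordPress docroot and scans it for the kinds of
# indicators the replies above ask about.

# scan_wp_docroot DOCROOT [DAYS]
# Prints one "tag<TAB>path" line per finding:
#   config-encoded  wp-config.php holds a base64-looking run of 100+ characters
#   php-in-uploads  a .php file under wp-content/uploads (never legitimate)
#   obfuscation     PHP calling eval/base64_decode/gzinflate/str_rot13
#   recent          PHP modified within DAYS days (default 7); review by hand
scan_wp_docroot() {
  docroot="$1"
  days="${2:-7}"
  if [ -f "$docroot/wp-config.php" ] &&
     grep -Eq '[A-Za-z0-9+/=]{100,}' "$docroot/wp-config.php"; then
    printf 'config-encoded\t%s\n' "$docroot/wp-config.php"
  fi
  if [ -d "$docroot/wp-content/uploads" ]; then
    find "$docroot/wp-content/uploads" -type f -name '*.php' |
      awk '{ print "php-in-uploads\t" $0 }'
  fi
  find "$docroot" -type f -name '*.php' -exec grep -lE \
    '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + |
    awk '{ print "obfuscation\t" $0 }'
  find "$docroot" -type f -name '*.php' -mtime "-$days" |
    awk '{ print "recent\t" $0 }'
}

# count_tag DOCROOT TAG -> number of findings carrying that tag
count_tag() {
  scan_wp_docroot "$1" | awk -F '\t' -v t="$2" '$1 == t' | wc -l | tr -d ' '
}

# make_sample_docroot DIR: constructed fixture with dummy credentials, not a real site
make_sample_docroot() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2022/08" "$root/wp-content/plugins/demo"
  blob=$(awk 'BEGIN { while (n++ < 30) printf "aGVs"; print "" }')   # 120 chars
  printf "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_PASSWORD', 'dummy');\n" \
    > "$root/wp-config.php"
  # a hypothetical dropper appended to wp-config.php: the case Plesk's warning describes
  printf "eval(base64_decode('%s'));\n" "$blob" >> "$root/wp-config.php"
  # a hypothetical web shell in uploads; no eval, so only the location check finds it
  printf "<?php system(\$_GET['c']);\n" > "$root/wp-content/uploads/2022/08/image.php"
  printf 'binary' > "$root/wp-content/uploads/2022/08/photo.jpg"
  # a clean plugin file: flagged only as recently modified
  printf "<?php\n// Plugin Name: Demo\n" > "$root/wp-content/plugins/demo/demo.php"
}

SAMPLE="${TMPDIR:-/tmp}/wp-triage-sample.$$"
make_sample_docroot "$SAMPLE"
scan_wp_docroot "$SAMPLE"
```

Against a live site, call `scan_wp_docroot /path/to/httpdocs 3` after the morning outage and read the `recent` lines first: a file the attacker rewrites every night shows up there even when no signature fires. Each of the four tags is a lead, not a verdict, and the `recent` tag in particular is noisy right after an update or a core reload. For the "Modified core file" class of findings, the authoritative check is to compare against the published release rather than trust a heuristic: WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all` do that, and a hit on a .po, .txt or .scss file should be confirmed by diffing it against a fresh copy of the same theme or plugin version before anything is deleted.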
Thank you!!
zip file sent
I have removed the file phpinfo.php and deactivated nonessential plugins, but I’m a bit reluctant to change the theme as I don’t want that to screw any of the content up and leave me with a nightmare to untangle.
Thank you again.

I’m still having big issues! It seems that the site goes down around 5:30am to 7am each morning.
I had these messages from Plesk85.hosingUK.net:
7:10 am 2. The following WordPress installations are quarantined:
Website “Johnny’s Back Yard” (https://johnnysbackyard.co.uk/wordpress): WordPress Toolkit was not able to finish running an operation on this site in 60 seconds, so the operation was terminated. This could mean that your WordPress installation might be infected with malware. Check the wp-config.php file of the installation for potential malware code or run an anti-virus scan. If you cannot find any traces of malware, try running the operation again later.
7:13 am 1. Website “/httpdocs_bak” (https://johnnysbackyard.co.uk/_bak): Failed to reset cache for the instance #432: Error: Error establishing a database connection.

I have scanned for malware several times and refreshed the site state.
It seems that it was a few images that caused the problem. They were not showing up on the web page nor on the edit product page, so I deleted them from the edit page and went through all of the product pages and checked all the images. Quite a few were missing and just showing the placeholder error image. Now all is good and the site has had no problems for about 10 days. All I can think is that the database got screwed up and didn’t know where to put these images. But time will tell if this was the definite solution.