Recurring Modified theme image files

I’d use the scan images as executable options. It may be that the files have php code in them. On Linux systems, you can use vim to see the hidden code. I’m not sure what the windows equivalent would be (gvim seems to work ok https://www.vim.org/download.php ). I also might redownload the miaamaze theme and replacing the version you have with it.

tim

I just ran a scan recently with the ‘scan images as executable’ option selected and the image files came back. It doesn’t make that much of a difference, I am still seeing no code in the files when I click to ‘see how the file has changed’. Would restoring the files to the original version help instead of re-downloading the whole theme?

That might work, yes.

tim

Just a heads up, I used the vim command recently to see if there is any hidden code in the files and I didn’t find any. I also used the ll command on each image file to see the last time it was modified and its size. All these image files that popped up in wordfence said the issue appeared 8 hours and 30 minutes ago but the files were last modified in march 2015. Some files even before that in 2014. So it looks like it is a false positive.

Do you know what wordfence looks for in images when it scans them? Can you provide a fix for this?

Hi there!

I have been having the exact same problem for a while now. It actually only shows up when I receive my Wordfence ‘newsletter’.

Recently Modified Files

wp-content/uploads/2014/11/xxx-500×140.jpg
wp-content/uploads/2014/11/xxx-150×140.jpg
wp-content/uploads/2014/11/www-150×36.jpg

I am already using the ‘scan images as executable option’.

Looks like Wordfence is always picking up the same images. I have checked but it doesn’t seem that there is any hidden code in the files either.

When checking my FTP, it looks like the file has indeed been updated today but I have no idea why! There is also a jpg.prog version on the image. Again I have no idea what this is.

Thanks!

@puda: Are these images that you know about, that belong on your site? It’s unusual for older images to be modified, but some plugins may do it.

Can you also send me copies of the files and the “jpg.prog” version you mentioned? My email address is mattr (at) wordfence.com.

If they only show up in the email summary once every week or two, then they’re not being reported as malicious, but just as modified — but it still seems odd though. If you don’t have any plugins that would modify the images (like an image compression/optimization plugin), then there might be something strange going on.

-Matt R

Thanks Matt! I actually removed the prog files not knowing what it was. I will see if it’s coming back. I used EWWW in the past but I probably removed it a year ago. Still, the images kept being modified but not the prog file that was old. (2014)

If it comes back, I will send you the files for sure! Have you ever heard of such an issue?

Sorry yes images indeed belonged to my website. I also use WP Optimize.

I haven’t heard of an issue quite like this before, but we have seen images with malicious code in them. I’d be interested to see if the images are still modified the next time the summary email comes out, after you’ve removed that other unusual file.

-Matt R

Matt,

I just sent you a copy of the modified files. (They are back!)

Thanks ??

Thanks for sending the files — it doesn’t look like there is anything wrong with the images, and since they stopped being modified, since then, there probably isn’t any more we can find out. But if it starts happening again, let us know. Thanks!

-Matt R