• Resolved jfeaz

    (@jfeaz)


    Hi,

    My security scan shows 3 unattended files that keep reappearing in every scan even after quarantining them. The path it shows doesn’t exist on my server, or at least I can’t see it via FTP, even above the web root. Does this mean I have malware somewhere else that’s regenerating these files?

    I originally started probing because I can’t figure out how hackers kept finding my custom login URLs.

    Unattended files
    /tmp/zip-recipes/cache/32/3207ae8548c79891ac45b4b6b01f81867cef4cad0b9bba8239d98a36ebc3cf66.php Suspicious code found High 55 KB March 20, 2019, 6:37 pm
    /tmp/zip-recipes/cache/90/908eb6165ca6534469758718ac53a4c206b3dd95946d1f0c55e194d2e2549a24.php Executable code found Medium 1 KB March 20, 2019, 9:16 am
    /tmp/zip-recipes/cache/3d/3d60d9794ae7c4325ceffd6b6700863431975c694d5809b53e414e32ea29e00d.php Executable code found Medium 9 KB March 20, 2019, 6:37 pm

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    Based on the file path I can say that those files are not malware. Some of your poorly developed plugins use the temp folder for storing cache files with a PHP extension, which is weird too.

    Try to add /tmp/zip-recipes/cache/ to the “Directories to exclude” field in the scanner settings.

    Thread Starter jfeaz

    (@jfeaz)

    Thank you!

    Upon looking at the content in those PHP files, they appear to be part of a script for posting food recipes, which has nothing to do with my site at all. Is it possible they’re spoofing an innocuous plugin to hide malicious code?

    Hi @jfeaz,

    I’ve recently taken over development for Zip Recipes. These files are generated cache files for the Twig templating engine. As of the latest update these files are placed in a zip-recipes directory in the uploads folder, not in the tmp folder anymore.

    What seems very weird is that you say you don’t have the zip-recipes plugin on your site. Possibly you have had this plugin active some time ago, or you have taken over this site from someone else?

    Thread Starter jfeaz

    (@jfeaz)

    Wow, thanks for reaching out! Well, my site’s never had anything to do with recipes or food, so I’m certain I’ve never had this plugin. I’m the original owner of the site. Is the Twig templating engine possibly something another plugin has used?

    Thread Starter jfeaz

    (@jfeaz)

    Also, I should be able to find this path via FTP, right? But I can’t.

    Hi @jfeaz, it’s certainly strange you never used Zip Recipes, as the plugin name appears in the path. There are other plugins using the Twig engine, but these would not use this path.

    It should normally be possible to access this folder using FTP, but it might be above the website root. Your hosting company can help you with that.

    Plugin Author gioni

    (@gioni)

    I suspect that the hosting company screwed it up. They simply share the system temp folder among all the websites on the server. That’s why you don’t see the folder via FTP but all website code has access to it.

    As a negative consequence, you run the risk of getting your website infected if another website on the server is hacked. Believe it or not, getting hacked via a vulnerability in a hosting control panel or due to a misconfigured web server is quite normal nowadays because many hosting companies install and use server software with default settings.

    @rogierlankhorst
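
One way to check for the shared temp folder described in the reply above, as an added example that is not part of the thread or of any plugin's code: it lists the account UIDs that own entries in a temp directory and the `.php` files there that belong to other accounts. The function names are hypothetical, and it assumes shell access to the server plus a `find` that supports `-mindepth`/`-maxdepth`.

```shell
#!/bin/sh
# Added example: is this temp directory shared with other hosting accounts?
# Function names are hypothetical; the directory is whatever PHP uses as its
# temp dir (it can be printed with: php -r 'echo sys_get_temp_dir();').

# tmp_owner_uids DIR
# Prints the distinct numeric owner UIDs of the entries directly under DIR.
# More than one UID means several accounts write into the same directory.
tmp_owner_uids() (
    dir=${1:?usage: tmp_owner_uids DIR}
    [ -d "$dir" ] || exit 2
    # ls -lnd prints the numeric UID in field 3, before the file name.
    find "$dir" -mindepth 1 -maxdepth 1 -exec ls -lnd {} + 2>/dev/null |
        awk '{ print $3 }' | sort -un
)

# foreign_php_files DIR [UID]
# Prints every *.php file under DIR that is NOT owned by UID
# (default: the account running the script). Cache files such as
# /tmp/zip-recipes/cache/..../<hash>.php written by another site show up here.
foreign_php_files() (
    dir=${1:?usage: foreign_php_files DIR [UID]}
    uid=${2:-$(id -u)}
    [ -d "$dir" ] || exit 2
    # -xdev stays on one filesystem; unreadable subdirectories are skipped.
    find "$dir" -xdev -type f -name '*.php' ! -user "$uid" -print 2>/dev/null || true
)

# With a directory argument, print a short report; without one, the script
# only defines the functions.
if [ "$#" -gt 0 ]; then
    echo "owner UIDs in $1: $(tmp_owner_uids "$1" | tr '\n' ' ')"
    echo "PHP files owned by other accounts:"
    foreign_php_files "$1"
fi
```

Files reported by `foreign_php_files` are written by a different account on the same server, which is the case where excluding the directory in the scanner hides the symptom but the shared temp folder remains a matter for the hosting company.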

    Thread Starter jfeaz

    (@jfeaz)

    Wow, okay, good to know.

    Thanks, Gioni!

  • The topic ‘Unattended files reappearing’ is closed to new replies.