Host says website is infected

michelled

Many thanks in advance for your help.

I was recently informed by my web host that my site is infected; specifically, they say the file

/home4/mademer1/public_html/globalindieauthor/wp-includes/js/tinymce/utils/ossdl-cdn.php

which they say:

The malicious code detected is similar to:

Files with the following contents or MD5SUMs, which contain malicious code:

\$default_action\s*=\s*['"]FilesMan['"]\s*

When I posted on WP, I was told this was odd as there is no record of this file being affected by malware. I was also advised to check my site on Sucuri. Sucuri found nothing. When I checked via my site's file manager, the named file was not present, but it may have been removed by my host server.

 

I was nevertheless instructed to remove and replace my files:

Try downloading WordPress again and delete then replace your copies of everything except the wp-config.php file and the /wp-content/ directory with fresh copies from the download. This will effectively replace all of your core files without damaging your content and settings. Some uploaders tend to be unreliable when overwriting files, so don't forget to delete the original files before replacing them.

Problem is, when I compared the files on my site server and those in the WordPress 4.1 archive, my site had a great number of additional files. My concern was that these were added by my PageLines theme, Platform, and removing them would cause a complete malfunction of my site. I was advised that no theme should be modifying the core files and that these files may be the result of the alleged malware infection. Before I potentially destroy my website, could someone please confirm that the following files were not added by the Platform theme:

 

root directory:
fantversion.php
wp-atom.php
wp-commentsrss2.php
wp-feed.php
wp-pass.php
wp-rdf.php
wp-register.php
wp-rss.php
wp-rss2.php
wp-xmlrpc.php

wp-admin:
ajax-upload.php

wp-admin/includes:
install.php
options-reading.php

wp-admin/js:
default_folder.php

wp-admin/network:
details_up.php

wp-includes:
class-wp-smtp-bar.php
class.wp-dependencies.php
class.wp-scripts.php
class.wp-styles.php

wp-includes/certificates:
patfactory.php
tdomf-upload-functions.php

wp-includes/css:
mod_search.php
themes.php

wp-includes/js/crop:
default_ftp.php

wp-includes/js/jquery/ui:
jquery.ui.accordion.min.js
jquery.ui.autocomplete.min.js
jquery.ui.button.min.js
jquery.ui.core.min.js
jquery.ui.datepicker.min.js
jquery.ui.dialog.min.js
jquery.ui.draggable.min.js
jquery.ui.droppable.min.js
jquery.ui.effect-blind.min.js
jquery.ui.effect-bounce.min.js
jquery.ui.effect-clip.min.js
jquery.ui.effect-drop.min.js
jquery.ui.effect-explode.min.js
jquery.ui.effect-fade.min.js
jquery.ui.effect-fold.min.js
jquery.ui.effect-highlight.min.js
jquery.ui.effect-pulsate.min.js
jquery.ui.effect-scale.min.js
jquery.ui.effect-shake.min.js
jquery.ui.effect-slide.min.js
jquery.ui.effect-transfer.min.js
jquery.ui.effect.min.js
jquery.ui.menu.min.js
jquery.ui.mouse.min.js
jquery.ui.position.min.js
jquery.ui.progressbar.min.js
jquery.ui.resizable.min.js
jquery.ui.selectable.min.js
jquery.ui.slider.min.js
jquery.ui.sortable.min.js
jquery.ui.spinner.min.js
jquery.ui.tabs.min.js
jquery.ui.tooltip.min.js
jquery.ui.widget.min.js

wp-includes/js/tinymce/langs:
wp-langs-en.phtml

wp-includes/js/tinymce/plugins/colorpicker:
strspn.php

wp-includes/js/tinymce/plugins/compat3x/css:
folder.php

wp-includes/js/tinymce/plugins/fullscreen:
pdf.php

wp-includes/js/tinymce/plugins/tabfocus:
zip.php

wp-includes/js/tinymce/plugins/wpeditimage:
defines.php

wp-includes/js/tinymce/plugins/fullscreen:
DB.php

wp-includes/js/tinymce/plugins/wpgallery:
BBCode.php

wp-includes/js/tinymce/plugins/wplink:
frontpage.php

wp-includes/js/tinymce/plugins/wpview:
move.php

wp-includes/js/tinymce/skins/lightgray/fonts:
tdomf-subscribe-to-comments-widget.php

wp-includes/js/tinymce/skins/wordpress:
directory.php

wp-includes/js/tinymce/skins/wordpress/images:
dashicon-no-alt.png

wp-includes/SimplePie:
index.php

wp-includes/SimplePie/Content/Type:
nav-menu.php

wp-includes/SimplePie/HTTP:
InputFilter.php

wp-includes/SimplePie/XML/Declaration:
details_img.php
ms-users.php

wp-includes/Text/Diff:
admin.languages.html.php

wp-includes/Text/Diff/Engine:
xml_domit_xpath.php

wp-includes/Text/Diff/Renderer:
freesansbi.php

wp-includes/theme-compat:
string.php

Danny

Hi,

What version of Platform Pro were you using? For a full list of Platform Pro files, see here: https://github.com/pagelines/platformpro

Also, neither Platform Pro nor any PageLines theme changes the core files of WordPress, nor do we add additional files to WordPress. All files for our themes are in the themes folder itself.

What I would recommend is that you upgrade to DMS and also make sure that your WordPress installation is always up to date, as too are any plugins you use. Also, you will want to check that all the plugins you're using are maintained by their creator and have been updated in the last year.


Please search our forums, before posting!

michelled

Hi, my version of PageLines was 1.3.7. I will have to update it after I perform the cleanse.

WordPress, however, is the latest version, 4.1. When I updated I got an error message saying the update failed, yet when I logged out and back in again, WP said I was now up to date. But attempts to update some of the plug-ins/widgets have failed.

I do not know what DMS is (document management system?), how I can upgrade to it, or why I need to. Could you please explain?

Thank you for your help thus far. It is appreciated.

michelled

I have removed then replaced all my WP files except the wp-config.php file and the /wp-content/ directory, as directed.

My site works, but I cannot update the theme. Repeated attempts fail due to an inability to remove the old theme. Worse still, when I attempt to do so and then visit my site, I get this:

Briefly unavailable for scheduled maintenance. Check back in a minute.

A minute or so later the site comes back of its own accord.

Now what do I do?

Secondly, when I spoke with my site host about this problem they advised me to scan via Sucuri. When I did, it returned the notice that the site is infected in a totally different way:

Website Malware malware-entry-mwhjck3123?se1 http://mademers.com/404testpage4525d2fdc

Website Malware malware-entry-mwhjck3123?se1 http://mademers.com/404javascript.js.

When one clicks on the View Payload button, this is returned:

Known javascript malware. Details: http://sucuri.net/malware/malware-entry-mwhjck3123?se1

<iframe src="http://dsnextgen.com/?a_id=106367&domainname=referer_detect"

When I went to look for the 404testpage4525d2fdc and 404javascript.js files, they did not exist on my site. A call to my host also turned up nothing. They told me the iframe bit of code must be embedded in a file somewhere. I went through almost all the files on my website, but so far nothing has come up.

Is this familiar at all to you with regards to the vulnerability in Platform?

Lastly, I have only one plug-in that is not up to date, and that is WangGuard. It also fails to update properly. Do you know of any incompatibility issues with Platform?

Thank you.

Danny

As Platform Pro has been considered a legacy theme for over three years, we can't really comment on the compatibility of plugins, especially ones I have never used or heard of before.

Also, I ran a scan on your domain, which doesn't appear to be powered by WordPress at all, and that is the one that Sucuri is detecting issues with. However, if you add your domain where WordPress is installed, there is no issue.

Therefore, this doesn't appear to be an issue with your WordPress installation as far as I am aware, but with your other website that doesn't use WordPress. I think the best course of action is to speak to your web host provider and ask them to investigate further, as this really isn't something we can assist with, if the scan results from Sucuri are accurate.

Non-WordPress website - https://cloudup.com/czHaFhIQts6

WordPress powered website - https://cloudup.com/cHY_1Mtg8aE

michelled

Hi Danny,

Do you have any idea why WP cannot update the theme? It says there is an update available, but every time I attempt to update it, the update fails.

michelled

I have managed to update Platform by changing the permission for the folder, deleting the old files, and FTPing new ones. WP now says I have Platform 1.4.4. Still doesn't explain why the theme would not update automatically, but at least my problem is solved.

Time to consider a redesign.

P.S. Just found a bug: when one updates, the contents of the Secondary Sidebar disappear and are replaced by Categories and Blog Post months. To get my widgets to display, I had to go into PageLines Settings > Sidebar Options > click on "Hide Sidebar When Empty (no widgets)".

Danny

I don't believe that is a bug. If you're clicking the "Hide Sidebar When Empty (no widgets)" option, then no sidebar should be displayed. Therefore, it is likely that your widgets were removed upon updating, as WordPress only stores things like Widgets and Menus on a theme basis.

michelled

As soon as I clicked on Hide Sidebar When Empty, my original Secondary Sidebar content was restored. My Primary and Tertiary Sidebars, as well as that of footers, were fine; it was just the Secondary Sidebar that was affected by the update. Sounds like a bug to me. But what do I know?

Danny

Can you provide a screenshot of how you have your sidebars configured both in:

WordPress Admin Dashboard > Appearance > Widgets

and what you have set in your PageLines settings. Also, please bear in mind that if this is indeed a bug, it will not be fixed, as Platform Pro is no longer supported by PageLines, unless a security flaw presents itself.
