[wp-trac] [WordPress Trac] #50295: malware report

WordPress Trac noreply at wordpress.org
Mon Jun 1 16:12:06 UTC 2020


#50295: malware report
--------------------------+-----------------------------
 Reporter:  aerta         |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  5.4.1
 Severity:  critical      |   Keywords:  needs-patch
  Focuses:                |
--------------------------+-----------------------------
 Hi,
 I have had half a dozen WP sites running the Blox theme and Padma themes
 infected with malware in the last few days. The theme developers insist
 that their themes aren't the cause, and the sites are hosted in two
 separate hosting companies - who also deny vulnerability.

 Common plugins are:
 akismet, classic editor, easy smooth scroll links, foogallery, foobox
 image lightbox, GDPR cookie consent banner, google xml sitemaps, imsanity,
 jetpack, loginizer, responsive menu pro, unique title checker, velvet
 blues, wordfence, yellow pencil pro, Yoast SEO, Padma services, padma
 updater, layerslider, disable comments, disable gutenberg, mobile menu,
 really simple ssl, widget content blocks, WP latest posts, disable
 comments, layerslider WP, WP responsive menu.

 Here are the reports from Wordfence. I'd be very grateful if you could
 give me some idea how the malware is getting into these sites so that I
 can stop it happening. Thanks, John

 Critical Problems:

 * File appears to be malicious: fdrdfu.php

 * File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php

 * File appears to be malicious: ucjovrw.php
 * File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php

 * File appears to be malicious: izbymjv.php
 * File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php

 {HEX}php.cmdshell.egyspider.240 : /home/schoolof/public_html/wso2.php

 * File appears to be malicious: khrgpjrm.php
 * File appears to be malicious: wp-content/themes/bloxtheme/library/visual-editor/scripts-src/deps/ckeditor/plugins/imageuploader/doc.php

 * File appears to be malicious: doc.php
 * File appears to be malicious: ognjlj.php

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50295>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

