[Resolved] Malware notification from webhoster


  • #1295714
    generatepressuser

    Hello, I just received an email from my web host, saying that 6 PHP files are infected by malware and they blocked my website until I remove the malware. All of those 6 PHP files belong to different plugins. As you can see, the second PHP file is from GeneratePress:

    ‘Troj/PHP-CM’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/elementor-pro/modules/xfukjdis.php
    ‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/gp-premium/blog/functions/migrate.php
    ‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/woo-floating-cart-lite/xt-woo-floating-cart.php
    ‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/woocommerce/includes/class-wc-meta-data.php
    ‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/wordpress-seo/inc/indexables/validators/class-link-validator.php
    ‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-includes/customize/class-wp-customize-nav-menu-locations-control.php

    All of those plugins are up to date. Of course none of them are malware, but I just want to let you know because yours is there too. What could be the reason, any suggestion? Or do you know how I could scan those PHP files for malware?

    Thank you.

    #1295717
    Leo
    Staff
    Customer Support

    Hi there,

    It could be that your site is hacked.

    The easiest solution would be to reinstall GP Premium.

    Let me know if this helps 🙂

    #1295870
    generatepressuser

    Ah yes, I found out that inside the PHP file there was a lot more code before the original code. Strange, I mean, how could someone know the login of that domain, it's almost impossible. For now I have replaced those PHP files with a backup I had from 2 weeks ago and the site should be available again.

    I really wonder how or where that issue started. If one had access via database, or FTP, or WP login? Would be so good to know. Now I better change all passwords ^^

    Thank you.
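
Added example, not part of the original thread and not GeneratePress code: one way to check a live plugin directory against a known-good copy of the same version (a fresh download or a trusted backup). It reports files the vendor never shipped, files that changed, and changed files where the original code is still intact at the end, which is the "extra code before the original code" pattern described above. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def php_files(root: Path) -> dict:
    """Map relative path -> absolute path for every .php file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*.php")}


def compare_trees(live: Path, clean: Path) -> dict:
    """Compare a live plugin tree against a known-good copy of the same version."""
    live_files, clean_files = php_files(live), php_files(clean)
    report = {"added": [], "missing": [], "modified": [], "prepended": []}
    for rel in sorted(live_files.keys() | clean_files.keys()):
        if rel not in clean_files:
            report["added"].append(rel)  # file the vendor never shipped
        elif rel not in live_files:
            report["missing"].append(rel)
        elif sha256(live_files[rel]) != sha256(clean_files[rel]):
            report["modified"].append(rel)
            # Original still intact at the end: something was put in front of it.
            if live_files[rel].read_bytes().endswith(clean_files[rel].read_bytes()):
                report["prepended"].append(rel)
    return report


def demo() -> dict:
    """Build two small constructed trees (not real plugin code) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        original = b"<?php\n// constructed stand-in for the vendor file\n"
        for root in (clean, live):
            (root / "blog/functions").mkdir(parents=True)
            (root / "blog/functions/migrate.php").write_bytes(original)
            (root / "functions.php").write_bytes(b"<?php\n// unchanged\n")
        # Constructed tampering: placeholder bytes before the original, plus an extra file.
        (live / "blog/functions/migrate.php").write_bytes(
            b"<?php /* INJECTED PLACEHOLDER */ ?>" + original)
        (live / "xfukjdis.php").write_bytes(b"<?php /* PLACEHOLDER */ ?>")
        return compare_trees(live, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

To use it on a real site, call `compare_trees()` with the live plugin directory and an unpacked clean copy of the same plugin version; anything under "added" or "modified" should be reviewed or replaced from the clean copy.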

    #1295880
    Leo
    Staff
    Customer Support