Hello, I just received an email from my web host, saying that 6 PHP files are infected by malware and they blocked my website until I remove the malware. All of those 6 PHP files belong to different plugins. As you can see, the second PHP file is from GeneratePress:
‘Troj/PHP-CM’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/elementor-pro/modules/xfukjdis.php
‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/gp-premium/blog/functions/migrate.php
‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/woo-floating-cart-lite/xt-woo-floating-cart.php
‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/woocommerce/includes/class-wc-meta-data.php
‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-content/plugins/wordpress-seo/inc/indexables/validators/class-link-validator.php
‘PHP/WebShell-W’ in /var/www/vhosts/MYDOMAIN/httpdocs/wp-includes/customize/class-wp-customize-nav-menu-locations-control.php
All of those plugins are up to date. Of course none of them are malware, but I just want to let you know because yours is there too. What could be the reason, any suggestion? Or do you know how I could scan those PHP files for malware?
Ah yes, I found out that inside the PHP file there was a lot more code before the original code. Strange, I mean, how could someone know the login of that domain? It's almost impossible. For now I have replaced those PHP files with a backup I had from 2 weeks ago and the site should be available again.
I really wonder how or where that issue started. If one had access via the database, or FTP, or WP login? It would be so good to know. Now I'd better change all passwords ^^
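A comparison against the two-week-old backup mentioned above, as an added example that is not part of the original thread: it flags PHP files that exist only in the live tree and files where extra bytes sit in front of the unchanged original code. The function names and the file contents built in `demo()` are constructed for illustration; only the two relative paths are taken from the scan report.

```python
import tempfile
from pathlib import Path


def php_files(root: Path) -> dict:
    """Map relative path -> absolute path for every .php file under root."""
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*.php") if p.is_file()}


def compare_trees(backup_root: Path, live_root: Path) -> dict:
    """Classify live PHP files against a known-good backup copy."""
    backup, live = php_files(backup_root), php_files(live_root)
    report = {"added": [], "prepended": [], "modified": [], "missing": []}
    for rel, path in sorted(live.items()):
        if rel not in backup:
            report["added"].append(rel)  # file the backup never contained
            continue
        good, current = backup[rel].read_bytes(), path.read_bytes()
        if good == current:
            continue
        # Original code still intact at the end, extra bytes in front of it.
        if len(current) > len(good) and current.endswith(good):
            report["prepended"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(backup) - set(live))
    return report


def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        original = b"<?php\nfunction migrate() { return true; }\n"
        for root in (backup, live):
            (root / "gp-premium/blog/functions").mkdir(parents=True)
        (backup / "gp-premium/blog/functions/migrate.php").write_bytes(original)
        # Constructed stand-in for the injected code: a harmless comment.
        (live / "gp-premium/blog/functions/migrate.php").write_bytes(
            b"<?php /* INJECTED-PLACEHOLDER */ ?>" + original)
        (live / "elementor-pro/modules").mkdir(parents=True)
        (live / "elementor-pro/modules/xfukjdis.php").write_bytes(
            b"<?php /* placeholder */\n")
        return compare_trees(backup, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real site, `compare_trees` would be pointed at the extracted backup and the current `httpdocs` directory; anything listed under `added` or `prepended` deserves a manual look before the backup itself is trusted.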