Hi,
I’ve manually downloaded a plugin and ran it through VirusTotal and 2 of them were triggered.
Bkav: VEX.Webshell
Cyren: Trojan.TOCH-41
Can you please check and confirm this is just a false alarm?
https://www.virustotal.com/#/file/be238e89c77a380733222ca3f973a52b92553b8299f90931a8a3400ad264ced4/
Thanks!
WARNING!
When I tried to download the plugin, the Windows Defender found a trojan named Win32/Sprisky.U!cl in the zipfile and quarantained it.
Detected in container file: classic-editor.1.4.zip
Detected in classic-editor/js/block-editor-plugin.js
I hope this is a false positive, but I am not taking any risks.
I downloaded this plugin and it did what it was supposed to do but it also gave me trojan that infected my site as well as another 10 or so sites on the same hosting account. It also redirected my site to a malicious site.
I deleted this plugin as well as a couple of others I thought might be the cause of the virus that I had downloaded at the same time and cleaned up the mess and got it off all of my sites.
The sites remained clean for about a week and a half, and then after second guessing what had infected the sites, I tried downloading the plugin again. Immediately after download, I ran a scan with WordFence and found the virus was back.
Don’t download. You will get a virus if you do.
FILE: wp-content/plugins/appful/singletons/api.php
FILE_MD5: 052d258ad9b3771a61d6ee8856717e88
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: ff4de7a1abea2095a747d235b4c08680
THREAT_NAME: Trojan.PHP.Shell.gen.13c
THREAT: <?php class Appful_API { var $wpml; function __construct…
DETAILS: malicious PHP shell
FILE: wp-content/plugins/appful/singletons/api.php
FILE_MD5: 052d258ad9b3771a61d6ee8856717e88
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: 052d258ad9b3771a61d6ee8856717e88
THREAT_NAME: Trojan.PHP.Shell.gen.22a
THREAT: <?php class Appful_API { var $wpml; function __construct…
DETAILS: Detected malicious PHP shell
Can’t visit the demo site because it’s blocked as a malicious site with trojans. So I’m gonna pass on even looking at this one.
Just had this alert appear
Trojan:JS/Foretype.A!ml
Alert level: Severe
Date 01/12/2020 14:23
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items
\woocommerce-admin\dist\data\index.min.js
Any ideas why this might alert my AV?
Has anyone experienced this before? I got a notification from Wordfence that twice someone from Germany had requested a password change for the above site. I didn’t worry too much as the email comes to me. However, I decided to sign in to make sure all was well, and my password didn’t work! I was able to request a password change and change it to a new password and I scanned it and found some back door trojan and deleted it. But I’m a bit freaked out how they were able to change the password.
I’m glad I was notified and have access to the cpanel if anything had gone wrong and back up all my sites often. I’ve also tried hiding the login section but that didn’t slow anyone down from finding the admin username or the place they were to sign in either.
How could they change the password without getting the email? Everything is up to date apart from the WordPress version, I’ve updated the theme and the plugins, I’m just waiting a week or so before updating WordPress as I have a lot of sites to do and I want to be sure that the plugins have had a chance to update and fix bugs.
Is there another plugin I should be using on all my sites that is priced so I can protect all of my sites?
Hello,
I was unable to download Pods from the WP repository since I encountered an issue with my desktop anti-malware software (Emsisoft). The download didn’t complete and I received the following message from the Emsisoft prompt window:
“Malware “Trojan.GenericKD.45613828 (B)” detected and blocked on behalf of chrome.exe”
Not sure if this was a false positive, but it would be great if you could check. I will add that initially I attempted to update the plugin (from a fairly old version) on a local development site and it caused several errors. I changed the plugin folder name to access the WP Dashboard and attempted to replace the Pods plugin folder content manually with a fresh download from the repository. That’s when Emsisoft blocked the download.
Love Pods, been using it for quite some time.
Thank you,
Miguel
https://medicarequick.com/new-to-medicare-checklist-landing/
Hello,
I need help with this page. Whenever I access this page on our site a warning message pops out saying, WEBSITE BLOCKED DUE TO TROJAN (Website blocked: www.landpage.co)
Can someone please help me resolve this problem? Thank you in advance.
I’m interested in your plugin, however when I went to your demo site my web anti-virus detected and blocked what it believes is a Trojan. Is this an issue with the demo site itself or the plugin?
Name: Trojan-Downloader.JS.Agent.oms
Precision: Exactly
Threat level: High
Object type: File
Object name: country-select.min.js?ver=5.1.0
Object path: https://demo.flycart.org/woo-discount-rules/demo1619700111/wp-content/plugins/woocommerce/assets/js/frontend
MD5: 20C744DF0572B693CD5ABC0D9B200996`
Hi guys,
Everytimes I have tried to login in my website(admin) my antivirus gave me the alert of Trojan.Cryxos.
If I connect to my website there is no problem.
Here below some alert.
https://pozie.co.za/wp-includes/js/tinymce/tinymce.min.js?ver=49110-2020111
https://pozie.co.za/wp-includes/js/tinymce/langs/wp-langs-en.js?ver=49110-20201110
https://pozie.co.za/wp-includes/js/tinymce/plugins/compat3x/plugin.min.js?ver=49110-20201110
https://pozie.co.za/wp-includes/js/wp-embed.min.js?ver=5.7.1
https://pozie.co.za/wp-includes/js/wplink.min.js?ver=5.7.1
https://pozie.co.za/wp-includes/js/wplink.min.js?ver=5.7.1`
How can I solve it?
Hi there,
Today when I opened a post on my website, I received prompt from Avast that connection has been aborted from the CDN URL of my website because it found it infected with Script:SNH-gen [Trj]
When I looked further, I found this in the URL field of Avast — /wp-content/plugins/contact-form 7/includes/js/index.js?ver-5.4.1
Is this a false positive alert? Or did someone inject the virus through contact form? But file upload was not allowed on the contact form.
I didn’t ever face any such issue. The contact form 7 is also installed on my other websites.
As of now, I deleted contact form 7 and scanned the website from several tools but couldn’t find any problem. I also tried sucuri plugin and it was saying the site is safe.
Should I be worried about this? Is this a known vulnerability?
My WordPress and contact form 7 were both running on the latest version at the time of the issue.
The file
/wp-content/plugins/wpcf7-redirect/build/js/wpcf7-redirect-frontend-script.js
Threat: HTML:Phishing-BVN [Trj]
Type: Trojan
I have reported it to AVG as possible false positive, and asked for manual review, but wanted you to be aware of this issue
O plugin da melhor envio está com o trojan denominado JS:Trojan.Cryxos faz quase um mês, e mesmo eu entrando em contato com o suporte e tendo provado isso por diversas vezes, o plugin continua disponível para download com o Trojan. Meu site foi retirado do ar cinco vezes pela wordpress.com e chegou a ter 645 arquivos contaminados por esse malware.
Yeah, sorry, but that’s really bullshit. Subscription model for a crummy SEO plugin would be bad enough, but the fact that it installs a secondary plugin – “MonsterInsights” – without asking is the mark of a scammer. What else did it install, or will it install in the future? A backdoor, perhaps? Will it perhaps add content to my site without telling me?
No, thanks. Do not trust this developer!
Hello,
WordFence (free version) did not prevent and did not locate malware in index.php in the root. I restored my site’s files and recovered successfully.
Would you like the file for your signature dev team?
There doesn’t seem to be anywhere on your site to upload a file like this.
Thank you,
John
Al intentar actualizar en local el plugin: Elementor Header & Footer Builder 1.6.12.
Windows Defender detecta y elimina el fichero
Detectado: Trojan:Script/Wacatac.B!ml
Fecha: 12/07/2022 12:11
Detalles: Este programa es peligroso y ejecuta comandos de un atacante.
Elementos afectados:
File:…Temp\header-footer-elementor.1.6.12-fwtnKz.tmp
Hello.
It seems that Bitdefender detects wpsd-front.js script as trojan:
https://i.postimg.cc/QNqkpmMj/trojan.png
but that’s a false positive, because the content of the script is this:
(function(window, $) {
// USE STRICT
"use strict";
//$('ul#wpsd_donate_amount li:first-child').addClass('active');
$('ul#wpsd_donate_amount li.amount').click(function() {
$('ul#wpsd_donate_amount li').removeClass('active')
$(this).addClass('active');
var wpsdRadioVal = $(this).data("amount");
if (wpsdRadioVal !== undefined) {
$("#wpsd_donate_other_amount").val(wpsdRadioVal);
}
});
var form = document.getElementById('wpsd-donation-form-id');
var stripe = Stripe(wpsdAdminScriptObj.stripePKey);
var elements = stripe.elements();
var wpsdDonateAmount = 0;
var style = {
base: {
color: wpsdAdminScriptObj.card_element_color,
'::placeholder': {
color: wpsdAdminScriptObj.card_element_color,
},
}
};
var card = elements.create('card', {
hidePostalCode: true,
style: style,
});
if (form != null) {
card.mount("#card-element");
card.addEventListener('change', ({ error }) => {
const displayError = document.getElementById('card-errors');
if (error) {
displayError.textContent = error.message;
} else {
displayError.textContent = '';
}
});
form.addEventListener('submit', function(e) {
e.preventDefault();
var wpsdShowCheckout = true;
if ($("#wpsd_donate_other_amount").val() == '') {
$('#card-errors').show('slow').addClass('error').html('Amount Missing');
$("#wpsd_donate_other_amount").focus();
return false;
}
if ($("#wpsd_donate_other_amount").val() !== '') {
wpsdDonateAmount = $("#wpsd_donate_other_amount").val();
}
if (($("#wpsd_donation_for").val() == '') || ($("#wpsd_donation_for").val() == null)) {
$('#card-errors').show('slow').addClass('error').html('Please Enter Donation For');
$("#wpsd_donation_for").focus();
return false;
}
if ($("#wpsd_donator_name").val() == '') {
$('#card-errors').show('slow').addClass('error').html('Please Enter Name');
$("#wpsd_donator_name").focus();
return false;
}
if ($("#wpsd_donator_email").val() == '') {
$('#card-errors').show('slow').addClass('error').html('Please Enter Email');
$("#wpsd_donator_email").focus();
return false;
}
if (!wpsd_validate_email($("#wpsd_donator_email").val())) {
$('#card-errors').show('slow').addClass('error').html('Please Enter Valid Email');
$("#wpsd_donator_email").focus();
return false;
}
if ($("#wpsd_captcha_content").val() == '') {
$('#card-errors').show('slow').addClass('error').html('Capcha Missing!');
$("#wpsd_captcha_content").focus();
return false;
}
if ($("#wpsd_captcha_content").val() != $("#wpsd_captcha_content_check").val()) {
$('#card-errors').show('slow').addClass('error').html('Wrong Capcha Number!');
$("#wpsd_captcha_content").focus();
return false;
}
// Address Processing
var address = [{
'address_street': $('#wpsd_address_street').val(),
'address_line2': $('#wpsd_address_line2').val(),
'address_city': $('#wpsd_address_city').val(),
'address_state': $('#wpsd_address_state').val(),
'address_postal': $('#wpsd_address_postal').val(),
'address_country': $('#wpsd_address_country').val()
}];
//var address = $.serialize(address);
if (wpsdShowCheckout) {
$("#wpsd-pageloader").fadeIn();
$.ajax({
url: wpsdAdminScriptObj.ajaxurl,
type: "POST",
dataType: "JSON",
cache: false,
data: {
action: 'wpsd_donation',
name: $("#wpsd_donator_name").val(),
email: $("#wpsd_donator_email").val(),
amount: wpsdDonateAmount,
donation_for: $("#wpsd_donation_for").val(),
currency: wpsdAdminScriptObj.currency,
idempotency: wpsdAdminScriptObj.idempotency,
security: wpsdAdminScriptObj.security,
stripeSdk: wpsdAdminScriptObj.stripe_sdk,
address: address
},
success: function(response) {
if (response.data.status === 'success') {
stripe.confirmCardPayment(response.data.client_secret, {
payment_method: {
card: card,
billing_details: {
name: $("#wpsd_donator_name").val(),
email: $("#wpsd_donator_email").val(),
}
}
}).then(function(result) {
if (result.error) {
$("#wpsd-pageloader").fadeOut();
$('#card-errors').text(result.error.message);
} else {
if (result.paymentIntent.status === 'succeeded') {
afterPaymentSucceeded($("#wpsd_donator_email").val(), wpsdDonateAmount, $("#wpsd_donation_for").val(), $("#wpsd_donator_name").val(), wpsdAdminScriptObj.currency, $("#wpsd-comments").val(), address);
}
}
});
}
if (response.data.status === 'error') {
$("#wpsd-pageloader").fadeOut();
$('#card-errors').show('slow').removeClass('success').addClass(response.data.status).html(response.data.message);
}
}
});
}
});
}
$("#wpsd-donation-form-id input[type='radio']").on("click", function() {
var wpsdRadioVal = $(this).val();
if (wpsdRadioVal !== undefined) {
$("#wpsd_donate_other_amount").val(wpsdRadioVal);
}
});
$('#wpsd_donate_other_amount').on('keyup', function(e) {
$("#wpsd-donation-form-id input[type='radio']").prop("checked", false);
if (/^(\d+(\.\d{0,2})?)?$/.test($(this).val())) {
$(this).data('prevValue', $(this).val());
} else {
$(this).val($(this).data('prevValue') || '');
}
});
function wpsd_validate_email($email) {
var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,6})?$/;
return emailReg.test($email);
}
function afterPaymentSucceeded(email, amount, donateFor, name, currency, comments, address) {
$.ajax({
url: wpsdAdminScriptObj.ajaxurl,
type: "POST",
dataType: "JSON",
data: {
action: 'wpsd_donation_success',
email: email,
amount: amount,
donation_for: donateFor,
name: name,
currency: currency,
comments: comments,
address: address
},
success: function(response) {
if (response.status === 'success') {
var url = new URL(wpsdAdminScriptObj.successUrl);
url.searchParams.set('donation', 'success');
window.location.href = url.href;
}
if (response.status === 'error') {
$('#card-errors').show('slow').removeClass('success').addClass(response.status).html(response.message);
}
}
});
}
// searchable dropdown select
$('div.wpsd-form-item-half-right select#wpsd_address_country').selectize({
sortField: 'text'
});
})(window, jQuery);WP Featured Content and Slider won’t let me skip the sharing of “non-sensitive data” to essentialplugin.com. It says it’s okay to skip, but when you press the Skip button, nothing happens. I can’t try out the plugin, because it won’t let me past this point. Please advise.
Local install of woo, tried to update to current version and Windows Defender blocked Trojan:Win32/Email.A!cl