Home Forums Weaver Xtreme Theme quttera virus scanner and weaver theme

This topic contains 4 replies, has 2 voices, and was last updated by  Weaver 6 months, 2 weeks ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
  • #54764


    hello –

    a couple of weaver-theme scripts are setting off alerts in quttera virus scanner.

    has anybody else ran into this?

    they can be whitelisted of course, but i wanted to check here first.





    Did you do an internal or extrenal scan?

    I tried an internal scan, and it found some “issues” in core WP, some other plugins, other themes, but nothing at all from Weaver.

    Could you be more specific what was included in your reports?

    But there are no known issues with Weaver’s code for the theme or associated plugins.



    hello, and once again, thank you for your prompt reply.

    i ran the internal scan, and this file came up as suspect:   weaver_xplus_actions.php

    however, i ran it through virustotal.com and nothing showed up, as expected.

    strangely, very little information is showing up.  i have just un-whitelisted it again and am running internal-scan once again, but this time i will provide more information.



    i am fighting one of the nastiest viruses i have ever come across.  it turns out to be some sort of self-propagating ‘bit-coin’ miner.  clamav didn’t even catch it, nor did virustotal.com  this virus is changing the main index.php file, so i temporarily changed the ownership of it to root and gave it a 444 protection.  hopefully whatever process is altering that file will trigger an entry in the error-log file.

    the virus does not appear to be doing any harm, except for sucking up cpu cycles and occasionally contacting an IP number in France.  out of desperation, i wrote a little bash-shell script that sweeps memory, killing it, deleting the temporary file (which passes clamav test, but not virustotal) and firewall blocking whatever addresses the virus tries to connect to.

    bruce, i know what you are thinking:  capture the output and steal the bitcoin.  excellent idea…





    here are two using an internal scan:

    Severity: enPotentiallySuspiciousThreatType
    File: /wp-content/plugins/weaver-xtr/…/weaver_xplus_actions.php
    File signature: ed1d8c7474698b20abd3435801fa2463
    Threat signature: 5656f7d290a32293cb4dedc780325afd


    Severity: enMaliciousThreatType
    File: /wp-content/themes/weaver/wvr-includes/wvr-globals.php
    File signature: 80263e031a9e5b2f1dbedcced1f2cb2f
    Threat signature: c691d42b9443e4e94be31791f99ecac0
    Threat: <?php define(‘we
    Details: Potentially Malicious obfuscated PHP threat




    How strange.

    Well, you are running the very very old version of Weaver that is being scanned. Are you even using it as your question was about Weaver Xtreme?

    But the first warning doesn’t give enough info.

    The second one with a higher severity says the threat is part of a VERY save and ordinary piece of PHP code that has long been the theme.

    That ‘we is where the message cuts off, and is actually ‘weaver…..

    So it is definitely a false alarm.

    I’m assuming you’ve gotten some virus on your server? One thing to try would be to hope it is not any kind of sql attack.

    I would save my database, delete unused plugins, reinstall all the plugins. Then reinstall wordpress. That should replace essentially every running file.

    Be sure there isn’t anything in your  wp-config.php that should be there. Also, check the .htaccess file.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.