May 26, 2018 at 01:56 UTC - Views: 26 #54764
a couple of weaver-theme scripts are setting off alerts in quttera virus scanner.
has anybody else run into this?
they can be whitelisted of course, but i wanted to check here first.
May 26, 2018 at 06:39 UTC - Views: 20 #54766
Did you do an internal or external scan?
I tried an internal scan, and it found some “issues” in core WP, some other plugins, other themes, but nothing at all from Weaver.
Could you be more specific what was included in your reports?
But there are no known issues with Weaver’s code for the theme or associated plugins.
May 26, 2018 at 17:36 UTC - Views: 18 #54774
hello, and once again, thank you for your prompt reply.
i ran the internal scan, and this file came up as suspect: weaver_xplus_actions.php
however, i ran it through virustotal.com and nothing showed up, as expected.
strangely, very little information is showing up. i have just un-whitelisted it again and am running internal-scan once again, but this time i will provide more information.
i am fighting one of the nastiest viruses i have ever come across. it turns out to be some sort of self-propagating ‘bit-coin’ miner. clamav didn’t even catch it, nor did virustotal.com. this virus is changing the main index.php file, so i temporarily changed the ownership of it to root and gave it a 444 protection. hopefully whatever process is altering that file will trigger an entry in the error-log file.
the virus does not appear to be doing any harm, except for sucking up cpu cycles and occasionally contacting an IP number in France. out of desperation, i wrote a little bash-shell script that sweeps memory, killing it, deleting the temporary file (which passes clamav test, but not virustotal) and firewall blocking whatever addresses the virus tries to connect to.
bruce, i know what you are thinking: capture the output and steal the bitcoin. excellent idea…
May 26, 2018 at 18:47 UTC - Views: 11 #54777
here are two using an internal scan:
Severity: enPotentiallySuspiciousThreatType
File: /wp-content/plugins/weaver-xtr/…/weaver_xplus_actions.php
File signature: ed1d8c7474698b20abd3435801fa2463
Threat signature: 5656f7d290a32293cb4dedc780325afd
Threat:
Severity: enMaliciousThreatType
File: /wp-content/themes/weaver/wvr-includes/wvr-globals.php
File signature: 80263e031a9e5b2f1dbedcced1f2cb2f
Threat signature: c691d42b9443e4e94be31791f99ecac0
Threat: <?php define(‘we
Details: Potentially Malicious obfuscated PHP threat
May 26, 2018 at 20:07 UTC - Views: 8 #54779
Well, you are running the very very old version of Weaver that is being scanned. Are you even using it as your question was about Weaver Xtreme?
But the first warning doesn’t give enough info.
The second one with a higher severity says the threat is part of a VERY safe and ordinary piece of PHP code that has long been in the theme.
That ‘we is where the message cuts off, and is actually ‘weaver…..
So it is definitely a false alarm.
I’m assuming you’ve gotten some virus on your server? One thing to try would be to hope it is not any kind of sql attack.
I would save my database, delete unused plugins, reinstall all the plugins. Then reinstall wordpress. That should replace essentially every running file.
Be sure there isn’t anything in your wp-config.php that should be there. Also, check the .htaccess file.