Question: Imunify has detected malware

Hielko

New Pleskian
Server operating system version: Ubuntu 20 with an ESM license
Plesk version and microupdate number: 18.0.74 Update #3
We have received 3 e-mails from Imunify saying it has detected malware. Two e-mails mention the wp-monitor.php file in the httpdocs/wp-content/mu-plugins directory of the vhosts. The third mail mentions the functions.php in the httpdocs/wp-content/themes directory of the vhost. I checked the dates on those files and the files are not new. The last file is very old. So I wonder why Imunify now reports on those 3 files. In the e-mails there are no details on the malware, only that the files are malicious.

Are we talking about false positives or a real threat?
 
Hi,

Do you have a backup from where you can extract those 3 files? If you do, compare the files to see if you have injected code.

Did you also run a manual scan?
 
I performed a manual scan on the file httpdocs/wp-content/themes/terrifico/functions.php and again it's marked as Infected. In the reason column it states SMW-INJ-19302-php.bkdr.fakeadmin-1. I can delete the file, but I think it will break the website.
 
"The last file is very old. So I wonder why Imunify now reports on those 3 files."

It could be that the specific vulnerabilities found in those files were only recently added to the Imunify database.

The Imunify documentation provides some details on the malware classification convention they are using, which can help you better determine what type of malware is present. Based on the malware identifier you posted (SMW-INJ-19302-php.bkdr.fakeadmin-1) it looks like the file possibly contains code for a fake (WordPress) admin backdoor which has been injected into the file.

There is an Imunify blog article about cleaning malware manually that might be useful for you: Manual malware cleanup
 
Ok. I'll have a look at it. We have a lot of user accounts on this Plesk server. How can I find a fake admin backdoor? Apart from the e-mails about the malware, at the moment we don't have any issues with the Plesk server, and the admin account we use is protected with 2FA.
 
Hi,

The functions.php file contains the malicious code. You can restore the file from an available backup, replace it with the functions.php from the theme package or try to remove the malicious code manually.

Removing the file will break the WordPress theme.
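The two checks suggested in this thread (compare the flagged functions.php against a pristine copy from the theme package or a backup, and look at what sits in mu-plugins, which WordPress loads without any activation step) can be scripted. The script below is an added example for Ubuntu with GNU coreutils; it is not code from the thread, from Plesk or from Imunify. The directory layout, the theme name "terrifico" taken from the poster's path, the file contents and the appended "injected" lines are all constructed for the demo, and the placeholder lines are harmless text, not real malware. The administrator listing at the end assumes wp-cli is installed and is not part of the offline demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, Plesk or Imunify): triage a flagged
# WordPress theme file against a pristine copy and inventory mu-plugins.
# Everything under make_demo is constructed sample data.
set -eu

# Print lines that exist in the flagged file but not in the pristine copy.
# grep -v -x -F -f: drop every line that exactly matches a line of the
# pristine file. Whole-line comparison exposes an appended or inserted
# block; it will not show an edit made inside an existing line, so follow
# up with `diff -u pristine flagged` before cleaning by hand.
injected_lines() {
    pristine="$1"; flagged="$2"
    grep -vxF -f "$pristine" "$flagged" || true
}

# List every regular file in mu-plugins. WordPress runs anything in this
# directory automatically, so a file you did not put there deserves a look
# even if its mtime is old: mtime is trivially forged with touch, which is
# one reason an old date does not rule out a recent injection.
mu_plugin_inventory() {
    find "$1" -type f | sort
}

# Enumerate administrator accounts with wp-cli (needs wp-cli and database
# access, so it is not exercised by the offline demo). Compare the logins
# and e-mail addresses with the ones you expect; an account created by a
# backdoor shows up here as an administrator you do not recognise.
list_wp_admins() {
    wp --path="$1" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered
}

# Build a throwaway layout: a pristine theme copy (as unpacked from the theme
# package) and the vhost's flagged copy with a constructed block appended.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/pristine/terrifico" \
             "$root/httpdocs/wp-content/themes/terrifico" \
             "$root/httpdocs/wp-content/mu-plugins"
    printf '%s\n' '<?php' '// Theme functions (constructed)' \
        'add_action("init", "theme_setup");' \
        > "$root/pristine/terrifico/functions.php"
    {
        cat "$root/pristine/terrifico/functions.php"
        printf '%s\n' '/* constructed placeholder for an injected block */' \
                      'add_action("init", "injected_handler");'
    } > "$root/httpdocs/wp-content/themes/terrifico/functions.php"
    # Empty stand-in for the mu-plugins file named in the poster's e-mails.
    : > "$root/httpdocs/wp-content/mu-plugins/wp-monitor.php"
    echo "$root"
}

root=$(make_demo)
echo "== lines present only in the flagged functions.php =="
injected_lines "$root/pristine/terrifico/functions.php" \
               "$root/httpdocs/wp-content/themes/terrifico/functions.php"
echo "== mu-plugins inventory =="
mu_plugin_inventory "$root/httpdocs/wp-content/mu-plugins"
rm -rf "$root"
```

On a real vhost, point the first argument of injected_lines at functions.php from a freshly downloaded copy of the same theme version (or from a backup taken before the alert) and the second at the file under httpdocs; the printed lines are the candidate injection. Cleaning means removing exactly those lines or restoring the pristine file, as the reply above says, rather than deleting functions.php outright.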
 