Question: Imunify has detected malware

Hielko

New Pleskian
Server operating system version: Ubuntu 20 with an ESM license
Plesk version and microupdate number: 18.0.74 Update #3
We have received 3 e-mails from Imunify saying it has detected malware. Two e-mails mention the wp-monitor.php file in the httpdocs/wp-content/mu-plugins directory of the vhosts. The third mail mentions the functions.php in the httpdocs/wp-content/themes directory of the vhost. I checked the dates on those files and the files are not new. The last file is very old. So I wonder why Imunify now reports on those 3 files. In the e-mails there are no details on the malware, only that the files are malicious.

Are we talking about false positives or about a real threat?
 
Hi,

Do you have a backup from where you can extract those 3 files? If you do, compare the files to see if you have injected code.

Did you also run a manual scan?
 
I performed a manual scan on the file httpdocs/wp-content/themes/terrifico/functions.php and again it's marked as Infected. Below the reason column it states SMW-INJ-19302-php.bkdr.fakeadmin-1. I can delete the file but I think it will break the website.
 
The last file is very old. So I wonder why Imunify now reports on those 3 files.
It could be that the specific signatures matching those files were only recently added to the Imunify database.

The Imunify documentation provides some details on the malware classification convention they are using, which can help you better determine what type of malware is present. Based on the malware identifier you posted (SMW-INJ-19302-php.bkdr.fakeadmin-1), it looks like the file possibly contains code for a fake (WordPress) admin backdoor which has been injected into the file.

There is an Imunify blog article about cleaning malware manually that might be useful for you: Manual malware cleanup
 
Ok. I'll have a look at it. We have a lot of user accounts on this Plesk server. How can I find a fake admin backdoor? Apart from the e-mails on the malware at the moment we don't have any issues with the Plesk server and the admin account we use is protected with 2FA.
 
Hi,

The functions.php file contains the malicious code. You can restore the file from an available backup, replace it with the functions.php from the theme package or try to remove the malicious code manually.

Removing the file will break the WordPress theme.
 
I have copied both reported malware files to my Windows PC and performed a scan on them using ESET (which we use to protect our Windows PCs). The scan reported there were no infections.
 
The injected code might not be detected as malicious by a PC antivirus. However, the malicious code can potentially be used to execute arbitrary code on your website. That is why I suggested comparing it against an older version of the same file.
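The comparison suggested in this thread (live functions.php against the copy from a backup or from the original theme package) is easy to automate. The following Python script is an added example, not code from the thread or from Imunify; the file contents are constructed, and the appended block is only a placeholder standing in for whatever was injected. It reports every line present in the suspect file but absent from the clean copy, which is exactly the set a reviewer has to look at.

```python
import difflib
import hashlib
from pathlib import Path

# Constructed sample: a minimal clean theme functions.php ...
CLEAN_FUNCTIONS_PHP = """<?php
function terrifico_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'terrifico_setup');
"""

# ... and the same file with a block appended (placeholder, constructed for this example).
SUSPECT_FUNCTIONS_PHP = CLEAN_FUNCTIONS_PHP + """// constructed placeholder standing in for an injected block
add_action('init', 'injected_placeholder');
function injected_placeholder() { /* placeholder body, constructed for the example */ }
"""


def sha256_text(text: str) -> str:
    """Hash a file's content so identical files can be confirmed without a diff."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def injected_lines(clean_text: str, suspect_text: str) -> list[tuple[int, str]]:
    """Return (line_number, text) for each line in the suspect file that is not in the clean copy.

    Both inserted blocks and in-place modifications ('replace' opcodes) are reported,
    numbered by their position in the suspect file.
    """
    clean = clean_text.splitlines()
    suspect = suspect_text.splitlines()
    matcher = difflib.SequenceMatcher(a=clean, b=suspect, autojunk=False)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                added.append((j + 1, suspect[j]))
    return added


def unified_report(clean_text: str, suspect_text: str, name: str = "functions.php") -> str:
    """Produce a unified diff (backup vs live) suitable for pasting into a ticket."""
    return "\n".join(
        difflib.unified_diff(
            clean_text.splitlines(),
            suspect_text.splitlines(),
            fromfile=f"backup/{name}",
            tofile=f"live/{name}",
            lineterm="",
        )
    )


def compare_files(clean_path: str, suspect_path: str) -> list[tuple[int, str]]:
    """Convenience wrapper for real files, e.g. a restored backup and the vhost's live copy."""
    clean_text = Path(clean_path).read_text(encoding="utf-8", errors="replace")
    suspect_text = Path(suspect_path).read_text(encoding="utf-8", errors="replace")
    if sha256_text(clean_text) == sha256_text(suspect_text):
        return []  # byte-identical: nothing was injected
    return injected_lines(clean_text, suspect_text)


if __name__ == "__main__":
    for lineno, text in injected_lines(CLEAN_FUNCTIONS_PHP, SUSPECT_FUNCTIONS_PHP):
        print(f"line {lineno}: {text}")
    print(unified_report(CLEAN_FUNCTIONS_PHP, SUSPECT_FUNCTIONS_PHP))
```

Lines the script reports are candidates, not a verdict: a theme that was legitimately customised after the backup will also show up, so each added line still needs a human look. Conversely, an unchanged modification date proves nothing, since timestamps on a file can be set to anything after the content is altered, which is why the content comparison rather than the file date is the useful check here.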
 
Ok. I'll have a look at it. We have a lot of user accounts on this Plesk server. How can I find a fake admin backdoor? Apart from the e-mails on the malware at the moment we don't have any issues with the Plesk server and the admin account we use is protected with 2FA.
I think you misunderstood my previous post. I wasn't referring to a backdoor in Plesk, but to the (possible) backdoor in the WordPress installation you're running that Imunify alerted you about.

I have copied both reported malware files to my Windows PC and performed a scan on them using ESET (which we use to protect our Windows PCs). The scan reported there were no infections.
Imunify and the ESET security suite for PCs both serve very different purposes. Imunify is created specifically for server environments to detect all kinds of malware types hosted on servers. ESET on the other hand is just a PC virus scanner. It focuses on threats specifically for PCs. For what it's worth, I have ESET installed on my Windows laptop too and it has never recognized any of the infected files I found on my servers. I don't expect it to either; that is what I am using Imunify for.
 