Malware found in Envira Gallery

Hi there

Re: http://www.jeanpaulmartinon.nightingalewebsites.co.uk/

I am using Wordfence and just discovered that a file in Envira contains suspected malware called “http://www.vonio.ed/tablets” here:
URL: wp-content/plugins/envira-gallery/src/Utils/Mobile_Detect.php

This is a very new website (this is the development site) and I have also just discovered the main site: http://jeanpaulmartinon.net/ has this same malware.

Please advise me what I can do - I have no idea how the malware would have got in in the first place!

Many thanks
Sam

I have the same problem this morning. I deleted the file and it killed my whole site. Removed Envira and clean installed it, did another Wordfence scan and it picked up the same file. I thought it was a hacker but now I’m not so sure. Any feedback would be much appreciated.

Hi @agentnightingale,

Thanks for reaching out.

I checked the content of the file wp-content/plugins/envira-gallery/src/Utils/Mobile_Detect.php and there is nothing there related to http://www.vonio.ed/tablets. Maybe your site is already infected and it is just infecting other files such as Mobile_Detect.php. That’s just my assumption. Would you mind providing the file Mobile_Detect.php? I’ll compare it to my copy. Please upload it to any file sharing site like Dropbox, then provide the download URL in your reply.

And if possible, please provide your admin login credentials in a secure note so we could check the Wordfence logs about it.

@Cean, please start a new thread and link it here, and then provide the URL and credentials in a secure note too.

Thanks!

Hi Rad

I will send you a secure note with login details.

I copied the wp-content/plugins/envira-gallery/src/Utils/Mobile_Detect.php file from my server and you can access it here: https://www.dropbox.com/sh/rd4jspp29ocdn23/AADXaE1TfbqH7fQThGSaLWdKa?dl=0

This is also a link to the file that Wordfence indicates is infected: http://www.jeanpaulmartinon.nightingalewebsites.co.uk/?_wfsf=view&nonce=03e3b7c13f&file=wp-content%2Fplugins%2Fenvira-gallery%2Fsrc%2FUtils%2FMobile_Detect.php

Thanks for the help.
Sam

Hey Sam,

The Mobile_Detect.php file you posted has no differences from the one I have on my test site, so there’s no malicious code inserted in it.

I installed Wordfence on my test site and did a scan and got the same result though.

This could be a false positive since Mobile_Detect.php includes some device detection code which is not necessarily bad. This could be a false assumption by Wordfence, so please contact Wordfence support to notify them too.

I’ll also post this to our issue tracker for review. That is the only thing we can do as support regarding this matter.

Please stay tuned.

Thanks.

Many thanks for the update and very good to know there is no malicious code.

I really hope this is just a false positive in that case.

All the best
Sam

You’re most welcome!

I got the same problem this morning. It is actually the following comment line in the file (line #382) which is:

// Vonino Tablets - http://www.vonino.eu/tablets

It seems this website has been classed recently by Google safesearch as potentially containing malware. But that does not mean the file in Envira gallery is corrupt or hacked in any way. You can just click ignore on the Wordfence scan for that report.
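The check described in the post above (is the flagged URL only inside a comment, or is it also in a string or in executable code?) can be done mechanically. This is an added example, not part of the thread and not Envira or Wordfence code; the function names and the PHP sample are constructed, and the lexer is a simplification that does not model heredoc/nowdoc, PHP 8 `#[attributes]` or inline HTML.

```python
# Added example: classify where a scanner-flagged URL occurs in a PHP file.
# Simplified lexer (assumption): //, #, /* */ and quoted strings only.
LABEL = {"code": "code", "line": "comment", "block": "comment",
         "sq": "string", "dq": "string"}
QUOTE = {"'": "sq", '"': "dq"}

def contexts(src):
    """Return the lexical context (code/comment/string) of every character."""
    out, state, i = [], "code", 0
    while i < len(src):
        ch, two, step = src[i], src[i:i + 2], 1
        here = state                      # context this character belongs to
        if state == "code":
            if two == "//" or ch == "#":
                state = here = "line"
            elif two == "/*":
                state, here, step = "block", "block", 2
            elif ch in QUOTE:
                state = here = QUOTE[ch]
        elif state == "line":
            if ch == "\n":
                state = "code"
        elif state == "block":
            if two == "*/":
                state, step = "code", 2
        elif ch == "\\":                  # escaped character inside a string
            step = 2
        elif QUOTE.get(ch) == state:      # matching closing quote
            state = "code"
        out.extend([LABEL[here]] * len(src[i:i + step]))
        i += step
    return out

def classify_hits(src, needle):           # -> [(line_number, context), ...]
    ctx, hits, pos = contexts(src), [], src.find(needle)
    while pos != -1:
        hits.append((src.count("\n", 0, pos) + 1, ctx[pos]))
        pos = src.find(needle, pos + 1)
    return hits

def comment_only(src, needle):
    hits = classify_hits(src, needle)
    return bool(hits) and all(c == "comment" for _, c in hits)

NEEDLE = "http://www.vonino.eu/tablets"      # URL quoted in the thread
# Constructed sample input, not the real Mobile_Detect.php contents.
SAMPLE = ("<?php\n// Vonino Tablets - http://www.vonino.eu/tablets\n"
          "$t = array('VoninoTablet' => 'placeholder-pattern');\n")
TAMPERED = SAMPLE + "$u = 'http://www.vonino.eu/tablets';\n"   # constructed
```

A `string` or `code` hit is the case that warrants comparing the file against a clean copy of the plugin, as was done earlier in this thread.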

Hi,

Thanks for that info.

Have a nice day!
