Malware/Virus found in Cornerstone File

Hey guys,

Not sure if this is any fault of yours or someone got into our site but wanted to send it your way just in case. I installed a fresh copy of X Theme:

Our systems performed a routine malware/virus scan on your account and
unfortunately located infected/malicious files. We’ve automatically moved
the infected file(s) out of your public_html directory into a safe,
quarantined directory. Below is the file our scanners were able to locate:

/home/grammysm/public_html/kayaclinics.org/wp-content/themes/x/framework/plugins/cornerstone.zip
(quarantined to /home/hawkinfected/cxsuser/grammysm/cornerstone.zip.1513300406_1) ClamAV

Hi there,

I’m sorry to hear you’re running into this. This is something we’ve seen a few cases of today. After investigating, we’ve found this to be a false positive with the ClamXAV scanner.

That file (cs-vendor.js) contains all of the JavaScript dependencies needed for Cornerstone’s Ember.js application. It’s not dangerous, but does have some advanced data manipulation libraries, including client-side base64 encoding/decoding. Similar technology is used by viruses that wish to obscure data, so I can see why a false positive may be occurring. I’ve reached out to ClamXAV to add the file to their whitelist.

Bests,

Thank you! Good to know that it will be fixed.

You’re welcome.

Any update on status?

Hey There,

Thanks for updating this thread. Please check out this thread:

We will post a news update once we hear from ClamXAV.

Regards.

Is there a recommended workaround on this in the meantime?

Hello There,

Thanks for updating this thread. If the server detects that there is malware, the first thing it does is to delete the file from the server. What you can do is to upload it back again. You may do the following:
1.) Go to your dashboard (https://theme.co/apex/dashboard)
2.) Download the .zip file for a fresh copy of the theme.
3.) Unzip the .zip file and browse to /x/framework/plugins/ and you will find cornerstone.zip.
4.) Unzip cornerstone.zip and browse to the folder cornerstone/assets/dist-app/js/cs-vendor.js/
5.) Upload this file to your server by logging in to your FTP. You can browse to the folder wp-content/plugins/cornerstone/assets/dist-app/js/

Hope this helps.
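
Before re-uploading or asking a host to whitelist the flagged file, it is worth confirming that the copy on the server is byte-identical to the one in a fresh theme download. The following is an added example, not part of the original thread and not Themeco's code: it hashes `cs-vendor.js` inside the nested `cornerstone.zip` and compares it with the deployed file. The two archive paths come from the steps above; the helper names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Paths taken from the steps in the thread.
INNER_ZIP = "x/framework/plugins/cornerstone.zip"
VENDOR_JS = "cornerstone/assets/dist-app/js/cs-vendor.js"


def reference_digest(theme_zip):
    """SHA-256 of cs-vendor.js inside the nested cornerstone.zip.

    theme_zip is a path or binary file object for the fresh theme download.
    A missing member raises KeyError, which also signals an unexpected package.
    """
    with zipfile.ZipFile(theme_zip) as outer:
        nested = io.BytesIO(outer.read(INNER_ZIP))
    with zipfile.ZipFile(nested) as inner:
        return hashlib.sha256(inner.read(VENDOR_JS)).hexdigest()


def matches_vendor_copy(theme_zip, deployed_bytes):
    """True only if the deployed file is byte-identical to the packaged one."""
    return hashlib.sha256(deployed_bytes).hexdigest() == reference_digest(theme_zip)


def build_sample_theme(js_bytes):
    """Constructed stand-in for the theme download, with the same nesting."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as inner:
        inner.writestr(VENDOR_JS, js_bytes)
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr(INNER_ZIP, inner_buf.getvalue())
    outer_buf.seek(0)
    return outer_buf


if __name__ == "__main__":
    clean = b"/* constructed sample */ var b64 = window.atob;"
    tampered = clean + b"\n/* appended by someone else */"
    print(matches_vendor_copy(build_sample_theme(clean), clean))     # True
    print(matches_vendor_copy(build_sample_theme(clean), tampered))  # False
```

With a real download, pass the path of the theme .zip as `theme_zip` and the bytes of the server's `cs-vendor.js` as `deployed_bytes`; a mismatch means the deployed file should not be whitelisted as-is.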

The files are intact/uploaded. Still not working.

Hi there,

It will not work if your host’s anti-virus or security keeps deleting it. Hence, the additional step is to temporarily disable your hosting’s anti-virus/security. Or contact your hosting provider and exclude/whitelist that file. I’m just not sure if they can do that, but you may still contact them.

Thanks!

They aren’t deleted. What is the status of the ClamXAV situation? I don’t have the functionality I need to make this work, and I’m out of time. Should I go to another theme provider?

I’m sorry, we’ve not heard back from ClamAV on the matter yet.

To follow up on our suggestions above: Did you ask your host to whitelist the file, or did you try manually installing the plugin?

I reuploaded the .js files manually per the step-by-step from RueNel.

Hi There,

If you’re still having this issue after uploading the file manually, you need to contact your hosting provider and ask them to ignore/white-list this file from the virus scanner.

Thanks!