Website compromised via cornerstone

Hello
My hosting provider has suspended my website and says that it has been compromised via the following files:

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/themes/x/framework/cornerstone.zip
{CAV}Sanesecurity.Malware.27490.XmlHeur.Actx :

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/plugins/cornerstone/assets/dist-app/js/cs-vendor.js

My husband also uses X/Cornerstone for his website and has had the same issue.
As of this morning, all of my plugins were up to date.

I need to get in touch with my hosting provider to regain access to my WP dashboard. When I regain access, what should I do to remove these files and replace them with the correct ones? Do these files relate to the most up-to-date Cornerstone plugin or are they old ones?

Thanks very much
Mimi

Hi Mimi,

Thanks for writing in! I’m sorry to hear that you’re having this issue. It could be a false positive alarm as well.

Is it possible to upload the infected files cs-vendor.js and cornerstone.zip, so that we can investigate the issue further? You can use a third-party service like this (https://uploadfiles.io/) to upload and share your files.

Thanks!

Thanks
Link to the files is here:
https://ufile.io/e1jiq

I’ve run a Wordfence scan and no malware was detected.
What should I do? Can I delete these files? Do I need to reinstall anything?

Thanks!
Mimi

Hello Mimi,

I’m sorry to hear you’re running into this. After investigating, we’ve found this to be a false positive with the ClamXAV scanner.

That file (cs-vendor.js) contains all of the JavaScript dependencies needed for Cornerstone’s Ember.js application. It’s not dangerous, but does have some advanced data manipulation libraries, including client-side base64 encoding/decoding. Similar technology is used by viruses that wish to obscure data, so I can see why a false positive may be occurring. We’ve reached out to ClamXAV to add the file to their whitelist.

Thank you for your understanding.

Thanks so much for checking that.
My hosting co. also found an issue with the cornerstone theme zip file www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/themes/x/framework/cornerstone.zip
{CAV}Sanesecurity.Malware.27490.XmlHeur.Actx :

I think I sent that to you as well (at least, I tried to!) - did you check that one as well?

Thanks again
Mimi

Hello

I’ve spoken to my hosting company again and they have given me the following info:

"Hi,
Thanks for your patience. We’ve performed another malware check; unfortunately, the results show the site as infected still.

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/themes/x/framework/cornerstone.zip

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/plugins/cornerstone/assets/dist-app/js/cs-vendor.js

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/updraft/plugins-old/cornerstone/assets/dist-app/js/cs-vendor.js

/www1/0f4/www.relaxedmindtherapy.co.uk/web/wp-content/updraft/themes-old/x/framework/cornerstone.zip

As a last resort we can perform a clean up on the files; however, it may break the website. If you want this done, it’s very important to get a backup of the site"

I have forwarded on your response re: the cs-vendor.js file but have not yet heard whether they are happy with that yet.
Can you let me know about the others? I’m assuming they are all in the .zip file I sent over.

My husband also has an X theme site with the same host and his website has also been suspended by them, so it’s not just affecting me.

Thanks
Mimi

Hello Mimi,

cs-vendor.js is in the cornerstone.zip file. The zip file is in the theme files because it is a bundled plugin. Simply ask your hosting to whitelist these files, as they do not contain any malware. And by the way, please make sure that you have updated to the latest version, which is X theme 6.3.8 and Cornerstone 3.3.8.

Hope this helps.
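
An added example, not part of the original thread or the vendor's code: one way to support a false-positive claim with the host is to show that each flagged cs-vendor.js on the server is byte-identical to the copy inside a cornerstone.zip obtained fresh from the vendor (an assumption; the zip already sitting on the flagged server is not a trustworthy reference). The function names and the sample data in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def bundle_digests(zip_path, filename):
    """SHA-256 of every archive member whose base name equals `filename`."""
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if not info.is_dir() and Path(info.filename).name == filename:
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def check_installed(zip_path, installed_paths):
    """Map each installed file to True if it is byte-identical to a
    same-named member of the reference archive, else False."""
    results = {}
    for p in map(Path, installed_paths):
        known = set(bundle_digests(zip_path, p.name).values())
        on_disk = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
        results[str(p)] = on_disk in known
    return results


def demo():
    """Constructed sample: one untouched copy and one modified copy."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        ref = d / "cornerstone.zip"  # stands in for a fresh vendor download
        body = b"/* vendor bundle */\n"
        with zipfile.ZipFile(ref, "w") as zf:
            zf.writestr("cornerstone/assets/dist-app/js/cs-vendor.js", body)
        good = d / "plugins" / "cs-vendor.js"
        bad = d / "plugins-old" / "cs-vendor.js"
        for f, data in ((good, body), (bad, body + b"extra();\n")):
            f.parent.mkdir(parents=True)
            f.write_bytes(data)
        res = check_installed(ref, [good, bad])
        return res[str(good)], res[str(bad)]


if __name__ == "__main__":
    print(demo())
```

A `False` result means the file differs from the reference release (an older version, or a modified file) and should be replaced from the vendor package rather than whitelisted.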

Thanks very much - will let the hosting co know and hope that this satisfies them!
Mimi

You’re most welcome!
