A new malware infection campaign was identified by Sal Aguilar. Because the malware comes back after automated scans, a thorough manual cleanup is recommended, followed by a firewall setup.
Try our Free site check.
Cleanup steps:
- Back up the site (web files and database) before running any tools;
- Check whether other sites are hosted on the same server or account: a compromised neighbour can reinfect a cleaned site;
- For each site, review the core folders, plugins and themes;
- Re-install the core files and all site components from clean sources and bring them up to date;
- Review the admin user list, FTP accounts and cron jobs for entries you did not create;
Malicious files and folders:
/wp-content/plugins/WordPressCore/
/wp-content/plugins/WordPressCore/crypto.txt
/wp-content/plugins/wp-doft/
/wp-content/plugins/WordPressCore/include.php
/wp-links.php
/wp-includes/theme.php
/wp-admin/network/upfile.php
/simple.php
/class.api.php
/wp-signup.php
Other files detected: admin-ajax.php (in the root folder), css.php, qb.js.php.
Note that wp-signup.php and wp-includes/theme.php are genuine core files that were modified in this campaign: compare them against a clean copy of the same WordPress version rather than deleting them. admin-ajax.php, on the other hand, belongs only in /wp-admin/; a copy in the web root is not part of WordPress.
Malicious URLs:
https://bsc-dataseed1.binance.org
https://stats-best.site/fp.php
https://reedx51mut.com/ZgbN19Mx
https://cdn.ethers.io/lib/ethers-5.2.umd.min.js
https://ojhggnfbcy62.com/vvmd54/
https://98ygdjhdvuhj.com/ZgbN19Mx
bsc-dataseed1.binance.org (a public Binance Smart Chain RPC endpoint) and cdn.ethers.io (the ethers.js library CDN) are legitimate services; they are listed because the injected code loads them, so treat them as indicators of the crypto-stealing payload rather than as domains to block outright.
Malicious IPs:
109.248.206.49
109.248.206.118 (AS203493)
95.214.24.51 (AS211252)
94.156.6.221 (AS211252)
193.42.33.53 (AS211252)
New #WordPress #Malware #Infection #campaign pushing fake #plugins with name:
WordPressCore
wp-doft
Look at your logs for requests against:
/wp-content/plugins/WordPressCore/
/wp-content/plugins/wp-doft/
Top 3 IPs looking for these are:
95.214.24.51
94.156.6.221
193.42.33.53
— Sal Aguilar (@riper81) September 21, 2023
Server logs:
103.176.152.33 - - [22/Sep/2023:07:40:54 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 67 "https://.net/wp-admin/post.php?post=3704&action=edit&app=uxbuilder&type=media" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
45.140.207.73 - - [25/Sep/2023:05:29:54 +0000] "GET /wp-content/plugins/WordPressCore/include.php HTTP/1.1" 200 217 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
The second entry is the telling one: a 200 response for the planted include.php confirms the file was present on the server and being called from outside, not merely probed for.
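The log check the tweet asks for, as an added example (not code from the post or from Sal Aguilar): parse combined-format access logs, flag requests for the planted paths and requests from the IPs named above, and distinguish a probe (404) from a confirmed infection (200). The sample input reuses the two log entries shown above plus two constructed lines; function names and the path/IP lists are assumptions for the example.

```python
import re

# Indicators taken from the post: planted paths and the source IPs named in it.
# Core file names that also appear in the post (wp-signup.php, admin-ajax.php,
# wp-includes/theme.php) are deliberately left out: they are legitimate URLs on
# every WordPress site and only a file-content comparison can tell them apart.
IOC_PATH_PREFIXES = (
    "/wp-content/plugins/WordPressCore/",
    "/wp-content/plugins/wp-doft/",
    "/wp-links.php",
    "/wp-admin/network/upfile.php",
    "/simple.php",
    "/class.api.php",
)
IOC_IPS = {
    "109.248.206.49", "109.248.206.118",
    "95.214.24.51", "94.156.6.221", "193.42.33.53",
}

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """List the reasons an entry is interesting; an empty list means nothing seen."""
    reasons = []
    if entry["ip"] in IOC_IPS:
        reasons.append("source IP named in the campaign")
    path = entry["path"].split("?", 1)[0]
    if any(path.startswith(p) for p in IOC_PATH_PREFIXES):
        reasons.append("request for a planted path")
        if entry["status"] == "200":
            # A 200 means the path exists on this server: the site is infected,
            # not merely being probed.
            reasons.append("served with 200: the planted file is present")
    return reasons


def scan(lines):
    """Return (ip, path, status, reasons) for every line that raised a reason."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], entry["status"], reasons))
    return hits


# Sample input: the two entries shown in the post (straight quotes), followed by
# two constructed lines: a probe from one of the named IPs that got a 404, and an
# ordinary page view that must not be flagged.
SAMPLE_LOG = [
    '103.176.152.33 - - [22/Sep/2023:07:40:54 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 67 '
    '"https://.net/wp-admin/post.php?post=3704&action=edit&app=uxbuilder&type=media" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"',
    '45.140.207.73 - - [25/Sep/2023:05:29:54 +0000] "GET /wp-content/plugins/WordPressCore/include.php HTTP/1.1" 200 217 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"',
    '95.214.24.51 - - [20/Sep/2023:11:02:13 +0000] "GET /wp-content/plugins/wp-doft/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2023:09:15:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {status} {path}: {'; '.join(reasons)}")
```

Run it against a real access log with `scan(open("access.log"))`; a 404 for a planted path from a named IP is the pre-infection scan, while a 200 for one of those paths is the point at which the site should be treated as compromised.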
Identifying whether a WordPress plugin is malicious can be challenging, but several checks help assess a plugin's trustworthiness: compare the plugin folder's dates with the date of your last clean backup, review the plugin code for obfuscation or code-execution constructs, run a malware scanner, and compare the current plugin list with the one from a previous backup.
Need help?
Ask for a site check.