
Issue: Database Malware or False Positive?

Gene Steinberg

Regular Pleskian
Server operating system version: AlmaLinux 9.3
Plesk version and microupdate number: Version 18.0.58 Update #2
Riddle me this: After switching to a new Plesk server, and installing the paid version of Plesk Email Security, I began seeing one of my WordPress databases, which is sent via email as a backup via a WP add-on, being flagged as having a virus and it was quarantined.

The warnings:

INFECTED, message contains virus: Porcupine.Phishing.52261.UNOFFICIAL

Or:

INFECTED, message contains virus: sigs.InterServer.net.HEX.Topline.include.of.malware.wp-vcd.php.358.UNOFFICIAL

Unfortunately, the extension doesn’t have a “clean” function.

The extension that does, the paid version of ImmunifyAV, finds nothing. The WP backup add-on keeps databases inside a Backups folder in the WP-Contents folder, so they should be available for scanning.

I tried a couple of additional Plesk antivirus extensions, including Warden Anti-spam and Virus Protection.

Only the ones that use ClamAV reported a problem. Not any of the others.

I also scanned the WordPress installation with half a dozen malware/firewall protection add-ons, the first ones when you do a search for them on the WordPress site. They found a handful of possibly suspicious files, but nothing related to the database.

Plesk support provided the following insights:

“The sigs.InterServer.net.HEX.Topline.include.of.malware.wp-vcd.php.358.UNOFFICIAL detection indicates that in the database there is a parameter set to include the malware file wp-vcd.php into pages of the WordPress website, as described on this page. This malware also goes by the names wp-feed.php, mplugin.php, ccode.php, and wp-tmp.php.”

Indeed, one of the tables had instances of the wp-feed.php. I deleted the commands with those references. I checked for the other file names listed above, and did not find them.

All the searches of that database show zero matches.

Please note: I had Plesk Email Security installed on a previous server which developed an OS problem and was removed from service two weeks ago. It didn’t report a problem then. I also restored a copy of the database from a backup server that was a month old. Same problem, even though it never showed up before.

Is this a false positive from ClamAV? I can’t confirm it anywhere else. This database, in its original form, dates back to 2005. I also tried exporting and importing into a blank database, same problem. Over the years, in transferring to new hosts or servers, this and my other databases have been backed up and restored several times at the least. The others test OK.

Answers anyone?

Peace,
Gene
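A way to triage a detection like this yourself, as an added example that is not part of the original thread and not a Plesk, ImmunifyAV or ClamAV tool: a short Python script that walks a mysqldump-style SQL export line by line and reports every row that references one of the wp-vcd family file names Plesk support listed, together with the table the row belongs to. Checking for the hex-encoded form of each name as well is an assumption drawn from the "HEX" in the signature name, not documented behaviour of that signature. The sample dump is constructed for the example.

```python
import re

# File names Plesk support (quoted above) associates with the wp-vcd family.
WP_VCD_FILENAMES = ("wp-vcd.php", "wp-feed.php", "mplugin.php", "ccode.php", "wp-tmp.php")

# mysqldump writes one "INSERT INTO `table` VALUES (...),(...);" per line, so the
# most recent INSERT tells us which table a later hit on that line belongs to.
INSERT_RE = re.compile(r"INSERT\s+INTO\s+[`\"]?(\w+)[`\"]?", re.IGNORECASE)


def indicators():
    """Yield (label, needle) pairs: each file name in plain text and as the
    lowercase hex a byte-wise encoding would produce (assumption, see lead-in)."""
    for name in WP_VCD_FILENAMES:
        yield name, name.lower()
        yield name + " (hex)", name.encode("ascii").hex()


def scan_sql_dump(dump_text, context=40):
    """Return one finding per (line, indicator) hit as a dict with the line
    number, the table of the enclosing INSERT, the indicator and some context."""
    findings = []
    table = None
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)
        lowered = line.lower()          # case-insensitive match, hex included
        for label, needle in indicators():
            pos = lowered.find(needle)
            if pos == -1:
                continue
            start = max(0, pos - context)
            end = min(len(line), pos + len(needle) + context)
            findings.append({
                "line": lineno,
                "table": table,
                "indicator": label,
                "context": line[start:end],
            })
    return findings


def tables_hit(findings):
    """Sorted list of distinct tables that produced at least one finding."""
    return sorted({f["table"] for f in findings if f["table"]})


# Constructed sample export, not a real WordPress dump. Row 1234 of wp_options
# carries a PHP snippet that includes wp-feed.php; a postmeta row carries the
# hex encoding of "wp-vcd.php" (77702d7663642e706870).
SAMPLE_DUMP = r"""-- Constructed sample, not a real WordPress export
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.invalid','yes'),(2,'blogname','Demo site','yes');
INSERT INTO `wp_options` VALUES (1234,'_hook','<?php if (file_exists(dirname(__FILE__).\'/wp-feed.php\')) include(\'wp-feed.php\'); ?>','yes');
INSERT INTO `wp_posts` VALUES (1,'Hello world','Welcome to WordPress. This is your first post.');
INSERT INTO `wp_postmeta` VALUES (7,1,'_payload','77702d7663642e706870');
"""


if __name__ == "__main__":
    # Usage on a real file: python scan_dump.py < backup.sql (read sys.stdin
    # instead of SAMPLE_DUMP); here we run it on the constructed sample.
    for f in scan_sql_dump(SAMPLE_DUMP):
        print(f"line {f['line']:>5}  table {f['table']:<12} {f['indicator']:<18} ...{f['context']}...")
    print("tables hit:", tables_hit(scan_sql_dump(SAMPLE_DUMP)))
```

Run it against the export before and after deleting the rows in question; if it comes back empty but ClamAV still flags the file, the signature body itself tells you what is being matched. The `.UNOFFICIAL` suffix marks a third-party signature database rather than ClamAV's own, and `sigtool --find-sigs='wp-vcd' | sigtool --decode-sigs` on the server that runs ClamAV prints the matched pattern so you can grep the dump for exactly that byte sequence.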
 
An update:

I downloaded an export of the database to my iMac and ran the latest Intego VirusBarrier (rated 4.8 stars at App Store) on the drive. No malware found.

???

Peace,
Gene
 
Ditto for ClamAV for macOS.

Also said my drive was clean, even with two database dumps from the "infected" database included.

False positive then?

Peace,
Gene
 