Hidden Plugin Folder|Files (HPF) Alert

  • #39453
    Pablo Parrado
    Participant

    Hello!
    I received this alert Hidden Plugin Folder|Files (HPF) Alert and I deleted the files via FTP but they keep showing up.
    I activated a plugin and then I got these two files showing up even if I delete them. Can I place them in quarantine or delete them for good somehow? This is my alert message :

    BPS Hidden Plugin Folder|Files (HPF) Alert
    An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the HPF Ignore Rule shown below in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
    File Path: xxxx/wp-content/plugins/mplugin.php
    HPF Ignore Rule: mplugin.php
    Last Modified Time: 19 octobre 2020 @ 22h45
    Last Change Time: 19 octobre 2020 @ 22h45
    Last Access Time: 19 octobre 2020 @ 22h40

    And the other one :

    BPS Hidden Plugin Folder|Files (HPF) Alert
    An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the HPF Ignore Rule shown below in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
    File Path: xxxxx/wp-content/plugins/admin_ips.txt
    HPF Ignore Rule: admin_ips.txt
    Last Modified Time: 19 octobre 2020 @ 22h40
    Last Change Time: 19 octobre 2020 @ 22h40
    Last Access Time: 19 octobre 2020 @ 22h40

    Any help is very appreciated!
    Thanks in advance!

    #39454
    AITpro Admin
    Keymaster

    Sounds like the plugin that is automatically creating these files needs them for something.  What is the name of the plugin?  I’ll test it to see what the files are for.  If the files are legitimate and not malicious you would just create an HPF ignore rule for both of these files.

    #39456
    Pablo Parrado
    Participant

    I don’t know where they come from, I installed 8 of them. They are definitely malicious.

    #39457
    AITpro Admin
    Keymaster

    Send me the files so I can check them > info at ait-pro dot com.

    #39458
    AITpro Admin
    Keymaster

    Jeez opening your zip file was like opening a Russian Babushka doll.  LOL  What I wanted was the 2 files that were being created in the /plugins/ folder > mplugin.php and admin_ips.txt.  It will take me a while to test all the plugins you sent to me in your Babushka zip file.  😉  I will either reply later today or tomorrow after testing them.

    #39459
    AITpro Admin
    Keymaster

    Well I take that back.  I just did a file contents search through all the TranslatePress plugins you sent to me and the main TranslatePress Multilingual plugin is where the files are being created.  3 files: /translatepress-multilingual/class.plugin-modules.php, /translatepress-multilingual/includes/class.plugin-modules.php and /translatepress-multilingual/includes/google-translate/class.plugin-modules.php.

    It is literally a “hidden plugin”.  The code removes the mplugins.php file from the list of plugins installed on the WordPress Plugins page. Technically the mplugins.php file is not a plugin though.  It looks like it is some kind of troubleshooting file.  It gets all your installed and activated plugins and themes and lists them.  The admin_ips.txt file collects visitor IP addresses to your website.  In general it looks like both of these files work together with some kind of Ads.  So either this is some kind of shady Ad thing or something that was not in the original TranslatePress plugin.  Did you get the TranslatePress plugin from a reputable source?

    Yeah something is fishy with those 3 files.  These things stick out right away.  All the other TranslatePress files are named using this file naming convention:  class-advanced-tab.php.  There is a dash not a dot after class.  The code in the 3 files definitely does not look like it was created by the same person who created all other TranslatePress code.  Even though those 3 files are named “class” they are not classes.  They have basic amateurish code in them.

    #39462
    AITpro Admin
    Keymaster

    I am 100% sure that these 3 files were added by someone else and not the TranslatePress folks.  At the top of the main TranslatePress file this amateurish include has been added…

    <?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

    I downloaded the free version of TranslatePress from the WP Plugin Repository and checked the files. The 3 files do not exist in the free version and the include to the files is also not in the free version. I guess it’s possible that TranslatePress added those files in their premium version, but I seriously doubt that.
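
The comparison described in the post above (installed plugin copy versus a clean copy from the WP Plugin Repository), as an added example that is not part of the original thread or of BPS. It hashes both trees, reports files that exist only in the installed copy, and checks modified files for the `file_exists(...) include_once` line quoted above; the main file name `index.php` and all file contents are constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Shape of the injected line quoted in the thread: an include_once of a
# sibling file, guarded by file_exists(dirname(__FILE__) . '...').
INJECTED_INCLUDE = re.compile(
    r"file_exists\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*'([^']+)'\s*\)\s*\)"
    r"\s*include_once"
)

def _digests(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_plugin(suspect: Path, reference: Path) -> dict:
    """Diff an installed plugin tree against a clean reference copy."""
    sus, ref = _digests(suspect), _digests(reference)
    added = sorted(set(sus) - set(ref))
    modified = sorted(f for f in sus.keys() & ref.keys() if sus[f] != ref[f])
    includes = {}
    for rel in modified:
        text = (suspect / rel).read_text(errors="replace")
        hits = INJECTED_INCLUDE.findall(text)
        if hits:
            includes[rel] = hits  # paths the injected line tries to load
    return {"added": added, "modified": modified, "injected_includes": includes}

def build_sample(base: Path):
    """Constructed sample trees; file names follow the thread, contents are dummies."""
    clean, sus = base / "clean", base / "suspect"
    for root in (clean, sus):
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php /* main plugin file */\n")
        (root / "includes" / "class-advanced-tab.php").write_text("<?php class Tab {}\n")
    inj = ("<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) "
           "include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>\n")
    (sus / "index.php").write_text(inj + "<?php /* main plugin file */\n")
    (sus / "class.plugin-modules.php").write_text("<?php /* placeholder */\n")
    (sus / "includes" / "class.plugin-modules.php").write_text("<?php /* placeholder */\n")
    return sus, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_plugin(*build_sample(Path(tmp))))
```

Files listed under `added` are the ones to inspect first; an entry under `injected_includes` means an otherwise legitimate file has been altered to load one of them.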

    #39467
    Pablo Parrado
    Participant

    I saw what you said in the files, and I deleted the entire set. I asked for a refund in PayPal, will see it through. Thanks for your time and thanks again for your awesome support.
