Hidden Plugin Folder|Files (HPF) Alert
- This topic has 7 replies, 2 voices, and was last updated 3 years, 6 months ago by Pablo Parrado.
Pablo Parrado (Participant)
Hello!
I received this alert: Hidden Plugin Folder|Files (HPF) Alert
and I deleted the files via FTP but they keep showing up.
I activated a plugin and then I got these two files showing up even if I delete them. Can I place them in quarantine or delete them for good somehow? This is my alert message:
BPS Hidden Plugin Folder|Files (HPF) Alert
An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the HPF Ignore Rule shown below in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
File Path: xxxx/wp-content/plugins/mplugin.php
HPF Ignore Rule: mplugin.php
Last Modified Time: 19 octobre 2020 @ 22h45
Last Change Time: 19 octobre 2020 @ 22h45
Last Access Time: 19 octobre 2020 @ 22h40
And the other one:
BPS Hidden Plugin Folder|Files (HPF) Alert
An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the HPF Ignore Rule shown below in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
File Path: xxxxx/wp-content/plugins/admin_ips.txt
HPF Ignore Rule: admin_ips.txt
Last Modified Time: 19 octobre 2020 @ 22h40
Last Change Time: 19 octobre 2020 @ 22h40
Last Access Time: 19 octobre 2020 @ 22h40
Any help is very appreciated!
Thanks in advance!
AITpro Admin (Keymaster)
Sounds like the plugin that is automatically creating these files needs them for something. What is the name of the plugin? I’ll test it to see what the files are for. If the files are legitimate and not malicious you would just create an HPF ignore rule for both of these files.
Pablo Parrado (Participant)
I don’t know where they come from, I installed 8 of them. They are definitely malicious.
AITpro Admin (Keymaster)
Send me the files so I can check them > info at ait-pro dot com.
AITpro Admin (Keymaster)
Jeez, opening your zip file was like opening a Russian Babushka doll. LOL. What I wanted was the 2 files that were being created in the /plugins/ folder > mplugin.php and admin_ips.txt. It will take me a while to test all the plugins you sent to me in your Babushka zip file. 😉 I will either reply later today or tomorrow after testing them.
AITpro Admin (Keymaster)
Well, I take that back. I just did a file contents search through all the TranslatePress plugins you sent to me and the main TranslatePress Multilingual plugin is where the files are being created. 3 files: /translatepress-multilingual/class.plugin-modules.php, /translatepress-multilingual/includes/class.plugin-modules.php and /translatepress-multilingual/includes/google-translate/class.plugin-modules.php.
It is literally a “hidden plugin”. The code removes the mplugins.php file from the list of plugins installed on the WordPress Plugins page. Technically the mplugins.php file is not a plugin though. It looks like it is some kind of troubleshooting file. It gets all your installed and activated plugins and themes and lists them. The admin_ips.txt file collects visitor IP addresses to your website. In general it looks like both of these files work together with some kind of Ads. So either this is some kind of shady Ad thing or something that was not in the original TranslatePress plugin. Did you get the TranslatePress plugin from a reputable source?
Yeah, something is fishy with those 3 files. These things stick out right away. All the other TranslatePress files are named using this file naming convention: class-advanced-tab.php. There is a dash, not a dot, after class. The code in the 3 files definitely does not look like it was created by the same person who created all other TranslatePress code. Even though those 3 files are named “class” they are not classes. They have basic amateurish code in them.
AITpro Admin (Keymaster)
I am 100% sure that these 3 files were added by someone else and not the TranslatePress folks. At the top of the main TranslatePress file this amateurish include has been added…
<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>
I downloaded the free version of TranslatePress from the WP Plugin Repository and checked the files. The 3 files do not exist in the free version and the include to the files is also not in the free version. I guess it’s possible that TranslatePress added those files in their premium version, but I seriously doubt that.
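The comparison described in the post above (installed plugin versus a clean copy from the WP Plugin Repository) can be scripted. This is an added example, not code from the thread, BulletProof Security or TranslatePress; the function names and the two demo plugin trees are constructed, and only the include line is taken from the page.

```python
import difflib, hashlib, re, tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)
# The include line quoted in the thread (the only value taken from the page).
INJECTED = ("<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>")

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def added_includes(clean_file, installed_file):
    """Lines found only in the installed file that load other PHP code."""
    old = Path(clean_file).read_text(errors="replace").splitlines()
    new = Path(installed_file).read_text(errors="replace").splitlines()
    return [d[2:].strip() for d in difflib.ndiff(old, new)
            if d.startswith("+ ") and INCLUDE_RE.search(d)]

def compare_plugin(clean_dir, installed_dir):
    """Report files the clean copy lacks, changed files, and includes added to them."""
    clean, inst = file_hashes(clean_dir), file_hashes(installed_dir)
    modified = sorted(f for f in clean.keys() & inst.keys() if clean[f] != inst[f])
    includes = {f: added_includes(Path(clean_dir, f), Path(installed_dir, f))
                for f in modified if f.endswith(".php")}
    return {"extra": sorted(inst.keys() - clean.keys()), "modified": modified,
            "added_includes": includes}

def run_demo():
    """Build two constructed plugin trees in a temp dir and compare them."""
    main = "<?php\n/* Plugin Name: Demo */\nrequire_once __DIR__ . '/includes/class-advanced-tab.php';\n"
    clean = {"index.php": main, "includes/class-advanced-tab.php": "<?php class Advanced_Tab {}\n"}
    installed = {**clean,
                 "index.php": INJECTED + "\n" + main,
                 "class.plugin-modules.php": "<?php // constructed placeholder\n",
                 "includes/class.plugin-modules.php": "<?php // constructed placeholder\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("clean", clean), ("installed", installed)):
            for rel, body in tree.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare_plugin(Path(tmp, "clean"), Path(tmp, "installed"))

if __name__ == "__main__":
    print(run_demo())
```

Against a real site, `compare_plugin` takes the unpacked repository download as `clean_dir` and the plugin folder under wp-content/plugins as `installed_dir`; a premium build will legitimately differ from the free one, so treat the output as a list of files to read, not a verdict.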
Pablo Parrado (Participant)
I saw what you said in the files, and I deleted the entire set. I asked for a refund in PayPal, will see it through. Thanks for your time and thanks again for your awesome support.