php.php_.php7_.gif - WordPress Malware (Pink X Image in Media Library)

A strange thing was recently reported to me on several WordPress sites.

The php.php_.php7_.gif problem

The symptom is the mysterious appearance of a .gif image showing a black "X" on a pink background. In every case the file was named "php.php_.php7_.gif" and had exactly the same properties. The interesting part is that the file was not uploaded by any specific user or author: the Media Library shows "Uploaded by: (no author)".

File name: php.php_.php7_.gif
File type: image/gif
Uploaded on: July 11, 2019
File size:
Dimensions: 300 by 300 pixels
Title: php.php_.php7_
Uploaded by: (no author)

The .GIF file, which appears to contain a script, is written to the server in the uploads folder for the current month of the date-based hierarchy; in the cases I saw, [site root]/wp-content/uploads/2019/07/.
Another interesting thing is that the original file, php.php_.php7_.gif, as uploaded to the server, cannot be opened by any image editor (Preview, Photoshop or any other). The thumbnails that WordPress generates automatically at several sizes, however, are perfectly functional GIFs that open normally and show the black "X" on the pink background. That is what you would expect from an image/PHP polyglot: the original carries PHP code embedded in the image data, while the thumbnails are re-encoded by WordPress's image library and therefore contain only pixel data. The trailing underscores in the name are telling as well: WordPress's sanitize_file_name() appends "_" to any intermediate extension it does not allow, so an upload named php.php.php7.gif is stored as php.php_.php7_.gif. In other words, someone tried a double-extension trick to get the file executed as PHP. With the underscores the usual handler rules for .php no longer match the name, but the PHP payload is still sitting on disk and has to be treated as malicious.

What is "php.php_.php7_.gif" and how do you get rid of these suspicious files?

Deleting these files, which are almost certainly malware, is not a solution if that is all we do. What is certain is that php.php_.php7_.gif is neither a legitimate WordPress file nor one created by a plugin.
On a web server it is easy to identify if Linux Malware Detect is installed: the "maldet" anti-virus / anti-malware scanner immediately flagged it as a "{YARA}php_in_image" hit:

FILE HIT LIST:
{YARA}php_in_image : /web/blog/public_html/wp-content/uploads/2019/07/php.php_.php7_.gif

It is highly recommended to run an antivirus on the web server and keep it up to date, and to configure it to monitor changes to the web files continuously (maldet's monitor mode does this with inotify). WordPress itself and all of its plugins should be kept up to date as well. From what I have seen, every WordPress site infected with php.php_.php7_.gif has one element in common: the "WP Review" plugin, which recently received an update whose changelog says: Fixed vulnerability issue.
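The script below is an added example, not code from the article or from maldet. It does by hand a rough version of what the php_in_image rule does: it walks an uploads tree and prints image files whose bytes contain a PHP open tag, and separately lists names carrying the "_" that sanitize_file_name() appends to a rejected double extension, which also explains why the regenerated thumbnails of a polyglot come out clean. The sample tree, the file names and the harmless stand-in payload are constructed for the demonstration; on a real server, point the two functions at the site's wp-content/uploads directory instead.

```shell
#!/bin/sh
# Added example (not from the article or from maldet): a quick manual check for
# image/PHP polyglots in a WordPress uploads tree, plus a name-based check for
# the "_" that WordPress's sanitize_file_name() appends to rejected
# double extensions (php.php.php7.gif -> php.php_.php7_.gif).

# Print every file under $1 that has an image extension but contains a PHP open
# tag. A GIF, JPEG or PNG that is really only pixel data never contains "<?php".
find_php_in_images() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \
                         -o -iname '*.png' -o -iname '*.webp' \) -print |
    while IFS= read -r f; do
        # -a treats the binary file as text, -q gives exit status only.
        if grep -aqE '<\?(php|=)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every file under $1 whose name carries an underscored intermediate
# extension such as ".php_." or ".php7_-": the trace of a double-extension
# upload that WordPress renamed. Thumbnails derived from such a file keep it.
find_sanitized_double_extensions() {
    find "$1" -type f -print |
    grep -E '\.(php[0-9]?|phtml|phar)_([.-]|$)' || true
}

# Build a throwaway uploads tree with constructed sample files; print its path.
make_sample_uploads() {
    base=$(mktemp -d)
    mkdir -p "$base/2019/07"
    # Clean image: a GIF signature followed by a few arbitrary bytes.
    printf 'GIF89a\001\002;' > "$base/2019/07/holiday.gif"
    # Constructed polyglot: GIF signature, then PHP code (harmless stand-in).
    printf 'GIF89a<?php echo "polyglot"; ?>' > "$base/2019/07/php.php_.php7_.gif"
    # Thumbnail as WordPress regenerates it: pixel data only, no PHP inside.
    cp "$base/2019/07/holiday.gif" "$base/2019/07/php.php_.php7_-150x150.gif"
    printf '%s\n' "$base"
}

# Demo run against the constructed tree.
demo_dir=$(make_sample_uploads)
echo "PHP code inside image files:"
find_php_in_images "$demo_dir"
echo "Names renamed by sanitize_file_name():"
find_sanitized_double_extensions "$demo_dir"
rm -rf "$demo_dir"
```

The content check is the one that matters: only the original polyglot is reported, while the thumbnail that shares its name is clean. The name check is a cheap way to spot other double-extension upload attempts that WordPress renamed, including ones whose payload was later removed.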

For one of the sites affected by this malware, error.log contained the following line:

2019/07/11 13:08:10 [error] 25084#25084: *44118905 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: IP.IP.IP.IP, server: website.tld, request: "GET /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"

This suggests that the fake images were uploaded through this plugin. The request is an admin-ajax.php call to the plugin's own upload action, wpr-upload-comment-image, and the warning (array_filter() receiving null on line 36 of wp-review/includes/ajax.php) shows the handler running on input it did not expect; the warning only reaches error.log because PHP-FPM relays it to nginx through FastCGI. admin-ajax.php is reachable by anonymous visitors for any action registered on the nopriv hook, and an attachment listed as "(no author)" has no valid author user, which is consistent with an upload made without a logged-in user.
An important point is that this WordPress malware does not care which PHP version the server runs: I found it on both PHP 5.6.40 and PHP 7.1.30.
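To turn the error.log line above into something you can hunt with, the following added example (not from the article) pulls the timestamp, client IP and request out of every nginx error.log entry that involves the WP Review ajax handler, then ranks the client IPs. The log file is constructed for the demonstration with documentation-range IPs; the hostname website.tld and the warning text are as on the page.

```shell
#!/bin/sh
# Added example (not from the article): triage of nginx error.log lines that
# involve the WP Review upload action, producing a list of client IPs to block
# and to search for in access.log.

# Print "date time client request" for every line of the error log in $1 that
# mentions the plugin's ajax.php or its wpr-upload-comment-image action.
wpr_upload_attempts() {
    grep -E 'wp-review/includes/ajax\.php|action=wpr-upload-comment-image' "$1" |
    sed -E 's|^([0-9]{4}/[0-9]{2}/[0-9]{2} [0-9:]{8}).*client: ([^,]+),.*request: "([^"]*)".*|\1 \2 \3|'
}

# Unique client IPs, most frequent first (field 3 of wpr_upload_attempts output).
wpr_upload_clients() {
    wpr_upload_attempts "$1" | awk '{print $3}' | sort | uniq -c | sort -rn
}

# Write a constructed error.log with two attackers and one unrelated line;
# print the path of the temporary file.
write_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2019/07/11 13:08:10 [error] 25084#25084: *44118905 FastCGI sent in stderr: "PHP message: PHP Warning:  array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: 203.0.113.7, server: website.tld, request: "GET /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"
2019/07/11 13:09:42 [error] 25084#25084: *44118950 open() "/home/www/website.tld/public/favicon.ico" failed (2: No such file or directory), client: 198.51.100.23, server: website.tld, request: "GET /favicon.ico HTTP/1.1", host: "website.tld"
2019/07/11 13:12:05 [error] 25084#25084: *44119102 FastCGI sent in stderr: "PHP message: PHP Warning:  array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: 203.0.113.7, server: website.tld, request: "POST /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"
2019/07/11 14:01:17 [error] 25084#25084: *44120311 FastCGI sent in stderr: "PHP message: PHP Warning:  array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: 192.0.2.88, server: website.tld, request: "POST /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"
EOF
    printf '%s\n' "$log"
}

# Demo run against the constructed log. On a real server use the site's
# error.log path instead.
demo_log=$(write_sample_log)
wpr_upload_attempts "$demo_log"
wpr_upload_clients "$demo_log"
rm -f "$demo_log"
```

Two caveats when applying this to real logs: the warning only appears when the handler trips over unexpected input, so successful uploads may leave no error.log trace at all and access.log should be searched for the same action; and for POST requests the action may travel in the body rather than the query string, in which case it will not be visible in the request line.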

This article will be updated as we learn more about the php.php_.php7_.gif malware file found in Media → Library.

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
