php.php_.php7_.gif - WordPress Malware (Pink X Image in Media Library)

A strange thing was recently reported to me on several WordPress sites.

Problem details: php.php_.php7_.gif

The mysterious appearance of a .gif image with a black "X" on a pink background. In all cases the file was named "php.php_.php7_.gif" and had the same properties everywhere. The interesting part is that this file was not uploaded by a specific user / author: "Uploaded by: (no author)".

File name: php.php_.php7_.gif
File type: image / gif
Uploaded on: July 11th, 2019
File size:
Dimensions: 300 by 300 pixels
Title: php.php_.php7_
Uploaded By: (no author)

As WordPress does by default, this .GIF file, which looks like it contains a script, lands on the server in the current date-based uploads folder. In the given cases: /wp-content/uploads/2019/07/ under the web root.
Another interesting thing is that the base file, php.php_.php7_.gif, which was uploaded to the server, cannot be opened by a photo editor: Preview, Photoshop or any other. Instead, the thumbnails (icons) generated automatically by WordPress at several dimensions are perfectly functional .gifs and can be opened: a black "X" on a pink background.

What is "php.php_.php7_.gif" and how to get rid of these suspicious files?

Deleting these files, which are most likely malware, is not a solution if we limit ourselves to just that. What is certain is that php.php_.php7_.gif is not a legitimate WordPress file, nor one created by a plugin.
On a web server it can be easily identified if Linux Malware Detect is installed. The anti-virus / anti-malware process of "maldet" immediately detected it as a threat of the type "{YARA}php_in_image":

{YARA}php_in_image : /web/blog/public_html/wp-content/uploads/2019/07/php.php_.php7_.gif
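The maldet rule above fires on PHP code embedded in an image file. As an added example (not code from the original post, maldet or WordPress), the script below walks an uploads tree and flags the same three signs seen here: a "php" double extension in the file name like php.php_.php7_.gif, image magic bytes that do not match the extension, and PHP tags or dangerous calls inside the file body. The uploads path and the list of suspicious PHP functions are assumptions.

```python
"""Scan a WordPress uploads tree for image files that carry PHP code,
the pattern maldet's {YARA} php_in_image rule flagged for php.php_.php7_.gif.
Added example, not code from the original post or from maldet/WordPress."""
import os
import re
from pathlib import Path

IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".webp"}
# Genuine image files begin with one of these magic headers.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".jpg": (b"\xff\xd8\xff",),
         ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",),
         ".webp": (b"RIFF",)}
# PHP open tags, plus a few functions (assumed list) that a dropper typically calls.
PHP_TAG = re.compile(rb"<\?(php|=)|\b(eval|base64_decode|system|passthru)\s*\(", re.I)
# A name such as php.php_.php7_.gif: "php" appears as an extra extension before the image one.
DOUBLE_EXT = re.compile(r"\.php\d*_?\.", re.I)

def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file looks suspicious (empty list means clean)."""
    reasons = []
    ext = path.suffix.lower()
    if ext not in IMAGE_EXT:
        return reasons
    if DOUBLE_EXT.search(path.name):
        reasons.append("php double extension in name")
    data = path.read_bytes()
    if not data.startswith(MAGIC[ext]):
        reasons.append("magic bytes do not match extension")
    if PHP_TAG.search(data):
        reasons.append("PHP code inside image")
    return reasons

def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk the uploads tree and map each suspicious file (relative path) to its reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = inspect_file(p)
            if reasons:
                hits[str(p.relative_to(root))] = reasons
    return hits

if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass the real uploads directory as the first argument.
    for f, why in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads").items():
        print(f"{f}: {', '.join(why)}")
```

The WordPress-generated thumbnails (php.php_.php7_-150x150.gif and similar) are valid GIFs, so they are reported by name only, which is enough to trace them back to the dropped base file.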

It is highly recommended to have an antivirus on the web server and keep it up to date. Additionally, set the antivirus to permanently monitor changes to web files.
The WordPress version and all modules (plugins) should also be updated. As far as I saw, all WordPress sites infected with php.php_.php7_.gif have as a common element the plugin "WP Review", a plugin that recently received an update whose changelog says: Fixed vulnerability issue.

For one of the sites affected by this malware, the following line was found in error.log:

2019/07/11 13:08:10 [error] 25084#25084: *44118905 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: IP.IP.IP.IP, server: website.tld, request: "GET /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://", host: "website.tld", referrer: "website.tld"

It makes me think that the upload of the fake images was made through this plugin. The error first arises from a FastCGI PORT error.
An important note is that this WordPress malware does not really depend on the PHP version on the server. I found it on both PHP 5.6.40 and PHP 7.1.30.

The article will be updated as we find out more about the php.php_.php7_.gif malware file present in Media →  Library.

Passionate about technology, I like to test and write tutorials about operating systems (macOS, Linux, Windows), about WordPress, WooCommerce and LEMP web server configuration (Linux, NGINX, MySQL and PHP). I have been writing on since 2006, and a few years later I started writing on iHowTo.Tips tutorials and news about devices in the Apple ecosystem: iPhone, iPad, Apple Watch, HomePod, iMac, MacBook, AirPods and accessories.
