php.php_.php7_.gif - WordPress Malware (Pink X Image in Media Library)

A strange thing was recently reported to me on several sites with WordPress.

Problem data php.php_.php7_.gif

The mysterious appearance of a .gif images with a black "X" on a pink background. In all cases, the file was named "php.php_.php7_.gif", Having the same properties everywhere. The interesting part is that this file has not been uploaded by a specific user / author. "Uploaded by: (no author)"

File name: php.php_.php7_.gif
File type: image / gif
Uploaded on: July 11th, 2019
File size:
Dimensions: 300 by 300 pixels
title: php.php_.php7_
Uploaded By: (no author)

By default, this .GIF file appears to be a contains a script, is loaded on the server in the current uploads folder from the chronology. In the given cases: / Root / wp-content / uploads / 2019 / 07 /.
Another interesting thing is that the base file, php.php_.php7_.gif, which was uploaded to the server, can not be opened by a photo editor. Preview, Photoshop or any other. Instead, thumbnail(icons) made automatically by WordPress on multiple sizes, are perfectly functioning .gifs and can be opened. An "X" black on a pink background.

What is "php.php_.php7_.gif" and how can we get rid of these suspicious files

Delete these files most likely malware / Virus, it's not a solution if we limit ourselves to just that. Sure php.php_.php7_.gif is not a legitimate WordPress file or created by a plugin.
On a web server it can be easily identified if we have Linux Malware Detect installed. The anti-virus / anti-malware process of "maldet"Immediately detected it as a type virus:"{YARA} php_in_image

FILE HIT LIST:
{YARA}php_in_image : /web/blog/public_html/wp-content/uploads/2019/07/php.php_.php7_.gif

It is highly recommended to have one antivirus on the web server and update it to date. Additionally, the antivirus is set to permanently monitor changes to web files.
The WordPress version and all modules (plugins) also be updated. As far as I saw, all WordPress sites infected with php.php_.php7_.gif have as common plugin element "WP Review". Plugin that just received an update in the changelog we find: Fixed vulnerability issue.

For one of the sites affected by this malware, in the error.log, the following line was found:

2019/07/11 13:08:10 [error] 25084#25084: *44118905 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: IP.IP.IP.IP, server: website.tld, request: "GET /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"

It makes me think that the upload of false images was made through this plug-in. The error first arises from a fastcgi PORT error.
An important note is that this malware / WordPress does not really take into account the PHP version on the server. I found it both PHP 5.6.40 and the PHP 7.1.30.

The article will be updated as we find out more about the php.php_.php7_.gif malware file present in MediaLibrary.

php.php_.php7_.gif - WordPress Malware (Pink X Image in Media Library)

About the author

Stealth

Passionate about everything that means gadgets and IT, I write with pleasure stealthsettings.com from 2006 and I like to discover with you new things about computers and operating systems macOS, Linux, Windows, iOS and Android.

Leave a Comment