Malware


Postby braiswick » 17 Jun 2012, 02:24

Just a warning: Wordfence reports malware in Suffusion - it's appearing on several of my sites.

File contains suspected malware URL: /wp-content/themes/suffusion/admin/theme-options-templates.php

Filename: wp-content/themes/suffusion/admin/theme-options-templates.php
Bad URL: http://robm.me.uk/projects/plugins/word ... ow-reading
File type: Not a core, theme or plugin file.
Issue first detected: 9 secs ago.
Severity: Critical
Status New

This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: http://robm.me.uk/projects/plugins/word ... ow-reading - More info available at Google Safe Browsing diagnostic page.
braiswick
 
Posts: 3
Joined: 21 Jan 2012, 10:13

Re: Malware

Postby drake » 17 Jun 2012, 03:35

???
Yes, your SITES are infected, but how is this related to Suffusion???? Just because you use the theme??? Switch to the default theme (Twenty Eleven)... the infection is still on your site...

Plus, as far as I can see, the infection is related to a plugin... what plugins you use also isn't related to the theme...

As someone who has some good experience in cleaning sites, I can assure you that Suffusion is safe and doesn't have vulnerabilities which can be exploited by hackers, but the plugins used can't be controlled by the theme, only by you...
drake
 
Posts: 3777
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania

Re: Malware

Postby sayontan » 17 Jun 2012, 08:46

Please note:
1. The malware warning is bogus. It is definitely not critical.
2. The link it is pointing to is a site that has been infected. That doesn't mean by any stretch of information that your site is infected.
3. The link being pointed to is not accessible via your site. The link shows up in your site's back-end and no visitor of your site gets to see it. They can't even see it if they tried their best to open the said file.

Your "security" plugin is trying to spread FUD.

Please read this: http://aquoid.com/news/2012/06/suffusio ... mment-4893.
Sayontan Sinha | http://mynethome.net/blog | http://www.aquoid.com/news
I don't do freelance work (for Suffusion or otherwise), so please don't contact me for quotes or offers.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas

Re: Malware

Postby braiswick » 19 Jun 2012, 09:35

Thank you both - that's given me reassurance. It was a plugin I've never used before that said the sites were infected.

Perhaps I should remove that plugin?

Having had all my sites attacked, and severely damaged, I'm now very cautious - and grateful. Thank you,
braiswick
 
Posts: 3
Joined: 21 Jan 2012, 10:13

Re: Malware

Postby sayontan » 19 Jun 2012, 09:38

I don't believe any of your sites is attacked or damaged - you might be misreading the report. What I am trying to point out to you is that the report from your security plugin is a false alarm.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas

Re: Malware

Postby drake » 19 Jun 2012, 15:25

As a first step of caution... or precaution :)
Never... but never install or keep on the server a plugin or a theme which was reported with vulnerabilities... It is a matter of time before hackers exploit a reported vulnerability... They already know what to look for... They have scripts which look for all themes or plugins copied to your site which have variants of timthumb.php or tdomf, for example...

Look also at the last update time... a plugin or a theme which wasn't updated in years is more likely to have vulnerabilities than Suffusion, with 3 huge updates and 6 bugfixes just in the last year...

Also, you can install the "Bad Behavior" plugin, with its default settings, no more, no less... (with more you will have a lot of false positives, with less you will not have security). If you look at its log after a week you will be amazed what "visitors" tried to "visit" your site :)
drake
 
Posts: 3777
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania

Re: Malware

Postby sayontan » 19 Jun 2012, 15:34

Drake,
While I agree with your suggestions, they probably are not applicable here. Note:
  1. In the Suffusion file, theme-options-templates.php, there is a link to Rob Miller's "Now Reading" home page. It is just a link to Rob's page and it is not a link to a corrupt executable. It is a link I put in more than a year back, when I added the templates for Now Reading to Suffusion.
  2. Somehow Rob's site got infected with malware. That malware isn't present in Suffusion, but if you click on the link, Firefox will warn you that there are issues with the site. Again, unless a user is clicking on the link and ignoring Firefox or Chrome's warnings, there are no issues.
  3. This link is only visible to an admin user who is visiting the configuration page for "Now Reading" under Suffusion Options -> Templates. Nobody else sees it.
  4. The WordFence plugin's report makes it appear like the user's site is infected - that is a lie. It is also making it sound like Suffusion carries malware. That is yet another lie. There is absolutely no infection in either case.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas
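
The distinction drawn in the post above, between a plain link to a flagged site and content that is loaded from it, can be written as a triage step over scanner hits. This is an added example, not part of the thread and not Wordfence's or Suffusion's code; the hostname `flagged.example`, the two sample files and the severity labels are constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

BLOCKLIST = {"flagged.example"}  # constructed stand-in for a malware-URL list

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# Contexts in which the URL is loaded without anyone clicking on it.
ACTIVE_RE = re.compile(
    r"(<(script|iframe)\b[^>]*\ssrc=|\b(include|require)(_once)?\b)\s*\(?\s*['\"]?$",
    re.I)
LINK_RE = re.compile(r"<a\s[^>]*href=['\"]?$", re.I)

# Constructed samples: an admin-page help link, as in this thread, and a file
# that emits a base64-hidden script tag.
THEME_FILE = """<?php $help = '<a href="http://flagged.example/now-reading">Now Reading</a>'; ?>"""
_blob = base64.b64encode(b'<script src="http://flagged.example/x.js"></script>').decode()
INJECTED_FILE = "<?php echo base64_decode('%s'); ?>" % _blob


def views(source):
    """Yield (text, decoded): the raw file, then each decoded base64 literal."""
    yield source, False
    for blob in B64_RE.findall(source):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace"), True
        except ValueError:  # not valid base64, ignore
            continue


def triage(source):
    """Return sorted (url, context, severity) tuples for blocklisted URLs."""
    findings = set()
    for text, decoded in views(source):
        for m in URL_RE.finditer(text):
            if urlparse(m.group()).hostname not in BLOCKLIST:
                continue
            before = text[max(0, m.start() - 200):m.start()]
            if decoded or ACTIVE_RE.search(before):
                findings.add((m.group(), "hidden or auto-loaded", "critical"))
            elif LINK_RE.search(before):
                findings.add((m.group(), "plain hyperlink", "informational"))
            else:
                findings.add((m.group(), "bare string", "review"))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in (("theme", THEME_FILE), ("injected", INJECTED_FILE)):
        print(name, triage(src))
```
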

Re: Malware

Postby drake » 19 Jun 2012, 15:51

No, no... I just made general suggestions for keeping his site safe... I understand from the topic how the story with the infection stands... Also, in my first post I stated that the infection doesn't have anything to do with Suffusion (in my first post I was "scared" by the red screen returned when I accessed the link - then I didn't continue to talk here because I saw and understood your answer)
drake
 
Posts: 3777
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania

Re: Malware

Postby sayontan » 19 Jun 2012, 15:59

Yup, the plugin messages can be best explained with an example.

You go to a doctor for a physical. On your way you pick up a pamphlet for a nightclub, which some people were distributing. You land at the doctor's office, and he sees the pamphlet. Now, he knows that people in this nightclub deal prohibited drugs, and since you are carrying the pamphlet, he incorrectly assumes that you are a drug addict.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas

Re: Malware

Postby tzdk » 19 Jun 2012, 16:01

Many of these services are more scams than protection, but unless the presentation by Wordfence is deliberately FUD'ing away to make someone pay for removal, I don't see how it does anything wrong. If whatever links to a malware site, it should of course warn. File IS infected, the end. In that way site IS infected, also the end. It does not matter that the link is not visible on the front or only to certain people.

The real problem is lazy or careless admin

The last time Google visited this site was on 2012-06-16, and the last time suspicious content was found on this site was on 2012-06-03.


So nothing found for 2 weeks. He has also had 2 weeks to inform about this, yet nothing. There is no reason to believe the site has not been infected - but he just goes Meh! He should submit the site for a new security review to speed up being whitelisted. Can be done via Google Webmaster Tools, I think.

Now he is also blocked by WOT http://www.mywot.com/en/scorecard/robm.me.uk - blocked once, blocked many times. How it goes. And certain companies are very well aware of the power they have with these lists. Certainly WOT is. Think online businesses and premium "services" where they are protected against ending up in such a mess. Lovely... Now Suffusion is feeling a bit of that too with this issue.
tzdk
 
Posts: 42
Joined: 17 May 2012, 13:12
