Replies: 0
Hello
My friend’s site has been infected with some sort of redirecting virus (which is focused on mobile devices). I’ve found that this virus resides in the bb_press directory. I’ve deleted this directory and after a while it popped up again. So, I’ve deleted the files and set the chmod of that dir to 000. That way I’ve found that the copy method from class-wp-filesystem-direct.php is being used to reinstall that “plugin”. It looks like the virus is using the update mechanism:
1. copy_dir() class-wp-upgrader.php:566
2. WP_Upgrader->install_package() class-wp-upgrader.php:746
3. WP_Upgrader->run() class-plugin-upgrader.php:118
4. Plugin_Upgrader->install() update.php:162
So, the question is: where is the updating part of the virus that allows it to reinstall itself?
Edit: Oh, Wordfence couldn’t find any modified PHP files. Only some readme.txt.
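The stack trace in the post stops at Plugin_Upgrader->install(); the frames below that are the ones that identify whoever keeps calling the installer. One way to capture them is a small must-use plugin that hooks the upgrader and logs the caller, the request context and the scheduled WP-Cron events each time an install runs. This is an added example, not code from the post or from WordPress; the hooks upgrader_pre_install and upgrader_process_complete, wp_debug_backtrace_summary() and _get_cron_array() are real WordPress functions, while the log file path and the plugin/function names are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Upgrader Call Tracer (diagnostic, added example)
 * Description: Logs who triggers plugin installs so a silent reinstaller can be located.
 *
 * Drop this file into wp-content/mu-plugins/ (must-use plugins load before regular
 * plugins and cannot be deactivated from the dashboard). Remove it when done.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Log file location is an assumption for this example; pick a path the web
// server can write to but that is not served to visitors.
define( 'UCT_LOG', WP_CONTENT_DIR . '/upgrader-trace.log' );

// Who and what triggered the current request: logged-in user, cron, WP-CLI, IP, URI.
function uct_context_line() {
    $who = is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous';
    $via = ( defined( 'DOING_CRON' ) && DOING_CRON ) ? 'wp-cron' : 'http';
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        $via = 'wp-cli';
    }
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(none)';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '(none)';
    return sprintf( '[%s] user=%s via=%s ip=%s uri=%s', gmdate( 'c' ), $who, $via, $ip, $uri );
}

function uct_log( $message ) {
    // error_log() with message type 3 appends to the given file.
    error_log( $message . PHP_EOL, 3, UCT_LOG );
}

// Fires inside WP_Upgrader::install_package(), just before copy_dir() runs,
// i.e. at the point the post's stack trace was taken.
add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    uct_log( uct_context_line() );
    uct_log( 'upgrader_pre_install hook_extra=' . wp_json_encode( $hook_extra ) );
    // The frames below WP_Upgrader are what the question is after: the code
    // that called Plugin_Upgrader->install() in the first place.
    uct_log( 'backtrace: ' . wp_debug_backtrace_summary( null, 0, true ) );

    // Record the scheduled WP-Cron hooks as well, since a hidden cron event is a
    // common way for a reinstaller to re-run itself. _get_cron_array() is a
    // private core function; its array also carries a 'version' entry, skipped here.
    foreach ( (array) _get_cron_array() as $timestamp => $hooks ) {
        if ( ! is_array( $hooks ) ) {
            continue;
        }
        uct_log( 'cron ' . gmdate( 'c', (int) $timestamp ) . ' hooks=' . implode( ',', array_keys( $hooks ) ) );
    }
    return $response; // Do not block the install; this plugin only observes.
}, 0, 2 );

// Fires after the upgrader finishes, with details of what was installed and where.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    uct_log( 'upgrader_process_complete hook_extra=' . wp_json_encode( $hook_extra ) );
    if ( is_array( $upgrader->result ) && ! empty( $upgrader->result['destination'] ) ) {
        uct_log( 'installed into ' . $upgrader->result['destination'] );
    }
}, 10, 2 );
```

Once the directory reappears, the backtrace line in upgrader-trace.log shows the file and function that called Plugin_Upgrader->install(), and the via= field tells whether it came in over HTTP, WP-Cron or WP-CLI; the cron listing lets an unfamiliar hook name be matched against the code that registered it.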