php.php_.php7_.gif – WordPress Malware (Pink X Image in Media Library)

A strange thing was recently reported on multiple WordPress sites.


The mysterious appearance of a .GIF image showing a black “X” on a pink background. In all cases, the file was named “php.php_.php7_.gif” and had the same properties everywhere. The interesting part is that this file was not uploaded by a user / author: “Uploaded by: (no author)”.

File name: php.php_.php7_.gif
File type: image/gif
Uploaded on: July 11, 2019
File size:
Dimensions: 300 by 300 pixels
Title: php.php_.php7_
Uploaded By: (no author)

By default, this .gif file, which seems to contain a script, is uploaded to the server in the current date-based uploads folder. In the given cases: /root/wp-content/uploads/2019/07/.
Another interesting thing is that the original file, php.php_.php7_.gif, the one that was uploaded to the server, cannot be opened by an image editor: Preview, Photoshop or any other. The thumbnails generated by WordPress in several sizes, however, are perfectly functional and can be opened: a black “X” on a pink background.

What is “php.php_.php7_.gif” and how can we get rid of these suspicious files

Deleting these files, which are most likely malware / a virus, is not a solution if we limit ourselves to that. php.php_.php7_.gif is definitely not a legitimate WordPress file, nor one created by a plugin.
On a web server it can be identified very easily if we have Linux Malware Detect installed. The anti-virus / anti-malware process of “lunch” immediately detected it as a virus of type “{YARA}php_in_image”:

FILE HIT LIST:
{YARA}php_in_image : /web/blog/public_html/wp-content/uploads/2019/07/php.php_.php7_.gif
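A minimal scan in the spirit of the detection above, as an added example (not from the original article, and not Linux Malware Detect's actual rule): it walks an uploads tree and flags image files that contain a PHP open tag, lack a valid image signature, or carry php-like segments in their name. The sample files and the helper names (inspect_file, scan_uploads, demo) are constructed for illustration.

```python
import os
import re
import tempfile

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".webp"}
PHP_OPEN_TAG = re.compile(rb"<\?php\b", re.IGNORECASE)
# Leading bytes of real image formats (GIF87a/GIF89a, JPEG, PNG, RIFF for WebP).
MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"RIFF")

def inspect_file(path):
    """Return the reasons a file looks suspicious (empty list = nothing found)."""
    reasons = []
    # "php.php_.php7_.gif" -> segments before the extension: php, php_, php7_
    stem_parts = os.path.basename(path).lower().split(".")[:-1]
    if any(re.fullmatch(r"(php\d?|phtml|phar)_*", p) for p in stem_parts):
        reasons.append("php-like segment in file name")
    with open(path, "rb") as fh:
        data = fh.read()
    if PHP_OPEN_TAG.search(data):
        reasons.append("PHP open tag in image data")
    if not data.startswith(MAGIC):
        reasons.append("no valid image signature")
    return reasons

def scan_uploads(root):
    """Map each suspicious image (path relative to root) to its reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() in IMAGE_EXTS:
                full = os.path.join(dirpath, fname)
                reasons = inspect_file(full)
                if reasons:
                    hits[os.path.relpath(full, root)] = reasons
    return hits

def demo():
    """Build a constructed uploads tree (one clean GIF, one flagged) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2019", "07")
        os.makedirs(month)
        with open(os.path.join(month, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a" + b"\x00" * 32)
        with open(os.path.join(month, "php.php_.php7_.gif"), "wb") as fh:
            fh.write(b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed placeholder */ ?>")
        return scan_uploads(root)

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

On a real server, call scan_uploads() on the site's wp-content/uploads directory; a hit is a reason to inspect the file by hand, not proof of infection.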

It is highly recommended to have an antivirus on the web server and to keep it up to date. In addition, the antivirus should be set to permanently monitor the changes made to web files.
The WordPress version and all modules (plugins) should be updated too. As far as I saw, all WordPress websites infected with php.php_.php7_.gif have the plugin “WP Review” as a common element. This plugin recently received an update in whose changelog we find: Fixed vulnerability issue.

For one of the websites affected by this malware, the following line was found in error.log:

2019/07/11 13:08:10 [error] 25084#25084: *44118905 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, null given in /home/www/website.tld/public/wp-content/plugins/wp-review/includes/ajax.php on line 36" while reading response header from upstream, client: IP.IP.IP.IP, server: website.tld, request: "GET /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "website.tld", referrer: "website.tld"

It makes me think that the upload of the fake image was made through this plugin, the error initially arising from a fastcgi PORT error.
An important mention is that this virus / WordPress malware does not take into account the PHP version on the server. I found it on PHP 5.6.40 as well as on PHP 7.1.30.

The article will be updated as we find more data on the php.php_.php7_.gif malware file present in the Media Library.

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have extensive experience with operating systems (macOS, Windows and Linux), as well as with programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).
