Malicious code in SE 3rd party plugin folders

    • 9 posts
    May 11, 2018 3:45 AM EDT

    Hi everyone,

     

    I chose SiteGround to host my website; however, they said I have malicious code in my files and that I have to clean this first, after which they will unblock it.

    I did run Virusdie and deleted "license" files that were found as infected but now the site won't work anymore.

    Read SiteGround's response below:

     


    Important: I am afraid to say, however, that during our regular security audit we also detected a number of malicious files within your website. It seems it was compromised, and here is a complete list of the suspicious files our malware scans detected:

    Code:

    [GEN]obfuscated_globals [20/01/17] /home/mahubcom54/public_html/temporary/package/sdk/module-sitegateway-4.8.13.tar
    [GEN]obfuscated_globals [24/02/17] /home/mahubcom54/public_html/temporary/package/packages/module-sitemulticurrency-4.9.4p2/application/modules/Sitemulticurrency/controllers/license/license1.php
    [GEN]obfuscated_globals [05/04/17] /home/mahubcom54/public_html/temporary/package/packages/module-sitemulticurrency-4.9.4p2/application/modules/Sitemulticurrency/controllers/license/license2.php
    [GEN]obfuscated_globals [24/02/17] /home/mahubcom54/public_html/temporary/package/packages/module-seaocore-4.9.4p8/application/modules/Seaocore/controllers/license/request.php
    [GEN]obfuscated_globals [29/07/16] /home/mahubcom54/public_html/temporary/package/packages/module-seaocore-4.9.4p8/application/modules/Seaocore/controllers/license/license1.php
    [GEN]obfuscated_globals [05/12/16] /home/mahubcom54/public_html/application/modules/Sitegateway/controllers/license/license1.php
    [GEN]obfuscated_globals [05/12/16] /home/mahubcom54/public_html/application/modules/Sitegateway/controllers/license/license.php
    [GEN]obfuscated_globals [05/12/16] /home/mahubcom54/public_html/application/modules/Sitegateway/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Communityad/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Communityad/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Communityad/controllers/license/license2.php
    [GEN]obfuscated_globals [13/11/17] /home/mahubcom54/public_html/application/modules/Sitemulticurrency/controllers/license/license1.php
    [GEN]obfuscated_globals [13/11/17] /home/mahubcom54/public_html/application/modules/Sitemulticurrency/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitebusiness/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitebusiness/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitebusiness/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitealbum/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitealbum/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitealbum/controllers/license/license2.php
    [GEN]obfuscated_globals [09/11/16] /home/mahubcom54/public_html/application/modules/Siteusercoverphoto/controllers/license/license1.php
    [GEN]obfuscated_globals [09/11/16] /home/mahubcom54/public_html/application/modules/Siteusercoverphoto/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitereview/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitereview/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitereview/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitecoupon/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitecoupon/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/17] /home/mahubcom54/public_html/application/modules/Sitecoupon/controllers/license/license2.php
    [GEN]obfuscated_globals [14/07/16] /home/mahubcom54/public_html/application/modules/Seaocore/controllers/license/request.php
    [GEN]obfuscated_globals [06/10/16] /home/mahubcom54/public_html/application/modules/Seaocore/controllers/license/license1.php
    [GEN]obfuscated_globals [18/10/16] /home/mahubcom54/public_html/application/modules/Sitegroup/controllers/license/license1.php
    [GEN]obfuscated_globals [18/10/16] /home/mahubcom54/public_html/application/modules/Sitegroup/controllers/license/license.php
    [GEN]obfuscated_globals [18/10/16] /home/mahubcom54/public_html/application/modules/Sitegroup/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteforum/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteforum/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteforum/controllers/license/license2.php
    [GEN]obfuscated_globals [09/11/16] /home/mahubcom54/public_html/application/modules/Sitemenu/controllers/license/license1.php
    [GEN]obfuscated_globals [09/11/16] /home/mahubcom54/public_html/application/modules/Sitemenu/controllers/license/license.php
    [GEN]obfuscated_globals [09/11/16] /home/mahubcom54/public_html/application/modules/Sitemenu/controllers/license/license2.php
    [GEN]obfuscated_globals [14/07/16] /home/mahubcom54/public_html/application/modules/Sitestore/controllers/license/license1.php
    [GEN]obfuscated_globals [14/07/16] /home/mahubcom54/public_html/application/modules/Sitestore/controllers/license/license.php
    [GEN]obfuscated_globals [14/07/16] /home/mahubcom54/public_html/application/modules/Sitestore/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteevent/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteevent/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Siteevent/controllers/license/license2.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitevideo/controllers/license/license1.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitevideo/controllers/license/license.php
    [GEN]obfuscated_globals [27/09/16] /home/mahubcom54/public_html/application/modules/Sitevideo/controllers/license/license2.php



    Due to this we had to deny web access for the time being. We’ve only allowed access for your own IP address.

    You can follow the steps below to resolve the situation:

    1. Inspect and remove all malicious files and code from your account.

    Alternatively, you can also employ a third party security expert to clean up the website for you. We can recommend the service of our partners at Sucuri.

    2. Scan your local computer for malware using reputable and up-to-date anti-virus software.

    3. Upgrade the application that powers your website to its latest release, including any plugins, modules, templates, etc. you might be using. This also includes upgrading any other applications hosted on your account, whether they are a part of the transfer or not.

    4. Change all of your administrative passwords. This includes changing your cPanel/FTP password, as well as the administrative password for any application installed on your account.

    I am leaving this ticket open, in ARC (awaiting response from customer) status, so you can easily update it once the site has been cleaned up, all your applications updated, and passwords changed. 

    Kind regards,

    Dimitar Galabov
    Technical Support Team

    • 1999 posts
    May 11, 2018 5:15 AM EDT

    I've moved this to 3rd party section as all of those are third party plugins, not SocialEngine official plugins.

    • 9 posts
    May 11, 2018 5:23 AM EDT

    Thank you Donna, any idea why this would happen?

    • 1999 posts
    May 11, 2018 5:25 AM EDT

    We've contacted SocialEngineAddOns to respond here.

    • 1999 posts
    May 11, 2018 5:26 AM EDT

    All of those plugins look to be SocialEngineAddons. Can you confirm? We are trying to find out what's in those license files.

    Have you given server access to anyone lately? Have you installed anything new?

    • 9 posts
    May 11, 2018 5:33 AM EDT

    I got "cpmove-mahubcom54" from the company that developed the website and restored with SiteGround, they did the restore and blocked the website straight away because their scan detected malicious code.

    Nobody touched my files, but I did scan locally and Kaspersky found some suspicious files under the Microsoft Azure folder.

    I'm sure this is no malware, it's just license files that are encoded, but no hosting provider would keep my site live until I remove those suspicious files.

    I'm so stuck at the moment.

    • 1999 posts
    May 11, 2018 5:38 AM EDT

    We are not saying they have the malware encoded in their code. We are wondering what's in those files and whether there's a hole that allowed a hack or any open connection. It's very hard to say without knowing what's in them.

    • 9 posts
    May 11, 2018 5:40 AM EDT

    It's encoded text, not much to read there to be honest. I could share it here if you think this may help.

    • 1999 posts
    May 11, 2018 5:54 AM EDT

    No please don't post it here. We need them to let us know what's in the file. 

    • 1999 posts
    May 11, 2018 7:07 AM EDT

    I believe they will post about this or answer here soon.

    • 115 posts
    May 11, 2018 7:44 AM EDT

    Hello @pandroid. It seems that your hosting company is detecting our SocialEngineAddOns non-certified plugins' license files as malicious.

    Our non-certified plugins have a license check to verify that the installation is using a valid license key, and is not a pirated product. These files just make one call to our server with: License key, module name and website URL.

     

    These files are encoded so that pirates are not able to bypass the license check. Because these files are encoded, certain hosting companies detect them as malicious. Advanced malware detection software does not detect these files as malicious. In the past, our Clients facing this problem have asked their hosting company to add an exception for these license files so that they are not detected as malicious. Thus, we recommend that you ask your hosting provider to do the same.

     

    For any help from our Support Team regarding this, please send us an email at: sales@socialengineaddons.com, or file a Support Ticket from your SocialEngineAddOns Client Area.
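An added triage example, not part of the thread or any participant's code: before asking a host to exclude the license files, check that every scanner hit actually falls under the vendor's explanation. It parses lines in the report's format and separates live `controllers/license/*.php` files from staged package copies and from hits that need manual review; the `exampleuser` account, the `Examplea`/`Exampleb` modules and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Report line format quoted in the thread:
#   [GEN]obfuscated_globals [DD/MM/YY] /absolute/path
REPORT_LINE = re.compile(
    r"^\[(?P<family>[A-Z]+)\](?P<rule>\S+)\s+"
    r"\[(?P<date>\d{2}/\d{2}/\d{2})\]\s+(?P<path>/.+)$"
)
# The only paths the vendor's explanation covers:
#   .../application/modules/<Module>/controllers/license/*.php
LICENSE_FILE = re.compile(
    r"/application/modules/(?P<module>[^/]+)/controllers/license/[^/]+\.php$"
)

# Constructed sample shaped like the report (hypothetical account and modules).
SAMPLE_REPORT = """\
[GEN]obfuscated_globals [20/01/17] /home/exampleuser/public_html/temporary/package/sdk/module-examplea-1.0.0.tar
[GEN]obfuscated_globals [24/02/17] /home/exampleuser/public_html/temporary/package/packages/module-examplea-1.0.0/application/modules/Examplea/controllers/license/license1.php
[GEN]obfuscated_globals [05/12/16] /home/exampleuser/public_html/application/modules/Examplea/controllers/license/license1.php
[GEN]obfuscated_globals [05/12/16] /home/exampleuser/public_html/application/modules/Examplea/controllers/license/license.php
[GEN]obfuscated_globals [27/09/17] /home/exampleuser/public_html/application/modules/Exampleb/controllers/license/license2.php
[GEN]obfuscated_globals [27/09/17] /home/exampleuser/public_html/application/modules/Exampleb/controllers/Upload.php
"""


def parse_report(text):
    """Return one dict (family, rule, date, path) per well-formed report line."""
    hits = []
    for raw in text.splitlines():
        match = REPORT_LINE.match(raw.strip())
        if match:
            hits.append(match.groupdict())
    return hits


def triage(hits, webroot):
    """Sort hits into live license files (by module), staged copies, and the rest."""
    live_prefix = webroot.rstrip("/") + "/application/modules/"
    live, staged, unexplained = defaultdict(list), [], []
    for hit in hits:
        path = hit["path"]
        match = LICENSE_FILE.search(path)
        if match and path.startswith(live_prefix):
            live[match.group("module")].append(path)
        elif match:
            staged.append(path)        # license file inside an unpacked package copy
        else:
            unexplained.append(path)   # not a license file: review by hand
    return {"live_license": dict(live), "staged_copy": staged,
            "unexplained": unexplained}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT), "/home/exampleuser/public_html")
    for module, paths in sorted(result["live_license"].items()):
        print(f"{module}: {len(paths)} live license file(s)")
    print("staged copies:", len(result["staged_copy"]))
    for path in result["unexplained"]:
        print("REVIEW:", path)
```

A path match only shows that a hit is where a license file is expected, not that its contents are the vendor's; comparing each file's hash with a fresh download from the vendor is the stronger check.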

    • 9 posts
    May 11, 2018 8:20 AM EDT

    I am afraid the company that built my site is out of business now, and I can't retrieve the email and password for the account that they used to purchase those plugins.

    What do I do if the hosting company won't agree to whitelist those license files?

     

    And I'm in the same situation with the SocialEngine license: I only have the key that's shown in the admin panel, I don't have the license file.

     

     

    • 1999 posts
    May 11, 2018 8:23 AM EDT

    There is no error showing for SocialEngine files. If you need your license transferred into your account we do have an amnesty going on or we did. If the person you bought it from was an authorized reseller. Please contact us via support to find out.

    • 9 posts
    May 11, 2018 8:28 AM EDT

    Thank you so much Donna, I will email support with the license key that I have and hopefully, we can transfer the license to my account.

    • 115 posts
    May 11, 2018 8:40 AM EDT

    @pandroid, please send us an email at: sales@socialengineaddons.com with the URL of your community, and we'll take it from there.

    • 53 posts
    May 16, 2018 3:00 PM EDT

    Were you able to get this resolved? If these are not SocialEngine AddOns plugins I would not let them touch your site. Contact me and I can try and help you 

  • gs
    • 597 posts
    May 16, 2018 6:52 PM EDT

    @SEAO

    ==> '...Our non-certified plugins have a license check to verify that the installation is using a valid license key, and is not a pirated product. These files just make one call to our server with: License key, module name and website URL...'

    How often and/or when is this performed PER Plugin?

    • 115 posts
    May 17, 2018 4:51 AM EDT

    @gs, this is never performed during the normal working of a plugin. This is only performed in the respective plugin's admin panel, and whenever the license key is changed. SocialEngine's new plugin guidelines that come with certification now already perform anti-piracy checks, and as we're gradually making our plugins certified, these checks performed in the admin panel will also get removed.