Strange Things Happening

Hello All,

A couple of weeks ago we thought we had a vulnerability exposed with the plugin Real Estate Manager Pro… Upon doing some investigating we found a plugin that was installed but not showing up in my Plugins list on the child site.

I went through DirectAdmin into the backend and went to the plugins folder, and found /xfrgp (or something like that; you'd think I would remember because it keeps coming back…). The vulnerability was a pop-up when viewing property listings; it was a “google recaptcha” where the person was asked to call a number to get a code to use to continue on in the site. Once we removed the /xfrgp folder, the pop-up stopped.

I did some research and I believe the /xfrgp folder is the WordPress Basic Cache plugin? This is where I get confused. Then we had a new plugin installed called Site Toolkit Services, and I deleted that plugin as well, as it didn’t come up in the plugins list on the child site and I didn’t install it.

Today, I was going through WPMainPro settings and I found, at the bottom of one of the setting pages where it confirms the versions that the WPMainPro Server is using, the plugins I mentioned above, and they are Active… So does WPMainPro create a new user? (That happened on this child site: the user was set to administrator and was called wp_cache_mgr, and in the logs I see that user installed the WordPress Basic Cache plugin again.)

Now on that child site I’m having all images in the media folder convert to .html or .htm extensions, and yet if you go in through DirectAdmin they are named correctly and I can download them in .jpg format with no issue…

So as you can see, I’m spinning… I thought I caught the culprit and the malware plugin but now I see that plugin is yours?

Any suggestions?

Mike.

Hey @aliadoadmin

Sorry to hear about that experience. It doesn’t seem to be related to MainWP, though.

We do not install anything in the xfrgp directory, so I very much doubt that the plugin is ours.

In fact, the MainWP Dashboard does not install anything on the child site without the user’s explicit intent.

In some cases, we will prompt the user to install a plugin on child sites (e.g., when setting up an add-on like MainWP UpdraftPlus we will prompt you to install UpdraftPlus plugin on Child sites), but even that has to be approved by the user.

Not sure I am following this. Can you send me a screenshot?

It is possible to create a user on Child Sites via the MainWP Dashboard, but it’s a manual process, and the MainWP Dashboard never creates them by itself.

Hi Bojan,

Here is a Loom video showing what I am referring to → Network Activity Review on Mars 10th for WordPress Basic Cache Plugin | Loom

Sorry I believe the audio isn’t very good so I didn’t do much talking.

The user wp_cache_mgr that installed that plugin is not related to MainWP.

We just show it in the Network Activity for your information. Basically so you can see who is doing what on your Child Sites.

Also, you can see that the plugin was installed from the WP Admin of the Child site, not via the MainWP Dashboard.

The WordPress Basic Cache plugin that you are seeing in MainWP System Info is not ours.

That page simply lists all installed plugins on the MainWP Dashboard site.

I would start with your hosting support. Maybe that caching plugin is something they install on all sites hosted with them. Maybe the malware simply infected that otherwise legitimate plugin. It’s hard to speculate on what happened, but these plugins and events do not seem to be related to MainWP.

Ok, that really helps eliminate one path I had to follow. Thanks Bojan for your quick responses, it’s much appreciated.
