Malware/Virus inserted into uploads/rtMedia folder?


#1

Three days ago, our web host alerted us that the file “wp-content/uploads/rtMedia/tmp/rt.php” had “likely been uploaded by others.” We didn’t see the message until this morning when our site went down. At that point we saw the message along with another one from this morning alerting us of several other new, suspicious files on our site (in the main directory this time). I deleted/restored all the affected files our host found and got our site back online. I don’t know how the malware got on our site or whether this morning’s hack was related to the wp-content/uploads/rtMedia/tmp/rt.php file from 3/28, but I thought I should mention it on this forum. I don’t know if the plugin might have a vulnerability or if the problem lies elsewhere. We have always had some trouble with this plugin’s functionality on our site, though.

We are using rtMedia 4.3.1, BuddyPress 2.8.2, and WordPress 4.7.3, which should all be the latest versions. (We do have several other plugins though.) We were using the theme Woffice 2.3.5, which I plan to update now.


#2

Hello @FrizL123,

Many customers are using this product, but we have never heard of such an issue from any of our customers before this. The issue might not be related to the rtMedia plugin. It looks like someone targeted your website to add random files inside the rtMedia plugin folder.

Please update the password, and re-install/update plugins ASAP.

Thanks.


#3

Thanks! Yes, I’ve changed our passwords and updated plugins. Our website is hidden/private and theoretically requires a login to even view. Like I said, I have no idea how the hacker got in, maybe through some vulnerability elsewhere. I’m posting this here “just in case” it’s important. Here is the access log of the hacker’s activity. (The /wp-content/uploads/rtMedia/tmp/ folder did not exist before the attack, and rt.php was the only file in the tmp folder when I found it.) I’m inexperienced in interpreting such things, but if I understand correctly, he didn’t go to the login page until after he “POST”ed to rtUploadAttachment.php. (I found no record of suspicious FTP activity either.) The second attack that happened 3 days after this one came from a different IP in a different country. (It added files to the main WordPress folder, not an rtMedia folder.)

5.149.249.10 - - [28/Mar/2017:08:36:46 -0400] "POST /wp-content/plugins/buddypress-media/app/helper/rtUploadAttachment.php HTTP/1.1" 200 118 ourdomain.org "http://ourdomain.org" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.4) Gecko/2008102920 AdCentriaIM/1.7 Firefox/3.0.4" "-"
5.149.249.10 - - [28/Mar/2017:09:17:12 -0400] "GET /wp-content/uploads/rtMedia/tmp/wp.php.docx HTTP/1.1" 200 107571 ourdomain.org "http://ourdomain.org/wp-content/uploads/rtMedia/tmp/wp.php.docx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
5.149.249.10 - - [28/Mar/2017:09:54:44 -0400] "GET /wp-content/uploads/rtMedia/tmp/wp-rt.php.docx HTTP/1.1" 302 - ourdomain.org "http://ourdomain.org/wp-content/uploads/rtMedia/tmp/wp-rt.php.docx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
5.149.249.10 - - [28/Mar/2017:09:54:47 -0400] "GET /login/?redirect_to=http%3A%2F%2Fourdomain.org%2Fwp-content%2Fuploads%2FrtMedia%2Ftmp%2Fwp-rt.php.docx HTTP/1.1" 200 120799 ourdomain.org "http://ourdomain.org/wp-content/uploads/rtMedia/tmp/wp-rt.php.docx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
5.149.249.10 - - [28/Mar/2017:10:18:18 -0400] "POST /wp-content/plugins/buddypress-media/app/helper/rtUploadAttachment.php HTTP/1.1" 200 121 ourdomain.org "http://ourdomain.org" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.4) Gecko/2008102920 AdCentriaIM/1.7 Firefox/3.0.4" "-"
5.149.249.10 - - [28/Mar/2017:10:39:08 -0400] "GET /wp-content/uploads/rtMedia/tmp/wp-rt.php.docx HTTP/1.1" 200 107673 ourdomain.org "http://ourdomain.org/wp-content/uploads/rtMedia/tmp/wp-rt.php.docx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
5.149.249.10 - - [28/Mar/2017:10:40:19 -0400] "GET /wp-content/uploads/rtMedia/tmp/rt.php HTTP/1.1" 200 3230 ourdomain.org "http://ourdomain.org/wp-content/uploads/rtMedia/tmp/rt.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
5.149.249.10 - - [28/Mar/2017:10:41:18 -0400] "GET /wp-content/uploads/rtMedia/tmp/rt.php HTTP/1.1" 200 3230 ourdomain.org "http://lhmteam.org/wp-content/uploads/rtMedia/tmp/rt.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"

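The pattern in the log above (a POST to a plugin upload handler, followed by 200 responses for .php and .php.docx files under wp-content/uploads/) is the kind of sequence that can be flagged automatically. The script below is an added example, not code from this thread or from the rtMedia project. It parses standard Apache combined-format lines (the sample lines are constructed, modelled on the entries in the post but without the extra vhost column) and raises two kinds of finding: any 200 for a file under uploads/ that carries an executable extension anywhere in its name, and such a hit preceded by an upload-handler POST from the same IP. The three-hour window, the extension list and the "plugin path containing upload" heuristic are assumptions to tune for your own site.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" LogFormat. Adjust the regex if your host adds columns
# (the post's log shows a vhost field before the referer, for example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions a PHP handler may execute. A file under uploads/ carrying one of
# these in ANY position of its name (wp.php.docx included) should never
# return 200; a double extension is a classic way to slip past "ends with"
# upload filters. Assumed list; extend for your stack.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
UPLOAD_DIR = "/wp-content/uploads/"

# Hypothetical: how long after an upload POST a hit on a new file still counts
# as the same actor's session.
WINDOW = timedelta(hours=3)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_upload_path(path):
    """True for a file under uploads/ with an executable extension anywhere in
    its name: rt.php, wp.php.docx and shell.phtml.jpg all match, photo.jpg does not."""
    if not path.startswith(UPLOAD_DIR):
        return False
    exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    return any(ext in EXEC_EXTS for ext in exts)


def is_upload_handler(rec):
    """Heuristic: a POST to a plugin script whose name contains 'upload'."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-content/plugins/")
            and "upload" in rec["path"].lower())


def analyze(log_text):
    """Walk the log in order and return a list of findings (dicts)."""
    findings = []
    last_post = {}  # ip -> time of the most recent upload-handler POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_handler(rec):
            last_post[rec["ip"]] = rec["ts"]
            continue
        if (rec["method"] == "GET" and rec["status"] == 200
                and suspicious_upload_path(rec["path"])):
            prior = last_post.get(rec["ip"])
            kind = ("upload-then-execute"
                    if prior is not None and rec["ts"] - prior <= WINDOW
                    else "executable-in-uploads")
            findings.append({"kind": kind, "ip": rec["ip"], "path": rec["path"],
                             "time": rec["ts"].isoformat()})
    return findings


# Constructed sample, modelled on the post's entries (user agents shortened).
SAMPLE_LOG = """\
5.149.249.10 - - [28/Mar/2017:08:36:46 -0400] "POST /wp-content/plugins/buddypress-media/app/helper/rtUploadAttachment.php HTTP/1.1" 200 118 "http://ourdomain.org" "Mozilla/5.0 Firefox/3.0.4"
5.149.249.10 - - [28/Mar/2017:09:17:12 -0400] "GET /wp-content/uploads/rtMedia/tmp/wp.php.docx HTTP/1.1" 200 107571 "http://ourdomain.org/" "Mozilla/4.0 MSIE 6.0"
5.149.249.10 - - [28/Mar/2017:09:54:44 -0400] "GET /wp-content/uploads/rtMedia/tmp/wp-rt.php.docx HTTP/1.1" 302 - "http://ourdomain.org/" "Mozilla/4.0 MSIE 6.0"
5.149.249.10 - - [28/Mar/2017:10:18:18 -0400] "POST /wp-content/plugins/buddypress-media/app/helper/rtUploadAttachment.php HTTP/1.1" 200 121 "http://ourdomain.org" "Mozilla/5.0 Firefox/3.0.4"
5.149.249.10 - - [28/Mar/2017:10:40:19 -0400] "GET /wp-content/uploads/rtMedia/tmp/rt.php HTTP/1.1" 200 3230 "http://ourdomain.org/" "Mozilla/4.0 MSIE 6.0"
203.0.113.7 - - [28/Mar/2017:10:45:00 -0400] "GET /wp-content/uploads/2017/03/photo.jpg HTTP/1.1" 200 45321 "http://ourdomain.org/" "Mozilla/5.0"
198.51.100.5 - - [28/Mar/2017:11:02:13 -0400] "GET /wp-content/uploads/old/backdoor.php HTTP/1.1" 200 512 "-" "curl/7.52.1"
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feed it the real access log with `analyze(open("access.log").read())`. A 302 (the wp-rt.php.docx hit redirected to the login page) is deliberately not flagged; only a 200 shows the server actually served or executed the file. Whatever wrote rt.php, the durable fix is to make the uploads tree non-executable at the web-server level, so that a dropped .php file returns a 403 instead of a 200 on the next visit.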

#4