[Escalated to Compatibility team] My web host software says there’s malicious code in the types plugin

This topic contains 6 replies, has 1 voice.

Last updated by Christopher Amirian 1 month, 2 weeks ago.

Assisted by: Christopher Amirian.

#2805778

Here's an excerpt from the email message I got from DreamHost:

The following file(s) specifically have been identified as attacker-added malware. We have DISABLED these files by setting their permissions to 200 (Owner write-only). You will need to audit these files and either replace them with known good versions or remove them altogether:

/home/agafdan/lifewaysnorthamerica.org/wp-content/plugins/types/vendor/toolset/toolset-common/lib/Zip.php

I deactivated/deleted the plugin and reinstalled it from the latest version I downloaded from your site. Can you please check it out?

#2805783

Christopher Amirian
Supporter

Languages: English (English )

Hi,

Welcome to Toolset support.

Would you please make sure that you have the latest version of Toolset plugins?

- IMPORTANT STEP! Create a backup of your website. Or, a better approach would be to test this on a copy/staging version of the website to avoid any disruption of a live website.
- Go to "WordPress Dashboard > Plugins > Add new > Commercial (tab)".
- Click the "Check for Updates" button.
- Update Toolset and its addons there.

Also, for the Types plugin explicitly, I suggest that you upload the latest version even if the version is the same, so you can make sure it has our version:

- IMPORTANT STEP! Create a backup of your website. Or, a better approach would be to test this on a copy/staging version of the website to avoid any disruption of a live website.
- Make sure you are signed in to toolset.com.
- Go to hidden link
- Click the "Download Toolset manually" link to show the rest of the plugins on the page.
- Download the latest version of Toolset and its add-ons.
- Install them manually on your website. If WordPress asks if you want to replace files, say yes.

Thanks.

#2805785

I got the notice about malicious code yesterday, deleted the plugin and reinstalled it from the download I got from your website. This morning I got the same message. So my web host, DreamHost, had re-scanned the site last night and still reported the same thing: a suspicion that there was malicious code in that Zip.php file.

#2805918

Christopher Amirian
Supporter

Hi,

Thank you very much. I reported this to the second-tier support, but most probably, there will be questions on what exactly the issue is that the system of your host detects as malware. They usually have an error log that you can ask their support to share.

That will help us to identify what might be the cause of the problem.

#2806506

I haven't heard back from second-tier support yet.

#2806553

Christopher Amirian
Supporter

Hi,

The issue has been escalated to our development team. They double-checked and there is no backdoor or malicious code.

The warning most probably is because:

The presence of raw ZIP headers such as \x50\x4b\x03\x04 which malware scanners associate with malware.

The development team will work to see if it is possible to avoid the ZIP library altogether and use more modern technologies.

That will take time.

If I have news, I will share it with you here.

Thanks.

#2806555

Christopher Amirian
Supporter

I also have a comment from our dev team that most probably you will be OK using Toolset by deleting that specific file for the time being.

So you can continue your work.

Thanks.
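
An added example, not part of the thread and not Toolset's or DreamHost's code: one way to triage a scanner-flagged file such as Zip.php is to hash it against the copy inside a freshly downloaded vendor archive and to list the lines that carry escaped ZIP signatures like the `\x50\x4b\x03\x04` quoted above. The archive member path, the file contents and the function names are constructed for the demonstration.

```python
import hashlib
import io
import re
import zipfile

# ZIP record signatures as escaped in source text. The first is quoted in the
# thread; the others are the standard central-directory and end-of-directory ones.
SIGNATURES = {
    "local file header": rb"\\x50\\x4b\\x03\\x04",
    "central directory": rb"\\x50\\x4b\\x01\\x02",
    "end of central directory": rb"\\x50\\x4b\\x05\\x06",
}

def signature_lines(source: bytes):
    """Return (line number, signature name) for each escaped ZIP signature."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((lineno, name))
    return hits

def triage(installed: bytes, vendor_zip: bytes, member: str) -> dict:
    """Compare the flagged file with the copy inside the vendor archive."""
    with zipfile.ZipFile(io.BytesIO(vendor_zip)) as archive:
        reference = archive.read(member)
    same = hashlib.sha256(installed).digest() == hashlib.sha256(reference).digest()
    return {
        "matches_vendor": same,
        "signature_lines": signature_lines(installed),
        # Byte-identical to the vendor copy: the alert concerns vendor code.
        # Any difference: the installed file was changed and needs review.
        "verdict": "vendor-identical" if same else "modified",
    }

# Constructed sample data (not Toolset's real source or archive layout).
MEMBER = "types/vendor/toolset/toolset-common/lib/Zip.php"
CLEAN = b'<?php\n$header = "\\x50\\x4b\\x03\\x04";\n$eocd = "\\x50\\x4b\\x05\\x06";\n'
TAMPERED = CLEAN + b"// constructed extra line standing in for a modification\n"

def build_vendor_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(MEMBER, CLEAN)
    return buf.getvalue()

if __name__ == "__main__":
    for sample in (CLEAN, TAMPERED):
        print(triage(sample, build_vendor_zip(), MEMBER))
```

A "modified" verdict on a file that was just reinstalled from the vendor download means something on the host is rewriting it, which is a different problem from a signature match on vendor code.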