Wordpress Themes - WP Forum at BFA

Apparent Atahualpa theme file triggering AV trojan warning


  #1  
Sep 9, 2015, 10:23 AM
rainbow
 
13 posts · Apr 2013
Although my site seems to be functioning normally, my Avast antivirus is sending a trojan alert when I try to download theme backup files. I have been able to identify the problematic file as /public_html/wp-content/themes/atahualpa/functions/bfa_get_option.php. This file has a different (more recent) date from all of the other files in the directory.

I notice there is also a very similarly named file in the same directory, bfa_get_options.php, which has the same date as all the other files. Should wp-content/themes/atahualpa/functions/ contain both a bfa_get_option.php and bfa_get_options.php file, or can I safely delete the get_option file?
  #2  
Sep 9, 2015, 11:22 AM
juggledad
 
23,576 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
There is NO bfa_get_option.php in the theme - there is a bfa_get_options.php

I would take a look at that file BEFORE you delete it to see what was in it. If it is not the normal code it is probable that your site has been hacked and you need to deal with that.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #3  
Sep 10, 2015, 06:11 PM
rainbow
 
13 posts · Apr 2013
My AV program wouldn't let me open bfa_get_option.php before deleting (but I'm OK with that). I deleted it from my WordPress installation and happily, my site didn't break. I am now able to create downloadable backups of my theme files (though thanks to your excellent save all settings option, I was not nearly as freaked out that I couldn't save backups as I might've been - I have done a LOT of customization on my site, so I really appreciate that feature).

I'm not sure what else to check. I asked my ISP, but they didn't reply. Anyway, I know that's not your problem. Thanks a lot for the swift reply.
  #4  
Sep 11, 2015, 01:18 AM
juggledad
 
23,576 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
It's too bad you deleted it, you have lost a piece of forensic evidence. Looking at the date the file was last changed would have been helpful because you would know the point when you may have been hacked.

To be safe, you should do a google search 'wordpress site hacked' and follow thru with the suggestions you find.
  #5  
Sep 12, 2015, 01:34 AM
rainbow
 
13 posts · Apr 2013
I did note the date before deleting - Sept. 6th. Surely I don't want to open a file that has been identified as a possible trojan on my computer?
  #6  
Sep 12, 2015, 01:54 PM
juggledad
 
23,576 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
'I' would have opened it in a text editor to see what was in it. Comparing it to the original code would have shown what was changed/added and given a clue as to what hack was used. This would be something you could take to your host.

As it is, if the file was changed September 6th and you didn't do it, you have been hacked and that might not be the only file that was compromised.

I'd also look thru ALL the files in the wordpress root to see if anything else was changed on September 6th, then I would reinstall all the wordpress files, plugins and all themes.

Change all passwords in the database and on your channel and FTP accounts and run a scan on your PC and any other PC that you or anyone with admin rights may have used to access the site.
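The checks suggested in post #6 (compare against the original code, look for anything else changed on September 6th), as an added example that is not part of the thread or the theme's own code. It assumes a clean copy of the theme or WordPress release has been unpacked next to a copy of the installed files; `triage` and `demo` are hypothetical names, and the demo tree with its 2013 date and placeholder file contents is constructed.

```python
import hashlib, os, tempfile
from datetime import date, datetime

def sha256(path):
    with open(path, "rb") as fh:          # read as bytes only; nothing is executed
        return hashlib.sha256(fh.read()).hexdigest()

def index(root):
    """Map relative path -> absolute path for every file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def triage(installed_root, clean_root, suspect_day):
    """List files missing from the clean copy, files whose content differs,
    and files whose last-modified date equals suspect_day."""
    installed, clean = index(installed_root), index(clean_root)
    report = {"extra": [], "modified": [], "touched_on_day": []}
    for rel, full in sorted(installed.items()):
        if rel not in clean:
            report["extra"].append(rel)
        elif sha256(full) != sha256(clean[rel]):
            report["modified"].append(rel)
        if datetime.fromtimestamp(os.path.getmtime(full)).date() == suspect_day:
            report["touched_on_day"].append(rel)
    return report

def demo():
    """Constructed sample: a clean theme copy and an installed copy with one extra file."""
    base = tempfile.mkdtemp()
    old = datetime(2013, 4, 1, 12).timestamp()     # constructed install date
    sep6 = datetime(2015, 9, 6, 12).timestamp()    # date reported in the thread
    trees = {"clean": {"functions/bfa_get_options.php": old},
             "installed": {"functions/bfa_get_options.php": old,
                           "functions/bfa_get_option.php": sep6}}
    for tree, files in trees.items():
        for rel, mtime in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.utime(path, (mtime, mtime))
    return triage(os.path.join(base, "installed"),
                  os.path.join(base, "clean"), date(2015, 9, 6))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Modification times can be reset by whoever wrote the file, so the `extra` and `modified` lists, which rest on comparison with a clean copy, are the stronger signal; the date match only helps narrow the time window.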
  #7  
Sep 18, 2015, 02:12 PM
rainbow
 
13 posts · Apr 2013
When I do a settings export, does that settings file include my css inserts, or do I need to back those up separately?
  #8  
Sep 18, 2015, 06:05 PM
juggledad
 
23,576 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
The Atahualpa export contains ALL the Atahualpa settings. Since the CSS inserts are an Atahualpa option they get exported.
  #9  
Sep 19, 2015, 02:51 AM
rainbow
 
13 posts · Apr 2013
Excellent! I know I already said thanks for that feature, but after spending way too much of the day screenshotting the settings of every plugin and widget I use in preparation for reinstalling my site, I have a whole new level of appreciation for it! How I wish everyone else would make you their role model!

Tags
antivirus, avast, infection, trojan, virus

All times are GMT -6.