Compromised files in plugin folder

I have an email from my host that there is a malicious file in the s2member folder. Can anyone confirm if this is actually malicious?

We have identified malicious content on your account, added by an outside entity, which may include malware such as backdoor shells, adware, botnet, and spammer scripts.

The following file(s) specifically have been identified as attacker-added malware. We have DISABLED these files by setting their permissions to 200 (Owner write-only). You will need to audit these files and either replace them with known good versions or remove them altogether:


Hi Tori,

That file has been in s2 for over 10 years, pretty much unchanged. It has to do with the tracking API that integrates with analytics or affiliate systems, for example. WP Admin > s2Member > API / Tracking

I don’t know if something on your site modified it; you can get a clean copy from the zip file and upload it in its stead. Or maybe your host, for some reason, considers that code suspicious, most likely using some scanner. You can tell them its use and show them it’s in the official distribution, which may put them at ease.

But if you don’t use the Tracking API in s2 at all, you can also just leave it as they set it, and you’ll probably be fine, too.
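The comparison suggested in the reply above (installed files against the copies in the official zip), as an added example that is not part of the original thread and not s2Member's own code. The `s2member/` top-level folder inside the zip and the two paths passed on the command line are assumptions; a file the host left at permissions 200 is reported as unreadable until read permission is restored.

```python
import hashlib
import sys
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_plugin(zip_path, installed_dir, zip_prefix="s2member/"):
    """Compare an installed plugin folder against the official zip.

    zip_prefix is the plugin's folder name inside the zip (assumed).
    Returns relative paths grouped as modified, missing, extra
    (on disk but not in the zip) and unreadable (e.g. mode 200).
    """
    installed_dir = Path(installed_dir)
    report = {"modified": [], "missing": [], "extra": [], "unreadable": []}

    with zipfile.ZipFile(zip_path) as zf:
        # Relative path -> SHA-256 for every file under the plugin prefix.
        known = {
            name[len(zip_prefix):]: sha256(zf.read(name))
            for name in zf.namelist()
            if name.startswith(zip_prefix) and not name.endswith("/")
        }

    for rel, good_hash in sorted(known.items()):
        target = installed_dir / rel
        if not target.is_file():
            report["missing"].append(rel)
            continue
        try:
            if sha256(target.read_bytes()) != good_hash:
                report["modified"].append(rel)
        except PermissionError:
            # Files disabled by the host (owner write-only) cannot be hashed.
            report["unreadable"].append(rel)

    # Files that exist on disk but were never shipped in the distribution.
    on_disk = {p.relative_to(installed_dir).as_posix()
               for p in installed_dir.rglob("*") if p.is_file()}
    report["extra"] = sorted(on_disk - set(known))
    return report


if __name__ == "__main__":
    # Usage: python audit.py <official-zip> <path-to-installed-plugin-folder>
    for status, paths in audit_plugin(sys.argv[1], sys.argv[2]).items():
        print(status, paths)
```

A file listed under `modified` or `extra` is one to replace from the zip or remove; a flagged file that hashes identically to the distributed copy is what you can show the host.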