• Resolved shoopi

    (@shoopi)


    Hello, I just received an alert email stating

    Critical Problems:
    * This file appears to be malicious (multiple times)

    I went to the site, checked the Wordfence latest scan and it appeared to identify malicious content within a range of different files including png images. I then re-ran the scan (without making any changes) and it told me

    Congratulations! You have no security issues on your site.

    Were these false positives? Many thanks in advance for any help.

    https://www.ads-software.com/plugins/wordfence/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Same for me on 3 sites. 21 malicious files to none. I downloaded several and ran diffs against files downloaded from WordPress and they were the same, so I’m betting on a false positive.

    I just got one of these messages as well. Seems a false positive.

    I’m getting the same error…

    Same here on a number of sites, and no indication as to which file is the supposed culprit, either in the email or on the scan page.

    Additional runs of WF do not show any such errors.

    Same here, warning about critical issues but no filenames inside the email.

    Same here. Warning about malicious files but no filename.

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi all,

    Working on this now. We’re able to reproduce it in our lab. But I may ask you to work with us if we need more data. Should have a fix out soon.

    Regards,

    Mark.

    Mark,

    There must be something to this file, I cannot log in to my site at all and received the following message: Wordfence found the following new issues on “Saint Stephen's Episcopal Church”.

    Alert generated at Thursday 24th of April 2014 at 08:07:14 PM Critical Problems:

    * This file appears to be malicious

    So I’m unable to run a WF scan or add needed changes to the site; https://www.ststephensforest.org. Thanks!

    Roy

    A repeat of the message, for some reason posting didn’t include 's

    Wordfence found the following new issues on “Saint Stephen's Episcopal Church”.

    Alert generated at Thursday 24th of April 2014 at 08:07:14 PM Critical Problems:

    * This file appears to be malicious

    Mark,
    There are characters in the message which for some reason will not post. After the n in stephen’s there are these characters; & # 039 ; s Episcopal Church”. (spaced because they will not post in the message)

    Alert generated at Thursday 24th of April 2014 at 08:07:14 PM Critical Problems:

    * This file appears to be malicious
    ` Episcopal Church”.


    Plugin Author Wordfence Security

    (@mmaunder)

    OK so the specific issue we’re addressing here is the one @shoopi posted above where you do a scan, the status says you have some issues but the issue list says “Congratulations you have no issues” in green.

    We’ve found the bug and it is:

    If you’re doing a scan and you have comment scanning for malware URLs enabled OR “Check password strength on profile update” enabled, then:

    If during a scan someone posts a comment OR someone updates their profile, your list of new scan issues will be deleted up to that point. So if the scan is halfway through and it adds a few more issues, you will get a partial list, or you may get no issues at all, which seems to be more common.

    The fix is to disable the following two options at the bottom part of the Wordfence options page under Other options:

    DISABLE Scan comments for malware and phishing URL’s
    DISABLE Check password strength on profile update

    This is a TEMPORARY fix, and the next version, which will be out in a few days, will have a permanent and proper fix.

    Regards,

    Mark.

    Plugin Author Wordfence Security

    (@mmaunder)

    To be clear: When we release the permanent fix you can then reenable the two options I suggested disabling above.

    Regards,

    Mark.

    We have run a scan with neither of these options checked, and we’re having the same issue (email and scan monitor displays errors but there are no New Issues listed). Are there any other options that could be interfering?

    mscwebmaster

    (@theresajennings2011)

    I’m getting the same thing, but here is the warning I’m getting:

    This file may contain malicious executable code

    Filename: wp-content/plugins/soliloquy/assets/js/codemirror.js
    File type: Not a core, theme or plugin file.
    Issue first detected: 5 hours 49 mins ago.
    Severity: Critical
    Status New

    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.

    So it’s for Soliloquy. Except the file is a .js file, not a PHP executable file. I’ve contacted Soliloquy, and they have no idea why your scan is flagging this file.
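
An added example, not part of the original post and not Wordfence's code: a sketch of the kind of same-line rule the alert text describes, showing how it fires on a JavaScript file that merely contains the text, and how checking for a PHP open tag separates that case from PHP hidden in a non-PHP file such as a PNG. The regexes, sample contents and function names are assumptions made for illustration.

```python
import re

# Assumed approximation of the rule described in the alert: eval( and a
# base64 decode call on one line. These regexes are illustrative, not
# Wordfence's actual signatures.
EVAL = re.compile(r"\beval\s*\(")
B64 = re.compile(r"\bbase64_decode\s*\(")
# Any PHP open tag, short tags included, but not an XML declaration.
PHP_OPEN = re.compile(r"<\?(?!xml)", re.IGNORECASE)

# Constructed samples (not taken from any real plugin or site).
JS_SAMPLE = (b"// editor mode file\n"
             b"var demo = 'eval(base64_decode($x));'; // text shown in the editor\n")
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>"
CLEAN_SAMPLE = b"<?php echo base64_decode($a);\n$b = strlen($a);\n"


def suspicious_lines(text):
    """Return 1-based numbers of lines that contain both calls."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if EVAL.search(line) and B64.search(line)]


def classify(data):
    """Classify raw file bytes as (label, matching line numbers).

    'clean'      : no line matches the rule
    'php-match'  : a line matches and the content has a PHP open tag
    'text-match' : a line matches, but the content has no PHP open tag,
                   so describing it as a "PHP executable" would be wrong
    """
    text = data.decode("latin-1")  # lossless for arbitrary bytes, images included
    hits = suspicious_lines(text)
    if not hits:
        return "clean", hits
    return ("php-match" if PHP_OPEN.search(text) else "text-match"), hits


if __name__ == "__main__":
    for name, data in [("editor-mode.js", JS_SAMPLE),
                       ("image.png", PNG_SAMPLE),
                       ("helper.php", CLEAN_SAMPLE)]:
        print(name, classify(data))
```

The label depends on the content rather than the file extension, so a `text-match` result can be reported at lower severity for manual review instead of being described as a PHP executable.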

  • The topic ‘Malicious file warnings, scan shows no issues’ is closed to new replies.