• Resolved glenbelt

    (@glenbelt)


    Hi there,

    Firstly great plugin – thanks a lot for developing it!

    I received this warning earlier from my web host and am not sure if it’s just a false alarm but thought I’d share it here in case it wasn’t:

    Malware file log:
    Mar 9 15:36:02 kobe cxs[932537]: [‘/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_bdbaf3235595871e04da74772eb58264.css’] – ClamAV detected virus = [Html.Exploit.CVE_2016_0108]
    Mar 9 15:36:11 kobe cxs[932538]: [‘/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_c9baee87b450feed01121a4ef8dec40a.css’] – ClamAV detected virus = [Html.Exploit.CVE_2016_0108]

    Thanks for any help / advice.

    https://www.ads-software.com/plugins/autoptimize/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author Frank Goossens

    (@futtta)

    well, this is a difficult one. nevertheless here are some elements that can help you judge the situation;

    * autoptimized files are merely all your CSS (or JS) aggregated & minified. if one of those original files contains a vulnerability (or is reported by an anti-virus tool as such), then the autoptimized file will probably be flagged as well
    * CVE_2016_0108 is unpublished, so it’s hard (not to say impossible) to tell if this could be a problem or a false positive
    * given the nature of CSS (as opposed to JS) I believe/ think that it is rather unlikely to be a host for a virus

    so impossible to say if this is a false positive or not, but if I had to bet I would say “false positive”.

    frank

    Coincidentally, I also received a malware warning from my host. As I was told to act within 24 hours, it looks like I’ll need to uninstall the Autoptimize plugin.

    The malware scan results from my host are below.

    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_ccce0e93605b5238ff83d28cbafd36d0.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_4c2fb2435ac5684b0928a05a1857a896.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_2f7a8dd016022c3800245cfa652d8108.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_1d52aade7649b298a9c99f1d2c62c257.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_f3e3ca761df45df4a4921b18f25c888e.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c34352ccaa92f37f791bf409cdfc949a.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_616f1dcedd0f2b58921b24cb194c36a9.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_a64a6c6999d3961d80af62e043a019c7.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c555828e34ebc206935466b9f8908a16.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_673e4a926e24615f37987808d6882f05.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_71de4dcb591cbfa168f2db32bd348bfd.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_fe9186069116749c7e3689e7929e6ba7.css

    Plugin Author Frank Goossens

    (@futtta)

    well, as I wrote in my previous comment, this is very likely a false positive that will persist after disabling AO, as the problem will be in one of the original CSS files. but instead of disabling AO you could simply disable CSS optimization, of course.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    if someone can provide me with their “infected” files (send a zip-file to futtta-at-gmail-dot-com) I’ll be happy to investigate and file a “false positive” report at clamav’s.

    frank

    Thread Starter glenbelt

    (@glenbelt)

    I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now..

    I’ve contacted my web host for support too, thanks for your replies.

    Plugin Author Frank Goossens

    (@futtta)

    I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now..

    try re-enabling autoptimize, chances are those files will simply be re-generated?

    Plugin Author Frank Goossens

    (@futtta)

    OK, searched the web some more and found CVE 2016-1080 is an MS IE 11-specific vulnerability that:

    allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability”

    The relevant MS security bulletin can be found here.

    As also stated here, this is more than likely a false positive, but we need to confirm that by looking at the actual files as per my previous comment.

    frank

    Frank,

    Thank you for your quick responses. I’ve tried emailing you the infected files but my email was rejected by gmail because of a virus in the attached files.

    Maria

    Plugin Author Frank Goossens

    (@futtta)

    OK, alternative approach; can you mail me your site’s URL?

    Thread Starter glenbelt

    (@glenbelt)

    I’m also happy to send on my site URL if that helps.

    Plugin Author Frank Goossens

    (@futtta)

    glenbelt: yes please, ideally the full URL to “infected” CSS-files.

    been following this up using web search:
    * a joomla user has a similar problem with a custom CSS-file being flagged
    * a wordpress user has the same warning for popup pro’s CSS

    is any-one here using popup-pro as well?

    frank

    Plugin Author Frank Goossens

    (@futtta)

    followup: a WP Fastest Cache user is reporting the same issue.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    OK, someone (who was not using AO for CSS optimization) provided me with a link to a flagged CSS-file. I went through that and found this in it:

    img{background:transparent;-ms-filter:"progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)";filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);zoom:1}

    This might be the reason; the color code should be a hex triplet (https://en.wikipedia.org/wiki/Web_colors#Hex_triplet) but is a hex quadruplet (which can’t work). It is not impossible that this anomaly (and probably just a silly mistake) is triggering ClamAV.

    The CSS seems to be part of the Oshin-theme.

    So question for those impacted;
    * anyone on the Oshin theme?
    * anyone with similar code in the CSS (DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF))

    frank

    Plugin Author Frank Goossens

    (@futtta)

    For those of you who did not succeed in mailing me the files; you can also copy/paste the contents to https://pastebin.com and provide me with the URL of the pastebin.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    This might be the reason; the color code should be a hex triplet but is a hex quadruplet (which can’t work).

    I’ve found multiple sites with this CSS-trick, including a MS-one, so those hex quadruplets seem not to be a mistake …
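Editor's note, with an added example that is not part of the thread and not Autoptimize's own code: the plugin author's two practical points above are that an aggregated file under wp-content/cache/autoptimize/css/ only carries what the original theme/plugin stylesheets already contain, and that the suspected trigger is the IE-only DXImageTransform gradient filter with 8-digit colour values (which, for that filter, are #AARRGGBB, so #00FFFFFF is fully transparent white, consistent with the last reply). The script below answers the "anyone with similar code in the CSS?" question on your own install: it searches the source .css files under a wp-content directory for the exact snippet quoted above, skipping the derived cache files, and, if ClamAV is installed, scans only those candidate sources so a detection can be attributed to a specific original file. The directory layout and the sample stylesheets are constructed for the example; the search pattern is the string from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Autoptimize code).
# Locate the ORIGINAL stylesheet(s) that feed a flagged aggregated file.
# Real use:  find_gradient_css /path/to/wp-content
#            scan_sources      /path/to/wp-content   (needs clamscan)

# Exact substring from the CSS quoted in the thread.
PATTERN='DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)'

# Print "<path>:<line>:<content>" for every .css file under $1 that contains
# PATTERN. The autoptimize cache is excluded: those files are derived from the
# sources, so a hit there tells you nothing about which source to look at.
# /dev/null is passed as an extra file so grep always prints the filename.
find_gradient_css() {
    find "$1" -type f -name '*.css' ! -path '*/cache/autoptimize/*' \
        -exec grep -nF -- "$PATTERN" /dev/null {} + | sort
}

# Number of source lines that carry the snippet (0 if none).
count_gradient_hits() {
    hits=$(find_gradient_css "$1")
    if [ -z "$hits" ]; then echo 0; else printf '%s\n' "$hits" | wc -l | tr -d ' '; fi
}

# If ClamAV is installed, scan just the candidate source files so the
# detection (if any) is attributed to a specific original stylesheet.
scan_sources() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; skipping scan" >&2
        return 0
    fi
    find_gradient_css "$1" | cut -d: -f1 | sort -u | while IFS= read -r f; do
        clamscan --no-summary "$f" || true   # non-zero = detection, keep going
    done
}

# Build a small CONSTRUCTED wp-content tree to run the check against:
# one theme stylesheet with the snippet, one plugin stylesheet without it,
# and an aggregated cache file made by concatenating both (as AO would).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/themes/sample-theme/css" "$root/plugins/sample-plugin" \
             "$root/cache/autoptimize/css"
    printf '%s\n' 'body{margin:0}' \
        'img{background:transparent;-ms-filter:"progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)";filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);zoom:1}' \
        > "$root/themes/sample-theme/css/style.css"
    printf '%s\n' '.popup{display:none}' > "$root/plugins/sample-plugin/popup.css"
    cat "$root/themes/sample-theme/css/style.css" \
        "$root/plugins/sample-plugin/popup.css" \
        > "$root/cache/autoptimize/css/autoptimize_0000.css"
}

# Stand-alone demo on the constructed tree:  sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "source lines carrying the snippet: $(count_gradient_hits "$demo")"
    find_gradient_css "$demo" | cut -d: -f1,2
    scan_sources "$demo"
    rm -rf "$demo"
fi
```

The hit should point at a theme or plugin file, not at anything under cache/autoptimize; that file (here the constructed theme's style.css, line 2) is what to send for a false-positive report, and it will keep triggering the scanner whether or not Autoptimize is enabled.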

  • The topic ‘Malware warning on web host’ is closed to new replies.