• Resolved funnymatt

    (@funnymatt)


    FYI, my hosting provider (A Small Orange) sent me a note saying that malware was detected on my site involving file: /wp-content/plugins/fetch-tweets/include/library/admin-page-framework/fetch-tweets-admin-page-framework.min.php

    It was allegedly {HEX}php.nested.jpexp.531

    This was after I updated to version 2.3.5 today.

    I contacted them and they analyzed the file and confirmed it was a false positive, and restored the file. This might be something you want to look into to ensure it doesn’t trigger problems for other users.

    https://www.ads-software.com/plugins/fetch-tweets/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author miunosoft

    (@miunosoft)

    Hi,

    Thanks for the heads up.

    I honestly do not know which part of the code triggers it. admin-page-framework.min.php is a library file of Admin Page Framework and Fetch Tweets 2.3.5 includes a newer version of it. Fetch Tweets utilizes the file name and class names used in the file to avoid library conflicts.

    For anybody else who is concerned about this, it is a 100% false positive and I’ll try figuring out the cause. Here is the result from VirusTotal of scanning Fetch Tweets v2.3.5, which says 100% clean: https://www.virustotal.com/en/file/a05a8b0b433dfd0e1d46668c89546449764ec23954f833f46f7281c5274bb179/analysis/1409046565/

    When I did a quick search for the keyword php.nested.jpexp.531, it seemed to be a report by a program called Linux Malware Detect (https://www.rfxn.com/). They can be reached via the email address proj at rfxn.com. It would be very much appreciated if you could tell them this is a false positive and that Fetch Tweets is a legitimate plugin, as is the Admin Page Framework library. It helps the future development of this plugin and the framework.

    Also it would be really appreciated if you could find which part of the code triggers the malware detection.

    Thank you.

    Plugin Author miunosoft

    (@miunosoft)

    I did a little bit of investigation on this and it seems the framework also gets a false positive.

    Linux Malware Detect seems to flag files as malware when the scanned files contain certain string patterns. For example, save the following string as a text file and scan it with Linux Malware Detect.

    ']; $GLOBALS['some_characters_admin

    (the part some_characters can be changed to any alpha-numeric characters)

    You will get a false positive regardless of the file name and the size. The framework happened to use code that matches such a pattern and thus it was flagged as malware.

    I hope they update their virus definitions. For that, anybody who saw this post, PLEASE send an email to proj at rfxn.com and tell them to remove the plugin and the framework from their definitions.

    Thank you.
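An added illustration of the mechanism described in the reply above (this is not code from the thread, from the plugin, or from Linux Malware Detect): a naive string-pattern signature fires on legitimate framework code, while a rule that also requires a decode-and-execute call nearby does not. Both rules and both sample files are constructed assumptions for the demonstration, not LMD's actual definitions.

```python
import re
from typing import Optional, Tuple

# The fragment quoted in the thread as enough, on its own, to trigger the detection.
TRIGGER_FRAGMENT = "']; $GLOBALS['some_characters_admin"

# Constructed naive rule: any occurrence of `']; $GLOBALS['<identifier>_admin`.
# This is an assumption about the shape of the rule, not LMD's real signature.
NAIVE_RULE = re.compile(r"'\];\s*\$GLOBALS\['[A-Za-z0-9_]*_admin")

# Constructed refined rule: the same fragment, but only when an eval() of a
# decoded blob follows within 200 characters. Ordinary framework code that merely
# stores settings in $GLOBALS no longer matches.
REFINED_RULE = re.compile(
    NAIVE_RULE.pattern + r".{0,200}?\beval\s*\(\s*(?:base64_decode|gzinflate)\s*\(",
    re.S,
)

def find_trigger(source: str, rule: re.Pattern) -> Optional[Tuple[int, str]]:
    """Return (line_number, matched_text) for the first hit, or None when clean.
    This answers the question raised in the thread: which part of a file trips
    the scanner?"""
    m = rule.search(source)
    if m is None:
        return None
    line_no = source.count("\n", 0, m.start()) + 1
    return line_no, m.group(0)

# Constructed benign sample in the style of a settings framework: the byte
# sequence `']; $GLOBALS['..._admin` occurs naturally across two statements.
BENIGN_SAMPLE = """<?php
$a = ['x']; $GLOBALS['apf_settings_admin'] = array();  // matches the naive rule
return $GLOBALS['apf_settings_admin'];
"""

# Constructed sample of the loader shape such a rule is meant to catch.
# The base64 payload decodes to a harmless `echo "hi";`.
SUSPICIOUS_SAMPLE = """<?php
$a = ['x']; $GLOBALS['w_admin'] = 'ZWNobyAiaGkiOw==';
eval(base64_decode($GLOBALS['w_admin']));
"""

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)]:
        print(name, "naive:", find_trigger(sample, NAIVE_RULE))
        print(name, "refined:", find_trigger(sample, REFINED_RULE))
```

Running it shows the naive rule flagging both samples at line 2, while the refined rule flags only the suspicious one.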

    Plugin Author miunosoft

    (@miunosoft)

    Closing the topic as they have fixed their signature. https://github.com/rfxn/linux-malware-detect/issues/16

  • The topic ‘False Positive for Malware after update’ is closed to new replies.