• Resolved shey456

    (@shey456)


    Hi,

    Wordfence detected this as a critical security issue. Have I been infected by malware? What should I do?

    This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.

    I checked the code and it includes this line.

    eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');

    And these.

    Line 2858: $v_data_footer = unpack('Vcrc/Vcompressed_size', $v_binary_data);
    Line 4280: $v_data = unpack('Vid', $v_binary_data);
    Line 4310: $v_data = unpack('vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $v_binary_data);
    Line 4383: $v_data = unpack('Vid', $v_binary_data);
    Line 4413: $p_header = unpack('vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $v_binary_data);
    Line 4554: $v_data = @unpack('Vid', $v_binary_data);
    Line 4630: $v_data = unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size', $v_binary_data);

    Thank you.

    https://www.ads-software.com/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter shey456

    (@shey456)

    P.S. – The code is actually in this file.

    /wp-admin/includes/class-pclzip.php

    Plugin Author WFMattR

    (@wfmattr)

    I checked a clean copy of WordPress from www.ads-software.com, and all of these lines are included.

    Normally, Wordfence scans wouldn’t flag this file as malicious, so there might be some other changes that you don’t see (sometimes at the end of the file after a lot of blank lines), but I think it would also usually show an error message saying that a core file had been modified, instead of the eval and unpack message.

    Do you happen to have two copies of WordPress installed in the same site folder — like a WP main site, plus a separate WP forum in a subdirectory — or a WP main site and a separate WP blog in a subdirectory? Or a testing copy of the site in a subdirectory?
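An added example (not Wordfence's or WordPress's code) of the check this reply describes: compare the flagged file against a clean reference copy and look for content appended after a long run of blank lines. The CLEAN and SUSPECT byte strings are constructed stand-ins; a real reference comes from a fresh WordPress download of the same version.

```python
import hashlib
import re

# Constructed stand-in for a clean class-pclzip.php. The eval/unpack lines quoted in
# the thread are genuinely in WordPress core, so their presence alone proves nothing.
CLEAN = (
    b"<?php\n"
    b"eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');\n"
    b"$v_data_footer = unpack('Vcrc/Vcompressed_size', $v_binary_data);\n"
    b"?>\n"
)
# Constructed suspect copy: same file, then many blank lines hiding an appended block.
SUSPECT = CLEAN + b"\n" * 40 + b"<?php echo 'appended'; ?>\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def appended_after_blank_run(data: bytes, min_blank_lines: int = 20):
    """Return the bytes after the last run of at least min_blank_lines empty lines, or None."""
    runs = list(re.finditer(rb"(?:\r?\n){%d,}" % (min_blank_lines + 1), data))
    if not runs:
        return None
    tail = data[runs[-1].end():]
    return tail if tail.strip() else None


def check_core_file(suspect: bytes, clean: bytes) -> dict:
    """Compare a suspect core file with a clean reference and locate any extra content."""
    report = {
        "identical": sha256(suspect) == sha256(clean),
        "appended": None,      # bytes past the end of the clean file, if it is a prefix
        "hidden_tail": None,   # content following a long blank run
        "tokens_in_extra": [],
    }
    if report["identical"]:
        return report
    if suspect.startswith(clean):
        report["appended"] = suspect[len(clean):]
    report["hidden_tail"] = appended_after_blank_run(suspect)
    extra = report["appended"] or report["hidden_tail"] or b""
    # Only the part absent from the clean copy is judged; core's own eval/unpack are expected.
    report["tokens_in_extra"] = [t for t in (b"eval(", b"unpack(", b"base64_decode(") if t in extra]
    return report
```

A hash mismatch with no appended region points at an in-place edit, which a line-by-line diff against the clean copy will show.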

    Thread Starter shey456

    (@shey456)

    Thank you for your response.

    Yes, there are two WordPress installs. One for the main site and the other for an add-on domain.

    I updated the add-on domain to WordPress 4.3 first, and later that day Wordfence detected this issue in the updated add-on domain's includes folder. The next day I updated the main site to WordPress 4.3 too. Wordfence still detects this issue in the same folder on the add-on domain.

    Is there anything not right? Any steps I should follow?

    Thank you.

    Plugin Author WFMattR

    (@wfmattr)

    Ok. I’ll try to reproduce this problem here, to see if it can be prevented in scans in a future version of Wordfence. Can you tell me if this option is turned on in the “Scans to include” section of your Wordfence Options page?
    Scan files outside your WordPress installation

    This option can usually be turned off for most sites, and if the site in the subdirectory is being scanned by its own copy of Wordfence already, it shouldn’t be necessary, unless you have other subdirectories that need to be scanned.

    Thread Starter shey456

    (@shey456)

    Thanks for your reply.
    Yes, that option was on, and I turned it off.

    But I should mention that I had the same option on in previous WordPress installations, and at that time Wordfence didn’t raise an alarm about the site in the sub-directory. It only happened after updating WordPress to 4.3.

    I don’t know how this issue relates to this new one.

    When I went to the Wordfence scan page, the previous scan was stuck. Displayed,

    “Scan Engine Error: Wordfence could not start a scan because the cron key does not match the saved key.”

    But after killing it and re-scanning, the scan completed with no issues.

    Thank you.

    Are you scanning in high sensitivity mode (near bottom of options page)?

    tim

    Thread Starter shey456

    (@shey456)

    Hi,

    I checked, and yes, it is on.

    Thank you.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the reply — we normally only recommend using high sensitivity scans when trying to clean a difficult infection, since it can produce false positives. If you do want to leave it on, you can have Wordfence ignore the pclzip file, since it is already being scanned on the subdirectory site as well.

    More details on high sensitivity scanning are here:
    High Sensitivity Scanning

    For the “cron key doesn’t match the saved key” warning, you may need to turn on the Wordfence option “Disable config caching.” On most sites, the config cache improves speed a little, but some hosts have trouble with it.

  • The topic ‘Malicious Executable Code?’ is closed to new replies.