Please fix

  • Please fix

    1 Suspicious Code
Dangerous and threatening code often used to attack sites.
PHP.Hidden.Code.2
This file contains suspicious hidden code, and should be checked for recent changes, or malicious code. Often hackers try to hide their hack attempts by obfuscating their attack code, to make it harder to detect. VaultPress has detected a string of suspicious characters in this file. Please check your backup history for recent changes to this file, or contact a Safekeeper if you are unsure.
Fixing threat…
5 Files Affected
4 hours ago
tcpdf_static.php
/wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf/include
1 week ago
tcpdf_static.php
/wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf/include
4 hours ago
tcpdf.php
/wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf
4 hours ago
tcpdf_parser.php
/wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf
1 week ago
tcpdf_parser.php
/wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Tickera

    (@tickera)

    Hi there,

    We’re using original TCPDF library in Tickera and the code could be compared here https://sourceforge.net/projects/tcpdf/files/

    What the VaultPress scanner actually spotted are things like these bellow and you can see the decoded results here for instance https://ddecode.com/hexdecoder/?results=bcace881138d3437ef89d9b932d53c8b

    As you can see, result of this particular one is “Powered by TCPDF (www.tcpdf.org)” which is certainly not a malicious code ??

    tcpdf_static.php:
    /**
    * Encryption padding string.
    * @public static
    */
    public static $enc_padding = “\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4E\x56\xFF\xFA\x01\x08\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A”;

    tcpdf.php:

    public function Close() {

    $msg = “\x50\x6f\x77\x65\x72\x65\x64\x20\x62\x79\x20\x54\x43\x50\x44\x46\x20\x28\x77\x77\x77\x2e\x74\x63\x70\x64\x66\x2e\x6f\x72\x67\x29”;

    }
    tcpdf_parser.php:

    /**
    * Decode the Cross-Reference section
    * @param $startxref (int) Offset at which the xref section starts (position of the ‘xref’ keyword).
    * @param $xref (array) Previous xref array (if any).
    * @return Array containing xref and trailer data.
    * @protected
    * @since 1.0.000 (2011-06-20)
    */
    protected function decodeXref( $startxref, $xref = array() ) {
    $startxref += 4; // 4 is the lenght of the word ‘xref’
    // skip initial white space chars: \x00 null (NUL), \x09 horizontal tab (HT), \x0A line feed (LF), \x0C form feed (FF), \x0D carriage return (CR), \x20 space (SP)
    $offset = $startxref + strspn( $this->pdfdata, “\x00\x09\x0a\x0c\x0d\x20”, $startxref );
    // initialize object number
    $obj_num = 0;
    // search for cross-reference entries or subsection
    ….

    I hope it helps. Please consider changing a rating to 5 stars.

    Thanks a lot!

    Marko,
    Tickera Team

    Thank you so much

    hai iam facing these issues

    PHP.Hidden.Code.2
    This file contains suspicious hidden code, and should be checked for recent changes, or malicious code. Often hackers try to hide their hack attempts by obfuscating their attack code, to make it harder to detect. VaultPress has detected a string of suspicious characters in this file. Please check your backup history for recent changes to this file, or contact a Safekeeper if you are unsure.

    Detected the signature PHP.Hidden.Code.2 on ./wp-content/themes/Avada/js/main.js.
    (active)

    Detected the signature PHP.Hidden.Code.2 on ./wp-content/themes/Avada/js/main-min.js.

    how to find out where the hidden code is
    please help

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Please fix’ is closed to new replies.