• Resolved slui

    (@slui)


    Hi,

    I just installed the latest version and it is causing problems with the following major plugins (all latest versions):

    1. Backup Buddy
    2. Gravity Forms
    3. Justified Image Grid

    Wordfence has told me that all these plugins have malicious code. The previous version made no mention of this and now it does?

    Need help in getting this resolved.

    sl

    https://wordpress.org/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 22 total)
  • Kevin

    (@kevinsaldanha)

    I have had a similar issue with my theme – based on the themify platform. It detects img.php as a Severe issue. There are other files too on the Themify platform that are now being flagged as severe threats. None of this was happening before.

    The plugin Updraftplus file updraftplug.php is flagged as not being a part of the plugin (it is the main plugin file) and hence a security issue.

    Same here with Gravity Forms and Backup Buddy. I think naive checking for base64 and certain other functions is way too prone to false positives.

    arcane

    (@arcarcane2012)

    First, I should mention that perhaps I have WP installed wrong, but this is the first time I’ve seen behaviour like this.

    My setup is that I have WP installed on a main domain, and then in a sub-domain. The subdomain is a folder within the main folder.

    So, when scanning, the main domain reports that there are several files that may have malicious executable code – in the subdomain.

    The first thing I do before taking the site offline is to scan the subdomain through its own installation of Wordfence.

    *cue the sound of crickets chirping…*
    Nothing. The scan comes back clean.

    Scan again with the main domain’s installation
    Immediately it comes back with all of these “infections”.

    So, the next thing I do is hit the forums and find this post. I don’t think I’ll delete the files, but I will compare them to the ones in the main domain’s installation.

    Mark, if required, I still have access set up for you.
    Thanks
    Tammi

    Same problem with wp-content/plugins/wp-super-cache/wp-cache.php, some woocommerce files and other plugins.

    Same problem with Gravity Forms, MemberMouse, and BackWPup Pro.

    I’m getting all kinds of “eval” and other warnings… If you look at the files though, you see that it was the word “evaluate” and not “eval”… It seems that WordFence is being too aggressive here.

    Please fix this!

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks for the reports folks. The patterns for this detection are on our scanning server, so I’ve modified the algorithm. I’m going to go into a bit of detail here on how it worked and now works:

    The version we released yesterday looks for ‘eval’ and if it finds it it looks for any of the following without quotes:

    ‘base64_decode’, ‘unpack’, ‘str_rot13’, ‘urldecode’

    If one of these is found, then the file is flagged.

    The new algorithm does the same, except we’re suffixing all matches with a single parenthesis. So we look for eval( and then match on base64_decode(.

    This modification is now live. You don’t need to do anything to get it.

    I’m going to leave this open and see if things improve. If not, I’ll temporarily disable it.

    The reason we added this is because an Arabic hacker published a method that could circumvent our script detection and this will catch the new circumvention.

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

    Thread Starter slui

    (@slui)

    Hi Mark,

    Thanks for the post. Your new algorithm has indeed fixed some of the issues. The issue with Gravity Forms and Justified Image Grid has been resolved, but Backup Buddy has not.

    In fact, it has found other files to be marked as malicious within Backup Buddy. The files flagged with Backup Buddy seem to be the encryption scripts and the compression scripts.

    I’ll be checking some other sites I have to see if it still persists.

    sl

    Hello WordFence Support!

    Even after the update I am getting these things flagged (OptinMonster, a premium plugin). These are only snippets, just to show where the so-called “eval” occurs:

    foreach ($val as $key2 => $val2) {
        $rs .= '<member><name>' . xmlrpc_encode_entitites($key2, $GLOBALS['xmlrpc_internalencoding'], $charset_encoding) . "</name>\n";
        //$rs.=$this->serializeval($val2);
        $rs .= $val2->serialize($charset_encoding);
        $rs .= "</member>\n";
    }

    // array
    $rs .= "<array>\n<data>\n";
    for ($i = 0; $i < count($val); $i++) {
        //$rs.=$this->serializeval($val[$i]);
        $rs .= $val[$i]->serialize($charset_encoding);
    }

    // DEPRECATED
    function serializeval($o)
    {

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    It’s flipping out on ‘eval’ in Slim Jetpack, too.

    arcane

    (@arcarcane2012)

    Thanks Mark,

    This took the list of malicious executable code reports from 10 to 3, the ones still flagged are:

    wp-admin/press-this.php – This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘urldecode(‘ (without quotes).

    wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/datamapper/class.datamapper_driver_base.php – This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘base64_decode(‘ (without quotes).

    wp-admin/includes/class-pclzip.php – This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes)

    And once again, as mentioned, the sub-domain scan turns up nothing, but the main domain scan is flagging files in the sub-domain’s WP installation.

    Kevin

    (@kevinsaldanha)

    After the update, for Themify, it identifies the following file

    themify/themify-utils.php

    and still marks the warning as Severe with the message

    This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘urldecode(‘ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.

    The Updraftplus.php file has changed from a Severe to a Warning

    Plugin Author Wordfence Security

    (@mmaunder)

    OK guys here’s what I think we should do:

    This new detection is very sensitive and useful if your site has been hacked. But it’s clearly kicking out a lot of false positives. So I’ve made a change on our server that has the effect of disabling it.

    If you could do a scan to verify it’s fixed I’d appreciate it.

    Then I’m going to add an option to increase scan sensitivity to “high” which will enable this feature. The default sensitivity will be ‘low’.

    That’ll let us add a few other features which might yield false positives but which admins cleaning sites will love.

    We have a fix for another issue that was introduced in 4.0.2 which needs to go out today, so you’ll see that feature today (scan sensitivity).

    Let me know if you have any feedback on this in the next few minutes if you could. I’ll check back on this thread after making the rest of my support rounds, probably in 30 mins.

    Thanks for all the help!! (Leaving this open for now)

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

    Thread Starter slui

    (@slui)

    Hi Mark,

    I did another scan and now I have no issues to report. Thanks.

    sl

    arcane

    (@arcarcane2012)

    Looks good on this end too.

    Plugin Author Wordfence Security

    (@mmaunder)

    OK thanks. As I’m writing this, version 4.0.3 is being pushed out and will be in the repository in a few seconds and will show up as a new version within an hour.

    It contains a checkbox under scanning which enables “high sensitivity” scans. This re-enables this feature, but we search for eval( with a parenthesis on the end along with the other functions. It’s off by default, but it’s there if you’re doing a site cleaning or some other activity that needs high sensitivity.

    I’m marking this resolved in a few minutes unless anyone has any objections.

    Regards,

    Mark.
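The three stages of the rule described in this thread (the first "eval plus decoder name" check, the "eval(" / "decoder(" suffix change, and the 4.0.3 high-sensitivity switch) can be modelled side by side. The block below is an added example written for this page; it is not Wordfence's scanner code, and the PHP snippets in SAMPLES are constructed, not taken from any plugin. rule_v3 is an extra refinement of my own (a word boundary before "eval"), added to show why the suffix change alone still flags an identifier such as serializeval( from the OptinMonster snippet above.

```python
import re

# Decoder names quoted in Mark's post; the PHP snippets below are constructed
# for this example and are not taken from any real plugin.
DECODERS = ("base64_decode", "unpack", "str_rot13", "urldecode")

SAMPLES = {
    # "re-evaluate" in a comment plus a legitimate urldecode() call: the kind
    # of file several posters saw flagged by the first rule.
    "benign_comment": (
        "<?php\n// re-evaluate the request before decoding\n"
        "$q = urldecode($_GET['q']);\n"
    ),
    # A method whose name merely ends in "eval", like serializeval() in the
    # xmlrpc snippet above; still a false positive after the "eval(" change.
    "benign_method": (
        "<?php\nfunction serializeval($o) {\n    return str_rot13($o);\n}\n"
    ),
    # eval( wrapped around a decoder call: what the rule is meant to catch.
    "packed_payload": "<?php\neval(base64_decode($blob));\n",
    # "eval" as a bare word in a string, with an unrelated unpack() call.
    "eval_word_only": (
        "<?php\n$doc = 'see eval in the manual';\n$x = unpack('N', $b);\n"
    ),
}


def rule_v1(src):
    """First release: the word 'eval' anywhere plus any decoder name anywhere."""
    return "eval" in src and any(d in src for d in DECODERS)


def rule_v2(src):
    """Revised rule from the thread: require 'eval(' and 'decoder(' (call form)."""
    return "eval(" in src and any(d + "(" in src for d in DECODERS)


def rule_v3(src):
    """Added refinement (not from the thread): word boundary before 'eval' and
    optional whitespace before '(' so identifiers like serializeval( don't match."""
    if not re.search(r"\beval\s*\(", src):
        return False
    return any(re.search(r"\b" + d + r"\s*\(", src) for d in DECODERS)


def scan(src, sensitivity="low"):
    """Models the 4.0.3 behaviour: the eval+decoder check runs only at 'high'
    sensitivity. Returns a list of finding strings (empty when clean)."""
    findings = []
    if sensitivity == "high" and rule_v2(src):
        hits = [d + "(" for d in DECODERS if d + "(" in src]
        findings.append("contains eval( together with " + ", ".join(hits))
    return findings


def flagged(rule, samples=SAMPLES):
    """Names of the samples a rule flags, sorted, for side-by-side comparison."""
    return sorted(name for name, src in samples.items() if rule(src))


if __name__ == "__main__":
    for rule in (rule_v1, rule_v2, rule_v3):
        print(rule.__name__, flagged(rule))
    print(scan(SAMPLES["packed_payload"], sensitivity="high"))
```

Running it shows rule_v1 flagging every sample, rule_v2 dropping the "evaluate" and bare-word cases but still catching serializeval(, and the word-boundary variant flagging only the packed payload. Whatever substring rule is used, keeping it behind an explicit high-sensitivity setting, as 4.0.3 does, is what keeps the default scan quiet on sites full of legitimate plugin code.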

  • The topic ‘Latest version causing major issues with major plugins’ is closed to new replies.