WordPress.org


[resolved] Getting different results from Exploit Scanner in two websites (11 posts)

  1. svedish
    Member
    Posted 2 years ago #

    Hi guys,

    is any of you using Exploit Scanner perhaps? I have a problem I can't figure out the explanation for. I hope someone will be able to help me out.

    I have installed Exploit Scanner on two WordPress websites. They now both run WP 3.2.1 and they show quite different results. On one website I see:

    Level Severe (26 matches)
    Level Warning (24 matches)
    Level Note (313 matches)

    On the other website I get:

    Level Warning (5 matches)
    Level Note (59 matches)

    On the website that shows much more results I have just replaced the entire wp-admin and wp-include folders from the ones coming from the original installation files. Nothing changes, I still get 26 Severe matches. All come from wp-admin and wp-includes, for example:

    wp-admin/includes/class-pclzip.php:4063
    Often used to execute malicious code

    // eval('$v_result = '.$p_options[PCLZIP_CB_P

    AND

    wp-admin/js/revisions-js.php:31
    Often used to execute malicious code

    eval(function(p,a,c,k,e,r){e=function(c){return(c<

    I also noticed that on the other website (the one with much fewer matches) no results at all come from wp-admin and wp-includes. All the matches are only from wp-content. I also noticed that on the website with fewer results the results arrive after 250 files scanned. The website with more results reached 1000 files scanned before spitting out the results, so I get that maybe on one website not all files are scanned, hence fewer results? However I checked permissions and they are 755 on folders, exactly like the other website. The owners differ (vhost/www on the site with more results, myuser/www on the one with fewer results).

    Scratching my head, don't understand why this is happening. Someone help please?

    Thanks!

  2. Jon Cave
    WordPress Dev
    Posted 2 years ago #

    It sounds like the one with extra results has differences to the WordPress core files. This would explain why some core files are being matched as having 'severe' problems and why extra files are being scanned.

    Are you sure you copied over wp-admin/wp-includes with the correct version of WordPress? Have you checked the "See what has been modified" link for one of the modified core files?

  3. svedish
    Member
    Posted 2 years ago #

    Hi Jon,

    Thanks for your answer, but I seriously doubt that the two installations' files differ in any way. They both run version 3.2.1, wp-admin contains 87 files while wp-includes contains 100 files in both cases. I really don't know what is going on, but I'm pretty sure the file count is the same in both installations, including plugins.

    Any other ideas?
    Thanks.

  4. Jon Cave
    WordPress Dev
    Posted 2 years ago #

    "I'm pretty sure the file count is the same in both installations"

    Sorry I didn't make it clear enough so you didn't understand. The core files only get scanned (and so only show up in the numbers) if they have been modified*. This would explain why some core files are showing up as potentially 'malicious' and why the numbers of files scanned changes. It's the simplest explanation which is why I think it's correct.

    Are you 100% sure there are no "Modified core file" entries under Warnings?

    * Modified meaning the md5 doesn't match the known one hardcoded into the plugin. So it could also mean the file is from a different version of WP than given by $wp_version, or the plugin hasn't been updated.
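The check Jon describes (a core file is only scanned, and only counted, when its md5 does not match the hash the plugin knows for that path) can be reproduced outside the plugin. The script below is an added example, not Exploit Scanner's own code: it builds a constructed miniature WordPress tree in a temporary directory together with a matching `{relative path: md5}` manifest, then classifies every file as unchanged (skipped), modified, unknown (not a core file, so always scanned) or missing. Running the same tree against an empty manifest shows what happens when the hash list is unusable: nothing is known, so every file, core or not, is treated as needing a scan.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """md5 of a file's bytes. md5 is used here only because the plugin's
    hash list is md5; it is fine for detecting accidental changes but is
    not collision resistant, so it cannot prove a file is untampered."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core_files(root, known_hashes):
    """Walk root and compare each file with a {relpath: md5} manifest.

    Returns a dict with sorted lists:
      unchanged - hash matches the manifest, safe to skip
      modified  - listed in the manifest but the hash differs
      unknown   - not in the manifest at all (plugins, themes, uploads)
      missing   - in the manifest but absent from disk
    """
    report = {"unchanged": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            expected = known_hashes.get(rel)
            if expected is None:
                report["unknown"].append(rel)
            elif md5_of(full) == expected:
                report["unchanged"].append(rel)
            else:
                report["modified"].append(rel)
    for rel in known_hashes:
        if rel not in seen:
            report["missing"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def files_to_scan(report):
    """What a signature scanner would actually open: anything not proven unchanged."""
    return sorted(report["modified"] + report["unknown"])


def build_demo_tree():
    """Constructed sample data: a tiny fake WordPress tree plus its manifest.
    Paths mirror the thread; the file contents are invented for the demo."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    originals = {
        "wp-admin/includes/class-pclzip.php": b"<?php\n// eval('$v_result = ...') lives here\n",
        "wp-includes/version.php": b"<?php\n$wp_version = '3.2.1';\n",
        "license.txt": b"GNU GENERAL PUBLIC LICENSE\n",
        "wp-config-sample.php": b"<?php\ndefine('DB_NAME', 'putyourdbnamehere');\n",
    }
    manifest = {}
    for rel, data in originals.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.md5(data).hexdigest()
    # A manifest entry with no file on disk -> reported as missing.
    manifest["wp-includes/js/swfupload/license.txt"] = hashlib.md5(b"MIT License\n").hexdigest()
    # Rewrite license.txt with CRLF line endings, the kind of silent change a
    # text-mode transfer can introduce -> reported as modified.
    with open(os.path.join(root, "license.txt"), "wb") as f:
        f.write(originals["license.txt"].replace(b"\n", b"\r\n"))
    # A plugin file is never in the core manifest -> reported as unknown.
    plugin = os.path.join(root, "wp-content", "plugins", "hello", "hello.php")
    os.makedirs(os.path.dirname(plugin), exist_ok=True)
    with open(plugin, "wb") as f:
        f.write(b"<?php\n// constructed plugin file\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_tree()
    for label, hashes in (("with manifest", demo_manifest), ("empty manifest", {})):
        rep = verify_core_files(demo_root, hashes)
        print(label, {k: len(v) for k, v in rep.items()}, "scan:", files_to_scan(rep))
```

With the manifest present only `license.txt` and the plugin file are handed to the scanner; with an empty manifest all five files are, which is exactly the jump in "files scanned" and in core-file matches that an empty hash file produces.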

  5. svedish
    Member
    Posted 2 years ago #

    Hi Jon,

    Ok, I now understand what you mean. Ok, I'm prepared to do some checks but I'm not 100% sure what to do. Would a comparison of two files inside an application that can check for differences be enough? If there's anything else I can do can you please advise me?

  6. svedish
    Member
    Posted 2 years ago #

    However, and I think it's worth highlighting this point again, there are two 'coincidences' that make me think that the problem is different. The fact that the number of scanned files looks different (the website with more results reaches "Files scanned: 1000...loading-icon" before showing the results, the other site reaches only 250 before spitting out the results), the fact that the site with fewer results shows results only from wp-content, not even *one* from wp-admin and wp-includes, and the fact that the website with more results (all from wp-admin and wp-includes) is the one where I have now replaced the folders wp-admin and wp-includes from the original installation files at least twice. Just coincidences? I think not.

    However, as said, I'm more than happy to do whatever needs to be done to check your theory. As far as this behavior gets explained, I'm happy. :)

    Thanks!

  7. svedish
    Member
    Posted 2 years ago #

    And I have found the culprit. I wouldn't have spotted it if I hadn't gone through the plug-in files as well on both installations.

    For some arcane reason, which I can't really explain, the installation files of Exploit Scanner were incomplete within the website which was showing the biggest amount of results. Probably something went wrong with my FTP client when I uploaded them. The 'hashes-3.2.1.php' file was empty, and a few more files were missing. Now that I have reinstalled the plug-in all works fine. I mean, there are some different results, but all seems quite normal.

    Thanks for your help.

  8. svedish
    Member
    Posted 2 years ago #

    However a new problem is popping up. Now exploit scanner is picking on a bunch of files that I keep replacing with no luck. The plug-in is complaining about them being modified but they are not.

    wp-includes/images/crystal/license.txt
    Modified core file
    wp-includes/js/swfupload/license.txt
    Modified core file
    wp-includes/js/tinymce/plugins/wpfullscreen/css/wp-fullscreen.css
    Modified core file
    license.txt
    Modified core file
    wp-config-sample.php
    Modified core file

    The strange thing is that if I check the MD5 when they are on my computer it corresponds to the one in the hashes file. When I upload the files, the MD5 changes? Any ideas??

    Thanks!

  9. svedish
    Member
    Posted 2 years ago #

    It was Transmit... Bah! Downloaded Cyberduck and the files got uploaded just fine without any MD5 modification. Why in the world did this happen? Go figure out. :(

  10. Jon Cave
    WordPress Dev
    Posted 2 years ago #

    That's really weird. If you want to find out what's changing you could use the diff and cmp command line tools to check how the file uploaded by Transmit differs from the original. It might be adding a whitespace character somewhere.

    I'm glad you found out the cause though :)
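The comparison Jon suggests can be done with `cmp` (first differing byte) and `diff` (the changed lines) on the local copy and the uploaded copy. The script below is an added example, not part of this thread or of Exploit Scanner: it reproduces the `cmp`-style first-difference check in Python and then tries a few explanations for why two copies of a text file hash differently. All of the files in the list above are plain text (licenses, a stylesheet, `wp-config-sample.php`), so line-ending conversion by a transfer in text mode is the classic candidate, and truncation covers the empty `hashes-3.2.1.php` case from earlier in the thread. The sample bytes are constructed; the classification heuristics are this example's own, not anything the plugin does.

```python
import hashlib


def first_difference(original, uploaded):
    """Like cmp(1): 0-based offset of the first differing byte, None if identical.
    If one file is a prefix of the other, the offset is the shorter length."""
    shortest = min(len(original), len(uploaded))
    for i in range(shortest):
        if original[i] != uploaded[i]:
            return i
    return None if len(original) == len(uploaded) else shortest


def _strip_trailing_ws(data):
    return b"\n".join(line.rstrip() for line in data.splitlines())


def classify_difference(original, uploaded):
    """Name the most likely reason two copies of a text file differ.
    Checks are ordered from most to least specific (heuristics of this example)."""
    if original == uploaded:
        return "identical"
    if original.startswith(uploaded):
        return "truncated"  # e.g. an upload that stopped early, or an empty file
    if original.replace(b"\r\n", b"\n") == uploaded.replace(b"\r\n", b"\n"):
        return "line-endings-only"  # LF <-> CRLF, typical of text-mode transfers
    if uploaded.startswith(b"\xef\xbb\xbf") and uploaded[3:] == original:
        return "utf8-bom-added"
    if _strip_trailing_ws(original) == _strip_trailing_ws(uploaded):
        return "trailing-whitespace-only"
    return "content-differs"  # a real edit: look at the bytes around the offset


def compare(original, uploaded):
    """Everything a 'Modified core file' report needs to explain itself."""
    return {
        "md5_original": hashlib.md5(original).hexdigest(),
        "md5_uploaded": hashlib.md5(uploaded).hexdigest(),
        "first_diff_offset": first_difference(original, uploaded),
        "kind": classify_difference(original, uploaded),
    }


# Constructed sample: the local copy uses LF, the uploaded copy came back with CRLF.
LOCAL_LICENSE = b"GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n"
UPLOADED_LICENSE = LOCAL_LICENSE.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    result = compare(LOCAL_LICENSE, UPLOADED_LICENSE)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Constructed: the plugin's hash file arriving empty.
    print(compare(b"<?php\n$hashes = array();\n", b"")["kind"])
```

The first differing offset in the sample is 26, the position of the first newline, which is the `\r` the transfer inserted; the two md5 values differ while the classification says the only change is line endings. On the command line `cmp` would report the same offset (as a 1-based byte number) and `diff` would show every line as changed, which is the signature of this kind of conversion.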

  11. svedish
    Member
    Posted 2 years ago #

    Hi Jon,

    Thanks for your suggestions. I may in fact proceed with a comparison just for the sake of curiosity at this point.

    Cheers.
