mb.miniAudioPlayer - an HTML5 audio player for your mp3 files
[resolved] {HEX}base64.inject.unclassed.6 malicious script (5 posts)

  1. jcarlotta
    Member
    Posted 1 year ago #

    I received the following email from my server company last week:

    "Your account xxxx hosted on server xxxx
    is hosting the following malicious files/scripts :
    ==============================================

    {HEX}base64.inject.unclassed.6 : /home/xxxx/public_html/wp-content/plugins/wp-miniaudioplayer/mapTinyMCE/tinymcemaplayer.js.php

    ==============================================
    These files are being abused by crackers/hackers to install malicious scripts on your account. "

    Currently my site is disabled by the server company because of this trouble.
    I did install wp-miniaudioplayer version 2.
    If they say the script was abused and changed into a malicious script by someone,
    I wanted to find out which part(s) of the script(s) was changed.

    I compared 2 groups of wp-miniaudioplayer scripts.
    1. My wp-miniaudioplayer version 2 scripts, which were at the server and being claimed as malicious script(s)
    2. The files kept in WordPress.org, which is version 2 - Revision 618927 at http://plugins.svn.wordpress.org/wp-miniaudioplayer/tags/0.2
    I used Winmerge program to check all files side by side.

    *Comparison results: 100% identical

    By the way, I also compared version 2 and the latest version 3.
    mapTinyMCE/tinymcemaplayer.js.php - identical
    mapTinyMCE/maplayertinymce.php - changed a lot

    Based on the above, should I conclude that "wp-miniaudioplayer version 2" was the {HEX}base64.inject.unclassed.6 malicious script?
    Or is this a terrible false alert?

    My server company alerted me and pointed out a specific script, "tinymcemaplayer.js.php", as the {HEX}base64.inject.unclassed.6 malicious script,
    and there is no change between version 2 and 3.
    If possible, could anyone please confirm for us that wp-miniaudioplayer version 3 is not a malicious script.

    Thank you

    http://wordpress.org/extend/plugins/wp-miniaudioplayer/
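    The side-by-side check described in this post (installed plugin files versus a pristine copy exported from the plugin's SVN tag), as an added example that is not part of the original thread or of the plugin: it hashes every file in both trees and reports modified, extra and missing files, so a scanner hit can be triaged against a known-good baseline. The directory layout and file contents in demo() are constructed for illustration.

```python
"""Compare an installed WordPress plugin directory against a pristine copy
(e.g. an svn export of plugins.svn.wordpress.org/<plugin>/tags/<version>)
and report modified, extra and missing files."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root,
    skipping .svn metadata directories of a working copy."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file() and ".svn" not in p.parts:
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def compare_trees(installed: Path, pristine: Path) -> dict:
    """'extra' files exist only on the server: dropped files would show up here;
    'modified' files share a path but differ in content."""
    a, b = tree_digests(installed), tree_digests(pristine)
    return {
        "modified": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
        "extra": sorted(a.keys() - b.keys()),
        "missing": sorted(b.keys() - a.keys()),
    }


def demo() -> dict:
    """Constructed sample: two copies of a plugin; the installed one has a
    changed main file and one file the pristine export does not contain."""
    with tempfile.TemporaryDirectory() as tmp:
        inst = Path(tmp) / "installed" / "wp-miniaudioplayer"
        pris = Path(tmp) / "pristine" / "wp-miniaudioplayer"
        for root in (inst, pris):
            (root / "mapTinyMCE").mkdir(parents=True)
            (root / "mapTinyMCE" / "tinymcemaplayer.js.php").write_text("<?php // unchanged ?>\n")
            (root / "wp-miniaudioplayer.php").write_text("<?php // plugin main ?>\n")
        (inst / "wp-miniaudioplayer.php").write_text("<?php // constructed modification ?>\n")
        (inst / "cache.php").write_text("<?php // constructed extra file ?>\n")
        return compare_trees(inst, pris)
```

    A result of three empty lists is the "100% identical" outcome reported above; any "extra" entry deserves a look before the pristine files are trusted.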

  2. pupunzi
    Member
    Plugin Author

    Posted 1 year ago #

    Hi,
    I really don't know why your server company classifies tinymcemaplayer.js.php as malicious.

    This file is almost identical to any TinyMCE custom plugin used in WordPress, and nothing changed from version 0.2 to version 0.3.

    The PHP base64_decode(urldecode($_GET['params'])); is used to pass parameters to the miniAudioPlayer popup screen and has nothing malicious.

    Anyway, I'll take a look to see if I can change the way I pass parameters to the TinyMCE component.

    Bye,
    Matteo

  3. ToomerInc
    Member
    Posted 1 year ago #

    I have also received the email:

    Your account stawe hosted on server manchester.nswebhost.com
    is hosting the following malicious files/scripts :

    ==============================================

    {HEX}base64.inject.unclassed.6 : /home/stawe/public_html/static/wp-content/plugins/wp-miniaudioplayer/maptinymce/tinymcemaplayerJs.php

    ==============================================

    These files are being abused by crackers/hackers to install malicious scripts on your account. Please note that our servers are up to date and monitored frequently against these hack/malicious attempts.
    We have disabled the public_html folder for this account(s) temporarily to avoid any further exploits. This has been done for your own safety as well as to protect everyone else on the server and internet to make it a safe place for all.

    We are disabling the web-access temporarily to avoid the following:

    1- Suspending it blocks hackers from deleting all your files.

    2- It prevents hackers from posting embarrassing index pages till you can completely secure your account.

    3- It keeps hackers from stealing any further sensitive info such as logins, credit card numbers, etc. which may be in your files or databases.

    4- If found quickly and rectified, it may keep your site's reputation from being damaged in search engines.

    Please follow the security guidelines posted in the link below to secure your account asap.

    https://www.hostingzoom.com/clients/blablabla...

    We have disabled web access to your account so that further attacks stop and your data is secure while you work on it. You can still access the account using your control panel and FTP. We suggest you change your control panel password immediately. If you need web access to work on it, please provide us your IP address which you can find by visiting the page http://www.myipaddress.com so that we can enable web access for your local IP.

    If you require a restore, please be aware that due to the amount of data we must store, our backups are rotated daily. It is imperative that you contact us immediately to request a restore of your files from backups. We can't guarantee a backup will be available or that it will contain clean copies of your files but we will make every effort to find one prior to the date of infection for you. We can also help restore from your own backup file if you have one and you upload it to your home dir. We do recommend using the backup tool available in your control panel to always keep your own copies of your site on your own computer for safekeeping. To automate the task with a cron job, please see our forums.

    When you are done changing your passwords, updating your scripts, cleaning up the files, etc. and feel the account is now secure, please let us know what you have done to correct the situation and ask for full web access to be restored. Please be reasonably sure as enabling it prior to it being fully secured can have major consequences and cause much more delay in getting back to internet life as usual.

    We appreciate your cooperation. If you have any questions about securing particular popular scripts you are running, please feel free to ask.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    They asked me to change the file? Change what I asked?
    They couldn't tell me.

  4. pupunzi
    Member
    Plugin Author

    Posted 1 year ago #

    The plugin code is clean, that’s for sure!

    So I think the Malware Detect used by your ISP is reporting a false positive.

    I'll see if I can use a different method to pass parameters to the popup without using base64 encoding.

    Bye,
    Matteo

  5. pupunzi
    Member
    Plugin Author

    Posted 1 year ago #

    In the latest 1.2.5 update the base64 encoding has been removed. It should not get flagged as malicious by the server anymore.
    Bye,
    Matteo
