WordPress.org

Wordfence Security
[resolved] Latest version causing major issues with major plugins (20 posts)

  1. slui
    Member
    Posted 5 months ago #

    Hi,

    I just installed the latest version and it is causing problems with the following major plugins (all latest versions):

    1. Backup Buddy
    2. Gravity Forms
    3. Justified Image Grid

    Wordfence has told me that all these plugins have malicious code. The previous version made no mention of this, and now it does?

    Need help in getting this resolved.

    sl

    https://wordpress.org/plugins/wordfence/

  2. Kevin
    Member
    Posted 5 months ago #

    I have had a similar issue with my theme - based on the themify platform. It detects img.php as a Severe issue. There are other files too on the Themify platform that are now being flagged as severe threats. None of this was happening before.

    The plugin Updraftplus file updraftplug.php is flagged as not being a part of the plugin (it is the main plugin file) and hence a security issue.

  3. Heikki Hyppänen
    Member
    Posted 5 months ago #

    Same here with Gravity Forms and Backup Buddy. I think naive checking for base64 and certain other functions is way too prone to false positives.

  4. arcarcane2012
    Member
    Posted 5 months ago #

    First, I should mention that perhaps I have WP installed wrong, but this is the first time I've seen behaviour like this.

    My setup is that I have WP installed on a main domain, and then in a sub-domain. The subdomain is a folder within the main folder.

    So, when scanning, the main domain reports that there are several files that may have malicious executable code - in the subdomain.

    The first thing I do before taking the site offline is to scan the subdomain through its own installation of Wordfence.

    *cue the sound of crickets chirping...*
    Nothing. The scan comes back clean.

    Scan again with the main domain's installation
    Immediately it comes back with all of these "infections".

    So, the next thing I do is hit the forums and find this post. I don't think I'll delete the files, but I will compare them to the ones in the main domain's installation.

    Mark, if required, I still have access set up for you.
    Thanks
    Tammi

  5. tfagen
    Member
    Posted 5 months ago #

    Same problem with wp-content/plugins/wp-super-cache/wp-cache.php, some woocommerce files and other plugins.

  6. Chris M.
    Member
    Posted 5 months ago #

    Same problem with Gravity Forms, MemberMouse, and BackWPup Pro.

    I'm getting all kinds of "eval" and other warnings... If you look at the files though, you see that it was the word "evaluate" and not "eval"... It seems that WordFence is being too aggressive here.

    Please fix this!

  7. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    Thanks for the reports folks. The patterns for this detection are on our scanning server, so I've modified the algorithm. I'm going to go into a bit of detail here on how it worked and now works:

    The version we released yesterday looks for 'eval' and if it finds it, it looks for any of the following without quotes:

    'base64_decode', 'unpack', 'str_rot13', 'urldecode'

    If one of these is found, then the file is flagged.

    The new algorithm does the same, except we're suffixing all matches with a single parenthesis. So we look for eval( and then match on base64_decode(

    This modification is now live. You don't need to do anything to get it.

    I'm going to leave this open and see if things improve. If not, I'll temporarily disable it.

    The reason we added this is because an Arabic hacker published a method that could circumvent our script detection and this will catch the new circumvention.

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

  8. slui
    Member
    Posted 5 months ago #

    Hi Mark,

    Thanks for the post. Your new algorithm has indeed fixed some of the issues. The issue with Gravity Forms and Justified Image Grid has been resolved, but Backup Buddy has not.

    In fact, it has found other files to be marked as malicious within Backup Buddy. The files flagged with Backup Buddy seem to be the encryption scripts and the compression scripts.

    I'll be checking some other sites I have to see if it still persists.

    sl

  9. Chris M.
    Member
    Posted 5 months ago #

    Hello WordFence Support!

    Even after the update I am getting these things flagged (OptinMonster, a premium plugin). These are only snippets, just to show where the so-called "eval" occurs:

    foreach ($val as $key2 => $val2) {
        $rs .= '<member><name>' . xmlrpc_encode_entitites($key2, $GLOBALS['xmlrpc_internalencoding'], $charset_encoding) . "</name>\n";
        //$rs.=$this->serializeval($val2);
        $rs .= $val2->serialize($charset_encoding);
        $rs .= "</member>\n";
    }
    // array
    $rs .= "<array>\n<data>\n";
    for ($i = 0; $i < count($val); $i++) {
        //$rs.=$this->serializeval($val[$i]);
        $rs .= $val[$i]->serialize($charset_encoding);
    }
    // DEPRECATED
    function serializeval($o)
    {

  10. Steven Stern
    Member
    Posted 5 months ago #

    It's flipping out on 'eval' in Slim Jetpack, too.

  11. arcarcane2012
    Member
    Posted 5 months ago #

    Thanks Mark,

    This took the list of malicious executable code reports from 10 to 3, the ones still flagged are:

    wp-admin/press-this.php - This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode(' (without quotes).

    wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/datamapper/class.datamapper_driver_base.php - This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode(' (without quotes).

    wp-admin/includes/class-pclzip.php - This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'unpack(' (without quotes).

    And once again, as mentioned, the sub-domain scan turns up nothing, but the main domain scan is flagging files in the sub-domain's WP installation.

  12. Kevin
    Member
    Posted 5 months ago #

    After the update, for Themify, it identifies the following file

    themify/themify-utils.php

    and still marks the warning as Severe with the message

    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode(' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.

    The Updraftplus.php file has changed from a Severe to a Warning.

  13. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    OK guys here's what I think we should do:

    This new detection is very sensitive and useful if your site has been hacked. But it's clearly kicking out a lot of false positives. So I've made a change on our server that has the effect of disabling it.

    If you could do a scan to verify it's fixed I'd appreciate it.

    Then I'm going to add an option to increase scan sensitivity to "high" which will enable this feature. The default sensitivity will be 'low'.

    That'll let us add a few other features which might yield false positives but which admins cleaning sites will love.

    We have a fix for another issue that was introduced in 4.0.2 which needs to go out today, so you'll see that feature today (scan sensitivity).

    Let me know if you have any feedback on this in the next few minutes if you could. I'll check back on this thread after making the rest of my support rounds, probably in 30 mins.

    Thanks for all the help!! (Leaving this open for now)

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

  14. slui
    Member
    Posted 5 months ago #

    Hi Mark,

    I did another scan and now I have no issues to report. Thanks.

    sl

  15. arcarcane2012
    Member
    Posted 5 months ago #

    Looks good on this end too.

  16. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    OK thanks. As I'm writing this version 4.0.3 is being pushed out and will be in the repository in a few seconds and will show up as a new version within an hour.

    It contains a checkbox under scanning which enables "high sensitivity" scans. This re-enables this feature, but we search for eval( with a parenthesis on the end along with the other functions. It's off by default, but it's there if you're doing a site cleaning or some other activity that needs high sensitivity.

    I'm marking this resolved in a few minutes unless anyone has any objections.

    Regards,

    Mark.

  17. barker2k
    Member
    Posted 5 months ago #

    Updated to version 4.0.2 this morning. I attempted to block a network from whois lookup and received this error:

    You are trying to block yourself. Your IP address is (67.xx.xx.xx) which falls into the range of 144.76.0.0. This blocking action has been cancelled so that you don't block yourself from your website.

    My IP range does not fall into the range shown. This error pops up each time I attempt to block a range of IPs. Is this caused by the plugin?

  18. Nikola Nikolov
    Member
    Posted 5 months ago #

    Hi Mark,

    Thanks for the devoted involvement. I'm just thinking of what would happen if the hacker uses let's say eval (... or `eval
    (` - I just checked and PHP seems to be fine with parenthesis being on a new line or with any amount of whitespace between the function name and the parenthesis.

    Technically in all cases that I've seen a hacker's code it's usually on one line with no spaces whatsoever, but if I was a hacker and just adding some whitespace would allow me to go around the scans - I would totally do that.

    I think that regex is (unfortunately) the only option in this case - I know that it's way more expensive, especially if you're parsing big files, but I don't know if there is an alternative (except maybe parsing the files with http://php.net/token_get_all - but I don't know which one would be faster/more reliable).

    Nikola
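
    The three detection rules discussed in this thread side by side: the 4.0.2 substring check Mark describes in post 7, the server-side revision that requires a '(' after each name, and a word-boundary regex that tolerates the whitespace between the name and the parenthesis that Nikola raises above. This is an added illustration, not Wordfence's scanner code and not code posted by anyone in the thread; the file contents it scans are constructed strings standing in for PHP source, and the rule names are hypothetical. The base64 payload in the sample decodes to the word "hello".

```python
import re

# Constructed sample "files" (strings standing in for PHP source), chosen to
# reproduce the cases reported in the thread. Not real plugin files.
SAMPLES = {
    # Benign: the word "evaluate" in a comment plus a base64_decode() call
    "settings.php": "<?php\n// evaluate the stored settings\n$cfg = base64_decode($row['cfg']);\n",
    # Benign: a method named serializeval, which contains "eval(" as a substring
    "xmlrpc.php": "<?php\nfunction serializeval($o) {\n  return unpack('N', $o);\n}\n",
    # The one-line pattern the heuristic was written for (payload decodes to "hello")
    "obfuscated-a.php": "<?php eval(base64_decode('aGVsbG8='));\n",
    # Same construct with a newline between the name and the parenthesis
    "obfuscated-b.php": "<?php\neval\n(str_rot13($x));\n",
    # Nothing of interest
    "clean.php": "<?php echo 'hello';\n",
}

# Decoder names listed in post 7.
DECODERS = ("base64_decode", "unpack", "str_rot13", "urldecode")


def flag_v402(src):
    """Rule as described for 4.0.2: 'eval' anywhere plus any decoder name anywhere."""
    return "eval" in src and any(d in src for d in DECODERS)


def flag_paren(src):
    """Server-side revision: each name must be followed directly by '('."""
    return "eval(" in src and any(d + "(" in src for d in DECODERS)


# PHP function names are case-insensitive, hence IGNORECASE. The \b stops
# "serializeval(" and "evaluate" from matching; \s* allows any whitespace,
# including a newline, between the name and '('.
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
DECODER_RE = re.compile(r"\b(?:" + "|".join(DECODERS) + r")\s*\(", re.IGNORECASE)


def flag_regex(src):
    """Word-boundary regex variant: tolerates whitespace, rejects longer identifiers."""
    return bool(EVAL_RE.search(src)) and bool(DECODER_RE.search(src))


def scan(samples, rule):
    """Return the sorted names of samples that a given rule flags."""
    return sorted(name for name, src in samples.items() if rule(src))


if __name__ == "__main__":
    for rule in (flag_v402, flag_paren, flag_regex):
        print(f"{rule.__name__:10s} flags: {scan(SAMPLES, rule)}")
```

    Running it shows the progression the thread went through: the substring rule flags settings.php and xmlrpc.php (the "evaluate" and "serializeval" false positives); the '(' suffix clears "evaluate" but still flags "serializeval(" and no longer sees the newline-separated call; the regex flags only the two obfuscated samples. The regex still cannot tell a legitimate eval( plus unpack( (as in class-pclzip.php from post 11) from a malicious one, which is why the thread ends with this check behind a "high sensitivity" option rather than on by default.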

  19. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    barker2k: That's been fixed in 4.0.3.

    nikolov: I'm aware of this and we actually have a huge number of regex patterns we also use which pick up tricks like this. However we're constantly working to improve and as I added those parens I thought about the "eval (" case you mentioned. However, this release erred a little too far on the side of over-detection at the cost of convenience. So we had to pull back a little with 4.0.3 and we'll keep pushing forward making an effort to avoid inconvenience.

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

  20. HelenNovice
    Member
    Posted 5 months ago #

    I downloaded the 4.3 version, ran a scan and still get the Backup Buddy error/ warning messages.
