Wordfence Security
[resolved] Malware detection too sensitive? (6 posts)

  1. Craig
    Member
    Posted 1 year ago #

    Perhaps a little extra checking required but shouldn't a URL not trip the malware scan if it's in a comment block attributing the plugin to the author's (recently infected) website?

    Even if the URL was neutered by removing http:// the scanner still trips on the URL.

    In this case any line, comment or not, tripped the scanner if it contained gmarwaha.com

    As a data point, Sucuri and Google scan the theme and script as clean.

    Malware report:
    File contains suspected malware URL: /.../wp-content/themes/nevada/javascripts/jquery.jcarousellite.js
    Filename: wp-content/themes/nevada/javascripts/jquery.jcarousellite.js
    Bad URL: http://gmarwaha.com/jquery/jcarousellite/

    http://wordpress.org/extend/plugins/wordfence/

  2. Kpthaddoc
    Member
    Posted 1 year ago #

    I get the same error in Wordfence:

    File contains suspected malware URL: ....../wp-content/themes/modernize/javascript/jquery.jcarousellite.js
    
    Filename: modernize/wp-content/themes/modernize/javascript/jquery.jcarousellite.js
    Bad URL: http://gmarwaha.com/jquery/jcarousellite/
    File type: Not a core, theme or plugin file.
    Issue first detected: 38 mins ago.
    Severity: Critical
    Status: New
    
    This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: http://gmarwaha.com/jquery/jcarousellite/ - More info available at Google Safe Browsing diagnostic page.
  3. Wordfence
    Member
    Plugin Author

    Posted 1 year ago #

    This is a legitimate malware URL. If your browser didn't alert you then it's because our database is ahead of whatever Chrome is using. Chrome is now alerting when you try to visit that site.

    It doesn't matter who gets infected, we will always alert because no matter how trusted the site owner is, their site has been flagged by Google. That means if you link to them in any way you risk getting flagged. The file that contains the URL is publicly accessible by Google, that means their crawlers can find it and if you don't remove the URL you risk getting your site flagged.

    So we will always alert on any malware URL we find because even if Google got it wrong, they may decide to lump your site in the same category.

    Regards,

    Mark.

  4. Craig
    Member
    Posted 1 year ago #

    That wasn't my point. Certainly the plugin author's site is struggling with infection issues as Google's safe browser diagnostic shows (as well as Sucuri's scan):
    https://www.google.com/safebrowsing/diagnostic?site=http://gmarwaha.com/jquery/jcarousellite/

    My point though is that all tools except yours say that sites with a plugin from the Author are NOT infected.

    The reason is context. The jQuery plugin in the theme is GPL/Open Source. The license requirements are that the author is given attribution, hence his contact info in the comment block at the top.

    A URL in a comment block does not make a site infected. There's no malware on my blog, the URL isn't in the executable code, nor is the URL presented in any form to a visitor such that they could use it to click through to the author's site.

    There's no risk of Google blocking my site, as Google knows the difference between code and comment. As I said, I've run my site through Google's webmaster tools and safe browser diagnostic page. It sees the difference between the plugin author's site, and mine (with a plugin by the author in a theme).

    The trust of Google or the plugin author isn't in question. I'm pointing out that it's the trust in WordFence that's in question. If WordFence cannot tell the difference between a URL in an HTML or executable code block, and one in a comment block (shouldn't a positive hit at least check if the line begins with a comment character?), how can we have faith in its ability to deal with the real stuff? Trivial false positives only hurt the brand. Either because trust is eroded, or it gets lumped in with the snakeoil like Registry booster/optimizers using false positives to inflate a sense of the product doing something worthwhile.

    Such as with the weak password checking. After reading WordFence's reply to another post that someone made after WordFence not finding their planted weak password, I just went and followed up with creating 11 accounts using a random pick from the 25 most used passwords of 2012 from the millions of hacked ones, plus the top 30 released in the LinkedIn hack.

    After a WordFence scan (and breaking the GPL by removing the plugin author's attribution link from the comment section) I get "Congratulations! you have no security issues on your site".

    Really? I have users with a password of "password" or "12345" or "letmein" and I have no security issues because WordFence "Started password strength check" at 8:51 on my site?

    I love the Alerts, Login Security, and Firewall rules. It's just that with issues like the above, I have to wonder if they're doing what they say they're doing too?

    Please reconsider addressing the above and restoring faith.

    (edit: I see of the 86 passwords in wfDict.php that 2 of them match ones from the set of 11 that I tried.
    1. Perhaps there's a bug in the hash matching
    2. Perhaps the list should at least contain the very public list of the 25 most commonly used passwords released every year by SplashData? http://www.splashdata.com/press/PR121023.htm
    )

  5. Wordfence
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for your input.

    I read it all and will take it into consideration as the product evolves. A quick note re passwords: I'd actually love to throw a very large dictionary at every user account in a WP installation during a scan. But I haven't found a way to do it that doesn't consume a significant amount of CPU during the multiple rounds of hashing required during the check. If you'd like to submit some code that may improve this or any other part of WF I'd love to review it for possible inclusion in the product.

    I am looking at other ways to improve password strength though, so please know that I'm aware of and thinking about this.

    The malware URL situation: I hear you. But I prefer to leave the default at "overly cautious" with an ignore feature already included in the product. I'd rather have feedback like yours than a user whose site was blacklisted by Google because we loosened up the defaults and Google changed their algorithm.

    Regards,

    Mark.

  6. Wil
    Member
    Posted 1 year ago #

    Could you please write in an option to parse/not parse comment blocks in code.

    That way everyone would be happy.
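The context check Craig asks for (does the flagged URL sit in a comment block or in executable code?) and the parse/don't-parse-comments option Wil requests, as an added example that is not Wordfence's code: a small Python scanner that tokenizes JS-like source into code, string and comment segments before matching a blocklist. The blocklist and sample file are constructed; the tokenizer is simplified (no regex literals, no base64 decoding of string contents, which Wordfence does do).

```python
import re

# Constructed blocklist standing in for the malware-URL feed a scanner would consult.
FLAGGED_DOMAINS = {"gmarwaha.com"}
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/[^\s'\"*]*)?", re.I)

def segment(src):
    """Split JS/PHP-like source into (context, text, start_line); context is code/block_comment/line_comment/string."""
    segs, state, quote, start, seg_line, line, i = [], "code", "", 0, 1, 1, 0
    while i < len(src):
        ch, pair, new_state, step = src[i], src[i:i + 2], None, 1
        if state == "code":
            if pair == "/*":   new_state, step = "block_comment", 2
            elif pair == "//": new_state, step = "line_comment", 2
            elif ch in "'\"":  new_state, quote = "string", ch
        elif state == "block_comment" and pair == "*/":
            new_state, step = "code", 2
        elif state == "line_comment" and ch == "\n":
            new_state = "code"
        elif state == "string":
            if ch == "\\":     step = 2          # skip an escaped character such as \"
            elif ch == quote:  new_state = "code"
        if new_state:
            end = i + step if new_state == "code" else i  # a closing delimiter stays with its segment
            segs.append((state, src[start:end], seg_line))
            start, seg_line, state = end, line + src[i:end].count("\n"), new_state
        line += src[i:i + step].count("\n")
        i += step
    segs.append((state, src[start:], seg_line))
    return [s for s in segs if s[1]]

def scan(src, include_comments=True):
    """Return (line, context, url) for every flagged URL; comment-only hits can be skipped."""
    hits = []
    for ctx, text, first in segment(src):
        if not include_comments and ctx.endswith("_comment"):
            continue
        for m in URL_RE.finditer(text):
            dom = m.group(1).lower()
            if any(dom == d or dom.endswith("." + d) for d in FLAGGED_DOMAINS):
                hits.append((first + text[:m.start()].count("\n"), ctx, m.group(0)))
    return hits

# Constructed sample: attribution link in the header comment, plus the same URL in a string literal.
SAMPLE_JS = """/*
 * http://gmarwaha.com/jquery/jcarousellite/   (attribution link in the header comment)
 */
var beacon = "http://gmarwaha.com/jquery/jcarousellite/";  // same URL, but in code
"""
```

Running `scan(SAMPLE_JS)` reports the comment hit on line 2 and the string-literal hit on line 4 separately, so a report can rate the former as attribution and the latter as suspicious; `scan(SAMPLE_JS, include_comments=False)` drops the comment hit entirely.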

Topic Closed

This topic has been closed to new replies.
