AntiVirus
[resolved] AntiVirus may contain malicious executable code (7 posts)

  1. cscottb
    Member
    Posted 1 year ago #

    After installing AntiVirus, I did a Wordfence Scan and it came up with this warning:

    "This file may contain malicious executable code
    Filename: wp-content/plugins/antivirus/antivirus.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 19 secs ago.
    Severity: Critical
    Status New
    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans."

    What is base64 code doing in this file?

    http://wordpress.org/extend/plugins/antivirus/

  2. lion817
    Member
    Posted 1 year ago #

    If this is true about the plugin, then the plugin is a "trojan horse"! However, I tested the zip file on Virustotal.com and it passed all the tests. Also, a website scanner should catch the malware in the plugin on a live site if it's running base64 code, etc. Another thing to do is test it with your desktop antivirus software; it passed Avast too. Finally, you can just open the files in Notepad and see if the code is really there, which I did. Here's what I found in the code:

    private static function php_match_pattern()
    	{
    		return '/(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|base64_encode|base64_decode|create_function|exec|shell_exec|system|passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|pfsockopen|fclose|fread|file_put_contents)\s*?\(/';
    	}
    
    	/**
    	* Check a single line
    	*
    	* @since   0.1
    	* @change  1.3.3
    	*
    	* @param   string   $line  Line to check
    	* @param   integer  $num   Number to check
    	* @return  string   $line  Line with results
    	*/
    
    	private static function check_file_line($line = '', $num)
    	{
    		/* Trim value */
    		$line = trim((string)$line);
    
    		/* Empty values? */
    		if ( !$line or !isset($num) ) {
    			return false;
    		}
    
    		/* Initialize values */
    		$results = array();
    		$output = array();
    
    		/* Search for commands */
    		preg_match_all(
    			self::php_match_pattern(),
    			$line,
    			$matches
    		);
    
    		/* Store result */
    		if ( $matches[1] ) {
    			$results = $matches[1];
    		}
    
    		/* Search for Base64 */
    		preg_match_all(
    			'/[\'\"\$\\ \/]*?([a-zA-Z0-9]{' .strlen(base64_encode('sergej + swetlana = love.')). ',})/',
    			$line,
    			$matches
    		);

    Can't really tell what's going on, it may be just innocent checks for base64, but until someone else chimes in that knows, I'm not using this plugin.

  3. Antivirus
    Member
    Posted 1 year ago #

    Chances are you got this error because of the conflict anti-virus software. It should use only one remedy.

  4. lion817
    Member
    Posted 1 year ago #

    There's no error, it's a warning message he got from a virus scan.

    Please answer cscottb's and my question: What is base64 code doing in your Antivirus plugin!?

  5. esmi
    Forum Moderator
    Posted 1 year ago #

    1. Antivirus is not this plugin's author. S/he just happens to have a similar username.

    2. Any plugin that scans for base64 or eval() code will reference the same in its own files. None of the code posted above is malicious.

  6. What is base64 code doing in your Antivirus plugin!?

    @lion817? Calmly please. That's not obfuscated code, that's code that is apparently used to locate and report on some of that badness.

    Look at line 817 of antivirus.php and you see some more of what that plugin is attempting to identify.

  7. cscottb
    Member
    Posted 1 year ago #

    I just activated the latest version of the AntiVirus plugin (1.3.4) and ran a Wordfence (3.6.8) scan, and there was no warning about the AntiVirus plugin.
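
Added example, not part of the original thread and not code from Wordfence or the AntiVirus plugin: a simplified stand-in for the "eval and base64 on the same line" heuristic the warning describes, run against the plugin's own pattern line quoted above, next to a check that ignores string literals and comments. The function names and the two constructed sample lines are assumptions made for illustration.

```python
import re

# Pattern line from the plugin excerpt quoted in the thread (a PHP string literal).
PLUGIN_LINE = r"""return '/(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|base64_encode|base64_decode|create_function|exec|shell_exec|system|passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|pfsockopen|fclose|fread|file_put_contents)\s*?\(/';"""
# Constructed samples: a real eval-of-decoded-data call, and a harmless comment.
OBFUSCATED_LINE = "eval(base64_decode('ZWNobyAiaGkiOw=='));"
COMMENT_LINE = "$ok = true; // report eval and base64_decode usage"

# Naive heuristic (assumed): both names appear anywhere on one line.
_BOTH_NAMES = re.compile(r"\beval\b.*\bbase64_decode\b|\bbase64_decode\b.*\beval\b")
# Single- or double-quoted PHP string literals, honouring backslash escapes.
_STRING = re.compile(r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"')
_LINE_COMMENT = re.compile(r"//.*$|#.*$")
_EVAL_CALL = re.compile(r"\beval\s*\(")
_B64_CALL = re.compile(r"\bbase64_decode\s*\(")


def naive_flag(line):
    """Flag any line that merely mentions eval and base64_decode together."""
    return bool(_BOTH_NAMES.search(line))


def call_aware_flag(line):
    """Flag only when both functions are actually called in code,
    after blanking string literals and trailing line comments.
    Works per line, so multi-line strings and block comments are not handled."""
    code = _STRING.sub("''", line)
    code = _LINE_COMMENT.sub("", code)
    return bool(_EVAL_CALL.search(code) and _B64_CALL.search(code))


def compare(samples):
    """Return {label: (naive_result, call_aware_result)} for each sample line."""
    return {label: (naive_flag(text), call_aware_flag(text))
            for label, text in samples.items()}


if __name__ == "__main__":
    results = compare({
        "plugin pattern": PLUGIN_LINE,
        "obfuscated call": OBFUSCATED_LINE,
        "comment only": COMMENT_LINE,
    })
    for label, (naive, aware) in results.items():
        print(f"{label:16} naive={naive!s:5} call_aware={aware}")
```

The plugin's pattern line trips the naive check because the function names sit inside a regex string, which is the situation esmi describes; the call-aware check still flags the constructed eval(base64_decode(...)) line.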

Topic Closed

This topic has been closed to new replies.
