WordPress.org

1. cscottb
   Member
   Posted 8 months ago #
   

   After installing AntiVirus, I did a Wordfence Scan and it came up with this warning:

   "This file may contain malicious executable code
   Filename: wp-content/plugins/antivirus/antivirus.php
   File type: Not a core, theme or plugin file.
   Issue first detected: 19 secs ago.
   Severity: Critical
   Status New
   This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans."

   What is base64 code doing in this file?

   http://wordpress.org/extend/plugins/antivirus/

2. lion817
   Member
   Posted 5 months ago #
   

   If this is true about the plugin than the plugin is a "trojan horse"! However, I tested the zip file on Virustotal.com and it passed all the tests. Also a website scanner should catch the malware in the plugin on a live site if its running base64 code, etc. Another thing to do is test it with your desktop antivirus software--it passed Avast too. Finally you can just open the files in Notepad and see if the code is really there?..which I did. Here's what I found in the code:

   private static function php_match_pattern()
   	{
   		return '/(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|base64_encode|base64_decode|create_function|exec|shell_exec|system|passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|pfsockopen|fclose|fread|file_put_contents)\s*?\(/';
   	}
   
   	/**
   	* Prüfung einer Zeile
   	*
   	* @since   0.1
   	* @change  1.3.3
   	*
   	* @param   string   $line  Zeile zur Prüfung
   	* @param   integer  $num   Nummer zur Prüfung
   	* @return  string   $line  Zeile mit Resultaten
   	*/
   
   	private static function check_file_line($line = '', $num)
   	{
   		/* Wert trimmen */
   		$line = trim((string)$line);
   
   		/* Leere Werte? */
   		if ( !$line or !isset($num) ) {
   			return false;
   		}
   
   		/* Werte initialisieren */
   		$results = array();
   		$output = array();
   
   		/* Befehle suchen */
   		preg_match_all(
   			self::php_match_pattern(),
   			$line,
   			$matches
   		);
   
   		/* Ergebnis speichern */
   		if ( $matches[1] ) {
   			$results = $matches[1];
   		}
   
   		/* Base64 suchen */
   		preg_match_all(
   			'/[\'\"\$\\ \/]*?([a-zA-Z0-9]{' .strlen(base64_encode('sergej + swetlana = love.')). ',})/',
   			$line,
   			$matches
   		);

   Can't really tell whats going on, it maybe just innocent checks for base64, but until someone else chimes in that knows, I'm not using this plugin.

3. Antivirus
   Member
   Posted 3 months ago #
   

   Chances are you got this error because of the conflict anti-virus software. It should use only one remedy.

4. lion817
   Member
   Posted 3 months ago #
   

   There's no error, its a warning message he got from a virus scan.

   Please answer cscottb's and my question What is base64 code doing in your Antivirus plugin!?

5. esmi
   Theme Diva & Forum Moderator
   Posted 3 months ago #
   

   1. Antivirus is not this plugin's author S/he just happens to have a similar username.

   2. Any plugin that scan for base64 or eval() code will reference the same in its own files. None of the code posted above is malicious.,

6. Jan Dembowski
   Volunteer Mod. & Brute Squad
   Posted 3 months ago #
   

   What is base64 code doing in your Antivirus plugin!?

   @lion817? Calmly please. That's not obfuscated code, that's code that is apparently used to locate and report on some of that badness.

   Look at line 817 of antivirus.php and you see some more of what that plugin is attempting to identify.

7. cscottb
   Member
   Posted 1 week ago #
   

   I just activated the latest version of the AntiVirus plugin (1.3.4) and ran a Wordfence (3.6.8) scan, and there was no warning about the AntiVirus plugin.

Reply

You must log in to post.