Exploit Scanner
[resolved] 0.97.6 plugin says "hashes-3.1.php missing" (14 posts)

  1. fwchapman
    Member
    Posted 3 years ago #

    Hello,

    I'm trying the 0.97.6 plugin for the first time on a couple of different WordPress 3.1 sites. One site is very minimal, with the default Twenty Ten 1.2 theme and only one other plugin, namely WordPress HTTPS.

    After running a scan, I get hundreds of messages! The first message is this:

    hashes-3.1.php missing
    The file containing hashes of all WordPress core files appears to be missing; modified core files will no longer be detected and a lot more suspicious strings will be detected

    I suspect this is the source of most or all of the other messages.

    Can anything be done to fix this?

    Thank you,

    Fred Chapman
    Bethlehem, PA

  2. Jon Cave
    WordPress Dev
    Plugin Author

    Posted 3 years ago #

    A new release for WordPress 3.1 will be coming shortly. Just waiting to see if I could track down and fix a bug others have been experiencing.

  3. fwchapman
    Member
    Posted 3 years ago #

    Jon,

    Thanks for your speedy reply! I look forward to the new version of your plugin. Thanks for all your hard work!

    Fred

  4. fwchapman
    Member
    Posted 3 years ago #

    Jon,

    I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

    Instead of hundreds of messages, I now get only dozens. There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal? I have a lot of security plugins installed and the site seems to be running normally. Should I just use this as a baseline indicator to identify possible future attacks?

    Thanks again,

    Fred

  5. Jon Cave
    WordPress Dev
    Plugin Author

    Posted 3 years ago #

    > I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

    No problem, and thanks :) I try to get hash updates out within hours of a WordPress release but just delayed a bit this time for other reasons.

    > There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal?

    It depends on your choice of plugins -- I assume some of the other plugins you are running are being flagged. I don't have anything like that picked up on my installs except for testing the scanner.

    All matches have to be interpreted in context. Those functions can be used for non-malicious purposes (otherwise they wouldn't be provided by PHP!), but they are very common in malicious code which is why the plugin searches for them. If you have the understanding to look through the plugin code (something I would do for any plugin I install) to see how these functions are used then it's safe to ignore that output and use it as a baseline. If you're seeing matches in modified core files or in previously unheard of locations (maybe hidden away in an innocuous file name in wp-includes) then you should be more worried.

  6. fwchapman
    Member
    Posted 3 years ago #

    Jon,

    Thanks for your in-depth reply. Most of the severe messages are from plugins which I recently installed. Only two severe messages are from WordPress core files:

    wp-includes/class-ixr.php:249
    $value = base64_decode( trim( $this->_currentTagContents ) );

    php.ini:982
    ; error_reporting(0) around the eval().

    Is the first one cause for concern? The second one is just a comment, so I don't know why it's been flagged.

    Thanks,

    Fred

  7. Jon Cave
    WordPress Dev
    Plugin Author

    Posted 3 years ago #

    > Is the first one cause for concern?

    Possibly yes. The scanner only looks in core files if they have been modified. However, I notice that you're seeing class-ixr.php whereas that file is called class-IXR.php in 3.1 and the line that got highlighted was changed between 3.0 and 3.1 to remove the trim. So looks like something weird has happened there, although that line is fine.

    > The second one is just a comment, so I don't know why it's been flagged.

    The scanner doesn't make any distinction between file type, comments, etc. And php.ini isn't a core WordPress file.

  8. fwchapman
    Member
    Posted 3 years ago #

    Jon,

    Thanks for explaining this. I didn't notice that I had an old version of class-ixr.php. I deleted it and reduced my severe messages by one. :)

    What do you think of the idea of allowing users to define their own baseline? In other words, would it be feasible and worthwhile to let users tell the scanner to ignore a particular error in future scans? That way, if something truly malicious does occur, it won't be buried under a pile of messages which are not cause for concern. I think a feature like that would make the scanner much more valuable.

    Fred
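
Added example, not part of the original thread and not Exploit Scanner's own code: a Python illustration of the behaviour described in the posts above (core files whose hash matches the manifest are skipped, everything else is searched for `eval(` and `base64_decode(` with no regard for comments or file type), combined with the user-defined baseline suggested in the post above. The manifest format, the use of SHA-256, the regex and all function names are assumptions, and the sample tree is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Functions the thread says the scanner searches for; the regex is an assumption.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode)\s*\(")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fingerprint(rel: str, line: str) -> str:
    # Keyed on path + line content, not line number, so an edited line resurfaces.
    return sha256(f"{rel}\0{line.strip()}".encode())[:16]

def scan(root, core_hashes, baseline=frozenset()):
    """Return (modified_core_files, findings); findings are (path, lineno, line, id)."""
    root = Path(root)
    modified, findings = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel in core_hashes:
            if sha256(data) == core_hashes[rel]:
                continue            # pristine core file: not searched
            modified.append(rel)    # modified core file: reported and searched
        for no, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            if SUSPICIOUS.search(line) and fingerprint(rel, line) not in baseline:
                findings.append((rel, no, line.strip(), fingerprint(rel, line)))
    return modified, findings

def demo():
    # Constructed sample tree and manifest; not real WordPress files or hashes.
    core = b"<?php $x = base64_decode($y);\n"
    files = {
        "wp-includes/core-file.php": core,                        # matches manifest
        "wp-includes/class-ixr.php": b"<?php $v = base64_decode( trim( $c ) );\n",
        "php.ini": b"; error_reporting(0) around the eval().\n",  # comment still matches
        "wp-content/plugins/demo/demo.php": b"<?php eval($code);\n",
    }
    manifest = {"wp-includes/core-file.php": sha256(core),
                "wp-includes/class-IXR.php": sha256(b"<?php // 3.1 version\n")}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        _, first = scan(tmp, manifest)
        accepted = {f[3] for f in first if f[0] != "wp-includes/class-ixr.php"}
        _, second = scan(tmp, manifest, accepted)
    return first, second
```

In `demo()`, the stale lowercase `class-ixr.php` is searched because the manifest lookup is case-sensitive and only lists `class-IXR.php`; after the reviewed plugin and `php.ini` matches are accepted into the baseline, it is the only finding left in the second scan.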

  9. jwgrendel
    Member
    Posted 3 years ago #

    I just got the missing-hashes-file message running Exploit Scanner 1.0.1 with WordPress 3.1.2.

    Is this also just a case of the plugin needing an update?

    Jill Williams

  10. PeacockAndPaisley
    Member
    Posted 3 years ago #

    Hi, I just got the same message, too, about 3.1.2.

    Thanks!

  11. Jon Cave
    WordPress Dev
    Plugin Author

    Posted 3 years ago #

    Done, sorry for the delay. Update notifications should be visible in dashboards soon.

  12. PeacockAndPaisley
    Member
    Posted 3 years ago #

    No problem; thank you!

  13. sokratesagogo
    Member
    Posted 3 years ago #

    Just downloaded the development version and can't see the 3.2x hashes..

  14. Travelgrove
    Member
    Posted 3 years ago #

    @sokratesagogo: me neither.. any info when will that be available?

Topic Closed

This topic has been closed to new replies.
