• Resolved ginmi

    (@ginmi)


    I’ve recently installed a theme on my site which recommends the use of the Redux framework plugin which I have also installed.

    The first scan Wordfence run on my site after the new theme was applied, I received the following warning:

    This file may contain malicious executable code:
    …/wp-content/themes/evolve/library/admin/redux-extensions/extensions/vendor_support/vendor/ace_editor/mode-php.js

    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code.

    I posted this issue in the support forums and both the theme creator and the lead developer of Redux assured me it was a false positive.

    The lead developer of Redux further added:

    First, Ace Editor is an open source project used by endless companies on the net. You can see details about it here: http://ace.c9.io/

Wordfence is giving a PHP flag error for a JavaScript file, which means it’s just mass searching for strings using regex. If you search the source of the file in question (https://github.com/ajaxorg/ace/blob/master/lib/ace/mode/php/php.js), you’ll see that there is NO eval() anywhere, but there is reference to the EVAL name. Which means they’re just searching for eval, not eval( or eval (.

    My suggestion is you contact Wordfence and suggest to them to improve their regex, so that something as simple as this does not cause an error. For truly, this is a false alarm.

    You might want to take a look at fixing this as the Redux framework is relatively widely used and you don’t wanna scare people for no reason.

    https://wordpress.org/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Thanks for reporting this, we don’t see many false positives.

    I tried installing the same theme here, and verified that I have the file mentioned above, but I don’t get a warning in Wordfence when I run a scan, even if I enable “high sensitivity” on the Options page.

    Are you using the latest version of Wordfence, 6.0.15?

    If this is happening in the latest version of Wordfence, please email me these two things:
    1. A copy of the “mode-php.js” file from your server
    2. Your Wordfence settings (detailed below)

    My email address is: mattr [at] wordfence.com

    To export your Wordfence settings to send to me, go to the Wordfence Options page, scroll to the bottom, and click the Export Wordfence Settings button. This will give you a very long “token” of letters and numbers, which will let me use the same settings that you have. Just paste that in the body of the email.

    Once I get your email, I will check it out. Thanks!

    @wfmattr – Lead dev of Redux here. Let me know if there’s anything on my end we can do. 😉

    Plugin Author WFMattR

    (@wfmattr)

    Dovy: Great, thanks for the offer! Can you tell me if you just added Ace Editor in your latest release? Or if not, was it just updated to a new version in this release?

    Plugin Author WFMattR

    (@wfmattr)

    I’ve submitted this to the dev team to check out, and did reproduce the problem here. It only happens when Wordfence is set to be more strict and include .js, images, and other files in the scans for PHP issues. (This option is available because some hacks rely on uploaded files that are not PHP files, but contain PHP code.)

    Received this same error only after updating the Redux Framework to 3.5.8.1

    Scan ran last night and pointed out this same file as containing malicious malware:

    wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js

    So this is a false positive I can ignore, correct?

    Yea, that’s typical. The ace-editor throws some flags. It’s completely safe though. You can check out the actual project: https://ace.c9.io/ We just embed it within Redux. 😉

    Plugin Author WFMattR

    (@wfmattr)

    @dovy: Thanks for the quick reply!

    @codyecp: If you mark this file as fixed on the Wordfence scan page, and then run another scan manually, does it still appear? I’ve tried scanning with the strict options enabled and disabled while the Redux plugin is installed, and tried turning some of the other related options on and off, and haven’t seen any warnings on two servers.

    This issue is a little different from the original request, where it was the Redux framework bundled in the Evolve theme, while this one is the Redux plugin. There was a fix in a recent version of Wordfence for scanning themes, which seems to have fixed the original issue with the false positive in the theme.

    Thanks!

    -Matt R

    Just marked as fixed, ran the scanner and it comes out clean (no false positive).

    🙂

    Plugin Author WFMattR

    (@wfmattr)

    Ok, then it looks like the scan must have been run between when the new version of the plugin was released, and the time when the Wordfence scanning servers processed it. For files that are scanned during that period, Wordfence will do a more thorough scan, since it cannot verify that the file isn’t modified from the original version.

    Once the scanning server has processed the file after a new release, the warning should not happen again.

    I’ve mentioned the issue to the dev team, so if there is a way to prevent this in the future, without missing malicious files I’m sure it will be implemented. Unfortunately, PHP is very flexible in what it allows near “eval” and other keywords and functions (even comments between “eval” and its open parentheses), so it doesn’t look like the regex could be refined without making it extremely slow for the volume of files that are scanned.

    It should be fairly rare that this happens, but still may come up from time to time.

    -Matt R
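The post above describes why a line-based "eval plus base64 decode" signature fires on a minified keyword list and why tightening it is not free: PHP accepts whitespace and even comments between `eval` and its opening parenthesis. The following is an added illustration in Python, not code from this thread, from Wordfence or from Redux/Ace. The sample lines are constructed to resemble the two cases (a JS keyword table and an obfuscated PHP one-liner), `NAIVE` is an assumed stand-in for a loose signature (the real Wordfence rule is not shown on this page), and `STRICT` shows one way a pattern can require an actual call while still tolerating the comment gap.

```python
import re

# Constructed sample: one long minified line where a PHP function list
# (containing base64_decode) and a JS globals list (containing eval) meet,
# much like a JS syntax-highlighter's mode file does.
ACE_LIKE_LINE = (
    'var b="abs|acos|base64_decode|base64_encode|strlen".split("|");'
    'var g="EvalError|RangeError|eval|isFinite|parseInt|JSON".split("|");'
)

# Constructed samples of the obfuscation the signature is meant to catch.
# PHP allows a comment (block or line) between "eval" and "(".
WEBSHELL_BLOCK_COMMENT = '<?php eval /* hi */ (base64_decode("cGhwaW5mbygpOw=="));'
WEBSHELL_LINE_COMMENT = '<?php eval # note\n(base64_decode("cGhwaW5mbygpOw=="));'

# Loose rule (assumed): both tokens anywhere on the same line, in either order.
NAIVE = re.compile(r'eval.*base64_decode|base64_decode.*eval', re.DOTALL)

# Anything PHP lets you put between a name and its "(":
# whitespace, /* ... */ block comments, or //- and #-style line comments.
PHP_GAP = r'(?:\s|/\*.*?\*/|//[^\n]*\n|#[^\n]*\n)*'

# Tightened rule: a real eval( call whose argument list contains a real
# base64_decode( call. Word boundaries stop "EvalError" from matching.
STRICT = re.compile(
    r'\beval' + PHP_GAP + r'\(' + r'.*?' + r'\bbase64_decode' + PHP_GAP + r'\(',
    re.DOTALL,
)


def naive_flags(text: str) -> bool:
    """Return True when the loose same-line heuristic fires."""
    return NAIVE.search(text) is not None


def strict_flags(text: str) -> bool:
    """Return True only when eval(...) actually wraps a base64_decode(...) call."""
    return STRICT.search(text) is not None


def classify(text: str) -> str:
    """Label a sample: 'clean', 'suspicious' (both rules agree) or
    'naive-only' (the loose rule fires but the call-shape rule does not,
    i.e. the false-positive case discussed in the thread)."""
    n, s = naive_flags(text), strict_flags(text)
    if s:
        return "suspicious"
    return "naive-only" if n else "clean"


def php_scan_applies(path: str, include_non_php: bool) -> bool:
    """Mirror the option described above: by default only .php files get the
    PHP-code signatures; with the strict option every file does (hypothetical
    helper, not the plugin's own logic)."""
    return include_non_php or path.lower().endswith(".php")


if __name__ == "__main__":
    for name, sample in [("ace-like js", ACE_LIKE_LINE),
                         ("block-comment eval", WEBSHELL_BLOCK_COMMENT),
                         ("line-comment eval", WEBSHELL_LINE_COMMENT)]:
        print(f"{name:20s} -> {classify(sample)}")
    print("mode-php.js scanned by default?",
          php_scan_applies("wp-content/plugins/x/mode-php.js", False))
```

Note that `STRICT` uses a lazy `.*?` with `DOTALL`, so it still has to walk forward from every `eval(` it finds; on a multi-megabyte minified file that is the cost the post refers to, and a production scanner would want to bound the distance between the two calls rather than allow an unbounded gap.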

    Hi,

    I’ve got the same warning

    Alert generated at Friday 22nd of April 2016 at 08:30:21 AM

    Critical Problems:

    * File appears to be malicious: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js

    Latest versions of the WP and plugin in use.

    May I ignore this alert?

    Thanks

    File appears to be malicious: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js
    Filename: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js
    File type: Not a core, theme or plugin file.
    Issue first detected: 55 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “EvalError|InternalError|RangeError|ReferenceError|StopIteration|SyntaxError|TypeError|URIError|decodeURI|decodeURIComponent|encodeURI|encodeURIComponent|eval|isFinite|isNaN|parseFloat|parseInt|JSON|Ma…”. The infection type is: Suspicious eval with base64 decode.

    I assure you, it is not. ace_editor is a well-known product that many people use. It’s a false alert.

    What product gives you these alerts? I would love to find a way to fix these warnings if I knew how to reproduce them on my end. 😉

    I too have had the same alert running Evolve + theme with the exact same error. Reinstalled the latest version of wp-content/themes/evolve-plus/library/admin/redux-extensions/extensions/vendor_support/vendor/ace_editor/mode-php.js from a freshly downloaded theme bundle and got the same error on Wordfence.

    When I mark it as “fixed” and do a rescan the file is marked again as a critically severe error.

    Seems like the problem remains.
    Any chance that Wordfence can be updated to avoid this false positive?

  • The topic ‘False positives with the Redux Framework’ is closed to new replies.