malware or false positive?
I am helping the owner of the site clean up and secure it. I have applied all available updates for PHP, WordPress and the plugins, and I am trying to get the scan results down. I have uninstalled and reinstalled plugins to make sure the checksums match, added some code to fix the cURL error 28 by allowing a longer response time, and so on. On the server side I updated as much as was possible.
I have run several scans, with different results.
Cerber flags several plugins that were installed directly from WP-admin, for example:
My Custom Functions plugin — Integrity data not found — Resolve issue. Suspicious code found in /my-custom-functions/inc/php/functional.php
I had a look at several files that report the same error; two of them are shown below.
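I really cant see any malicious code in my humble opinion , but I am not sure.
<?php

/**
 * Prevent Direct Access
 */
defined( 'ABSPATH' ) or die( "Restricted access!" );

/**
 * Prepare the custom code.
 *
 * Reads the plugin's "<settings>_settings" option and, when a snippet is stored
 * and the "enable" flag equals "on", returns the snippet with surrounding
 * whitespace and one optional opening/closing PHP tag removed.
 *
 * @return string The snippet text to be executed, or an empty string.
 */
function spacexchimp_p001_prepare() {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Retrieve options from database and declare variables
    $options = get_option( $plugin['settings'] . '_settings' );
    $data    = ! empty( $options['snippets'] ) ? $options['snippets'] : '';
    $enable  = ! empty( $options['enable'] ) ? $options['enable'] : '';

    // Nothing stored, or the custom code is switched off
    if ( empty( $data ) || $enable != "on" ) {
        return "";
    }

    $data_tmp = trim( $data );

    // Strip one leading "<?php" and one trailing "?>".
    // ltrim()/rtrim() take a character mask, not a prefix: ltrim( $s, '<?php' )
    // would also eat the first letters of a snippet that starts with "p" or "h"
    // (e.g. "print ..."), so the tags are matched as whole strings here.
    if ( strncmp( $data_tmp, '<?php', 5 ) === 0 ) {
        $data_tmp = (string) substr( $data_tmp, 5 );
    }
    if ( substr( $data_tmp, -2 ) === '?>' ) {
        $data_tmp = (string) substr( $data_tmp, 0, -2 );
    }

    // Return the processed data
    return $data_tmp;
}

/**
 * Preparation of the custom code: check the custom code for duplicate names of functions.
 *
 * Extracts every "function NAME(" from the snippet and reports an error when a
 * name appears twice in the snippet or is already defined (user or internal
 * function). The result is also stored in the "<settings>_error" option.
 *
 * @param string $data The snippet text.
 * @return string '1' when a conflict was found, '0' otherwise.
 */
function spacexchimp_p001_preparation_duplicates( $data ) {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Find names of functions declared in the snippet
    preg_match_all( '/function[\s\n]+(\S+)[\s\n]*\(/i', $data, $user_func_names );

    // PHP function names are case-insensitive and get_defined_functions()
    // reports them in lower case, so compare in lower case.
    $user_names = array_map( 'strtolower', $user_func_names[1] );

    $user_func_a = count( $user_names );
    $user_func_b = count( array_unique( $user_names ) );

    // Match the snippet's names against everything that is already declared
    $declared_func          = get_defined_functions();
    $declared_func_user     = array_intersect( $user_names, $declared_func['user'] );
    $declared_func_internal = array_intersect( $user_names, $declared_func['internal'] );

    // Update error status
    $has_conflict = $user_func_a != $user_func_b
        || count( $declared_func_user ) != 0
        || count( $declared_func_internal ) != 0;

    $error_status = $has_conflict ? '1' : '0';
    update_option( $plugin['settings'] . '_error', $error_status );

    // Return error status
    return $error_status;
}

/**
 * Process the custom code.
 *
 * SECURITY: this function runs the stored snippet through eval() each time this
 * file is loaded. That is the plugin's purpose, and it is also the pattern that
 * malware scanners match on. The plugin file being flagged says nothing about
 * whether the site is clean: the PHP that actually runs lives in the
 * "<settings>_settings" option, so that stored value (and who is able to write
 * it) is what has to be reviewed.
 *
 * @return void
 */
function spacexchimp_p001_exec() {

    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();

    // Kill switch: a file named STOP in the plugin path disables execution
    if ( file_exists( $plugin['path'] . 'STOP' ) ) {
        return; // EXIT
    }

    // Get the custom code by calling the "prepare" function
    $data = spacexchimp_p001_prepare();

    // If data is empty...
    if ( empty( $data ) OR $data == ' ' ) {
        return; // EXIT
    }

    // If duplicate function names were found...
    $duplicates = spacexchimp_p001_preparation_duplicates( $data );
    if ( $duplicates != 0 ) {
        return; // EXIT
    }

    // Parse and execute by eval.
    // On PHP 7+ a syntax error in the snippet throws ParseError instead of
    // making eval() return false; without the catch it would be an uncaught
    // fatal error on every request. On older PHP the class does not exist and
    // the catch simply never matches, so the false-return check is kept too.
    try {
        $result = @eval( $data );
    } catch ( ParseError $e ) {
        $result = false;
    }

    if ( false === $result ) {
        update_option( $plugin['settings'] . '_error', '1' ); // ERROR
        return; // EXIT
    }

    update_option( $plugin['settings'] . '_error', '0' ); // RESET ERROR VALUE
}

/**
 * Inject the custom code into the website's backend and frontend
 */
spacexchimp_p001_exec();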
From /advanced-custom-fields-pro/pro/updates.php:
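<?php

if( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

if( ! class_exists('acf_pro_updates') ) :

class acf_pro_updates {

    /**
     * Hooks init() onto the WordPress 'init' action with priority 20.
     */
    public function __construct() {

        // actions
        add_action('init', array($this, 'init'), 20);
    }

    /**
     * Registers the PRO plugin with the ACF updater and, in the admin area,
     * hooks the plugin-list update message.
     *
     * @return void
     */
    public function init() {

        // bail early if no show_updates
        if( !acf_get_setting('show_updates') ) return;

        // bail early if not a plugin (included in theme)
        if( !acf_is_plugin_active() ) return;

        // register update
        acf_register_plugin_update(array(
            'id'       => 'pro',
            'key'      => acf_pro_get_license_key(),
            'slug'     => acf_get_setting('slug'),
            'basename' => acf_get_setting('basename'),
            'version'  => acf_get_setting('version'),
        ));

        // admin
        if( is_admin() ) {
            add_action(
                'in_plugin_update_message-' . acf_get_setting('basename'),
                array($this, 'modify_plugin_update_message'),
                10,
                2
            );
        }
    }

    /**
     * Displays an update message for plugin list screens when no license key
     * is stored for this site.
     *
     * @param array  $plugin_data Passed by the hook; not used here.
     * @param object $response    Passed by the hook; not used here.
     * @return void
     */
    public function modify_plugin_update_message( $plugin_data, $response ) {

        // bail early if has key
        if( acf_pro_get_license_key() ) return;

        // display message
        echo '<br />' . sprintf(
            __('To enable updates, please enter your license key on the <a href="%s">Updates</a> page. If you don\'t have a licence key, please see <a href="%s">details & pricing</a>.', 'acf'),
            admin_url('edit.php?post_type=acf-field-group&page=acf-settings-updates'),
            'https://www.advancedcustomfields.com/pro'
        );
    }
}

// initialize
new acf_pro_updates();

endif; // class_exists check

/**
 * Returns the license data stored in the 'acf_pro_license' option.
 *
 * The option holds base64( serialize( array( 'key' => ..., 'url' => ... ) ) ),
 * as written by acf_pro_update_license() below. The base64_decode() call is a
 * pattern malware scanners commonly match on; here it only decodes the
 * plugin's own option value.
 *
 * NOTE(review): maybe_unserialize() will unserialize whatever the option
 * contains, including serialized objects, so the safety of this call rests on
 * the option being writable by trusted code only.
 *
 * @return array|false The decoded license array, or false when missing or corrupt.
 */
function acf_pro_get_license() {

    // get option
    $license = get_option('acf_pro_license');

    // bail early if no value
    if( !$license ) return false;

    // decode
    $license = maybe_unserialize(base64_decode($license));

    // bail early if corrupt
    if( !is_array($license) ) return false;

    // return
    return $license;
}

/**
 * Returns the license key, provided it was stored for the current home URL.
 *
 * @return string|false The key, or false when there is no license, the stored
 *                      array lacks a key or url, or the site URL has changed.
 */
function acf_pro_get_license_key() {

    // vars
    $license  = acf_pro_get_license();
    $home_url = home_url();

    // bail early if empty; the array comes from the database, so its shape is
    // checked instead of assumed (a missing 'key' or 'url' would otherwise
    // raise an undefined-index notice)
    if( !$license || empty($license['key']) || empty($license['url']) ) return false;

    // bail early if url has changed
    if( acf_strip_protocol($license['url']) !== acf_strip_protocol($home_url) ) return false;

    // return
    return $license['key'];
}

/**
 * Stores the license key in the 'acf_pro_license' option and re-registers the
 * plugin with the updater. An empty key stores an empty value.
 *
 * @param string $key The license key.
 * @return mixed The return value of update_option().
 */
function acf_pro_update_license( $key = '' ) {

    // vars
    $value = '';

    // key
    if( $key ) {

        // vars
        $data = array(
            'key' => $key,
            'url' => home_url()
        );

        // encode
        $value = base64_encode(maybe_serialize($data));
    }

    // re-register update (key has changed)
    acf_register_plugin_update(array(
        'id'       => 'pro',
        'key'      => $key,
        'slug'     => acf_get_setting('slug'),
        'basename' => acf_get_setting('basename'),
        'version'  => acf_get_setting('version'),
    ));

    // update
    return update_option('acf_pro_license', $value);
}

?>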