Support » Plugin: Autoptimize » Malware warning on web host

  • Resolved glenbelt

    (@glenbelt)


    Hi there,

    Firstly great plugin – thanks a lot for developing it!

    I received this warning earlier from my web host and am not sure if it’s just a false alarm but thought I’d share it here in case it wasn’t:

    Malware file log:
    Mar 9 15:36:02 kobe cxs[932537]: [‘/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_bdbaf3235595871e04da74772eb58264.css’] – ClamAV detected virus = [Html.Exploit.CVE_2016_0108]
    Mar 9 15:36:11 kobe cxs[932538]: [‘/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_c9baee87b450feed01121a4ef8dec40a.css’] – ClamAV detected virus = [Html.Exploit.CVE_2016_0108]

    Thanks for any help / advice.

    https://wordpress.org/plugins/autoptimize/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author Frank Goossens

    (@futtta)

    well, this is a difficult one. nevertheless here are some elements that can help you judge the situation;

    * autoptimized files are merely all your CSS (or JS) aggregated & minified. if one of those original files contain a vulnerability (or are reported by an anti-virus tool as such), then the autoptimized file will probably be flagged as well
    * CVE_2016_0108 is unpublished, so it’s hard (not to say impossible) if this could be a problem or a false positive
    * given the nature of CSS (as opposed to JS) I believe/ think that it is rather unlikely to be a host for a virus

    so impossible to say if this is a false positive or not, but if I had to bet I would say “false positive”.

    frank

    Coincidentally, I also received a malware warning from my host. As I was told to act within 24 hours, it looks like I’ll need to uninstall the Autoptimze plugin.

    The malware scan results from my host are below.

    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_ccce0e93605b5238ff83d28cbafd36d0.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_4c2fb2435ac5684b0928a05a1857a896.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_2f7a8dd016022c3800245cfa652d8108.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_1d52aade7649b298a9c99f1d2c62c257.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_f3e3ca761df45df4a4921b18f25c888e.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c34352ccaa92f37f791bf409cdfc949a.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_616f1dcedd0f2b58921b24cb194c36a9.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_a64a6c6999d3961d80af62e043a019c7.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c555828e34ebc206935466b9f8908a16.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_673e4a926e24615f37987808d6882f05.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_71de4dcb591cbfa168f2db32bd348bfd.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_fe9186069116749c7e3689e7929e6ba7.css

    Plugin Author Frank Goossens

    (@futtta)

    well, as I wrote in my previous comment, this is very likely a false-positive that will persist after disabling AO as the problem will be in one of the original CSS-files. but instead of disabling AO you could simply disable CSS-optimization off course 🙂

    frank

    Plugin Author Frank Goossens

    (@futtta)

    if someone can provide me with their “infected” files (send a zip-file to futtta-at-gmail-dot-com) I’ll be happy to investigate and file a “false positive” report at clamav’s.

    frank

    I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now..

    I’ve contacted my web host for support too, thanks for your replies.

    Plugin Author Frank Goossens

    (@futtta)

    I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now..

    try re-enabling autoptimize, chances are those files will simply be re-generated?

    Plugin Author Frank Goossens

    (@futtta)

    OK, searched the web some more and found CVE 2016-1080 is a MS IE 11 specific vulnerability that:

    allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability”

    The relevant MS security bulletin can be found here.

    As also stated here, this is more then likely a false positive, but we need to confirm that by looking at the actual files as per my previous comment.

    frank

    Frank,

    Thank you for your quick responses. I’ve tried emailing you the infected files but my email was rejected by gmail because of a virus in the attached files.

    Maria

    Plugin Author Frank Goossens

    (@futtta)

    OK, alternative approach; can you mail me your site’s URL?

    I’m also happy to send on my site URL if that helps.

    Plugin Author Frank Goossens

    (@futtta)

    glenbelt: yes please, ideally the full URL to “infected” CSS-files.

    been following this up using web search:
    * a joomla user has a similar problem with a custom CSS-file being flagged
    * a wordpress user has the same warning for popup pro’s CSS

    is any-one here using popup-pro as well?

    frank

    Plugin Author Frank Goossens

    (@futtta)

    followup: a WP Fastest Cache user is reporting the same issue.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    OK, someone (who was not using AO for CSS optimization) provided me with a link to a flagged CSS-file. I went through that and found this in it:

    img{background:transparent;-ms-filter:"progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)";filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);zoom:1}

    This might be the reason; the color code should be a hex triplet (https://en.wikipedia.org/wiki/Web_colors#Hex_triplet) but is a hex quadruplet (which can’t work). It is not impossible that this anomoly (and probably just a silly mistake) is triggering clam av.

    The CSS seems to be part of the Oshin-theme.

    So question for those impacted;
    * anyone on the Oshin theme?
    * anyone with similar code in the CSS (DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF))

    frank

    Plugin Author Frank Goossens

    (@futtta)

    For those of you who did not succeed in mail me the files; you can also copy/ paste the contents to http://pastebin.com and provide me with the URL of the pastebin.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    This might be the reason; the color code should be a hex triplet but is a hex quadruplet (which can’t work).

    I’ve found multiple sites with this CSS-trick, including a MS-one, so those hex quadruplets seem not to be a mistake …

Viewing 15 replies - 1 through 15 (of 18 total)
  • You must be logged in to reply to this topic.