Support » Plugin: Autoptimize » Malware warning on web host

[Resolved] glenbelt

    (@glenbelt)


    Hi there,

    Firstly great plugin – thanks a lot for developing it!

    I received this warning earlier from my web host and am not sure if it’s just a false alarm but thought I’d share it here in case it wasn’t:

    Malware file log:
Mar 9 15:36:02 kobe cxs[932537]: ['/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_bdbaf3235595871e04da74772eb58264.css'] - ClamAV detected virus = [Html.Exploit.CVE_2016_0108]
Mar 9 15:36:11 kobe cxs[932538]: ['/home3/d559755/public_html/websitename.me/wp-content/cache/autoptimize/css/autoptimize_c9baee87b450feed01121a4ef8dec40a.css'] - ClamAV detected virus = [Html.Exploit.CVE_2016_0108]

    Thanks for any help / advice.

    https://wordpress.org/plugins/autoptimize/

Viewing 15 replies - 1 through 15 (of 18 total)
Plugin Author Frank Goossens

    (@futtta)

well, this is a difficult one. nevertheless here are some elements that can help you judge the situation:

* autoptimized files are merely all your CSS (or JS) aggregated & minified. if one of those original files contains a vulnerability (or is reported by an anti-virus tool as such), then the autoptimized file will probably be flagged as well
* CVE_2016_0108 is unpublished, so it’s hard (not to say impossible) to tell if this could be a problem or a false positive
    * given the nature of CSS (as opposed to JS) I believe/ think that it is rather unlikely to be a host for a virus

    so impossible to say if this is a false positive or not, but if I had to bet I would say “false positive”.

    frank

    mrcordicoaching

    (@mrcordicoaching)

Coincidentally, I also received a malware warning from my host. As I was told to act within 24 hours, it looks like I’ll need to uninstall the Autoptimize plugin.

    The malware scan results from my host are below.

    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_ccce0e93605b5238ff83d28cbafd36d0.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_4c2fb2435ac5684b0928a05a1857a896.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_2f7a8dd016022c3800245cfa652d8108.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_1d52aade7649b298a9c99f1d2c62c257.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_f3e3ca761df45df4a4921b18f25c888e.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c34352ccaa92f37f791bf409cdfc949a.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_616f1dcedd0f2b58921b24cb194c36a9.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_a64a6c6999d3961d80af62e043a019c7.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_c555828e34ebc206935466b9f8908a16.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_673e4a926e24615f37987808d6882f05.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_71de4dcb591cbfa168f2db32bd348bfd.css
    {CAV}Html.Exploit.CVE_2016_0108 : /home/username/public_html/websitename.com/wp-content/cache/autoptimize/css/autoptimize_fe9186069116749c7e3689e7929e6ba7.css

    Plugin Author Frank Goossens

    (@futtta)

well, as I wrote in my previous comment, this is very likely a false positive that will persist after disabling AO, as the problem will be in one of the original CSS files. but instead of disabling AO you could simply disable CSS optimization, of course 🙂

    frank

    Plugin Author Frank Goossens

    (@futtta)

    if someone can provide me with their “infected” files (send a zip-file to futtta-at-gmail-dot-com) I’ll be happy to investigate and file a “false positive” report at clamav’s.

    frank

    glenbelt

    (@glenbelt)

I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now.

    I’ve contacted my web host for support too, thanks for your replies.

    Plugin Author Frank Goossens

    (@futtta)

    I was going to provide these files because I received 2 more emails warning of other apparently infected files, but when looking for them via FTP I don’t see the files there – I imagine my web host may have removed / quarantined them as a precaution but am unsure where to find them now..

    try re-enabling autoptimize, chances are those files will simply be re-generated?

    Plugin Author Frank Goossens

    (@futtta)

    OK, searched the web some more and found CVE 2016-1080 is a MS IE 11 specific vulnerability that:

    allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability”

    The relevant MS security bulletin can be found here.

As also stated here, this is more than likely a false positive, but we need to confirm that by looking at the actual files as per my previous comment.

    frank

    mrcordicoaching

    (@mrcordicoaching)

    Frank,

    Thank you for your quick responses. I’ve tried emailing you the infected files but my email was rejected by gmail because of a virus in the attached files.

    Maria

    Plugin Author Frank Goossens

    (@futtta)

    OK, alternative approach; can you mail me your site’s URL?

    glenbelt

    (@glenbelt)

    I’m also happy to send on my site URL if that helps.

    Plugin Author Frank Goossens

    (@futtta)

    glenbelt: yes please, ideally the full URL to “infected” CSS-files.

    been following this up using web search:
    * a joomla user has a similar problem with a custom CSS-file being flagged
    * a wordpress user has the same warning for popup pro’s CSS

is anyone here using popup-pro as well?

    frank

    Plugin Author Frank Goossens

    (@futtta)

    followup: a WP Fastest Cache user is reporting the same issue.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    OK, someone (who was not using AO for CSS optimization) provided me with a link to a flagged CSS-file. I went through that and found this in it:

    img{background:transparent;-ms-filter:"progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)";filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);zoom:1}

This might be the reason; the color code should be a hex triplet (https://en.wikipedia.org/wiki/Web_colors#Hex_triplet) but is a hex quadruplet (which can’t work). It is not impossible that this anomaly (and probably just a silly mistake) is triggering ClamAV.

    The CSS seems to be part of the Oshin-theme.

So, a question for those impacted:
    * anyone on the Oshin theme?
    * anyone with similar code in the CSS (DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF))

    frank

    Plugin Author Frank Goossens

    (@futtta)

For those of you who did not succeed in mailing me the files: you can also copy/paste the contents to http://pastebin.com and provide me with the URL of the pastebin.

    frank

    Plugin Author Frank Goossens

    (@futtta)

    This might be the reason; the color code should be a hex triplet but is a hex quadruplet (which can’t work).

    I’ve found multiple sites with this CSS-trick, including a MS-one, so those hex quadruplets seem not to be a mistake …
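A small triage script, added here as an example and not Autoptimize's own code nor anything Frank or the other posters provided: it parses the two scanner report formats quoted in this thread, separates hits on Autoptimize cache output from hits on original files, finds the IE legacy gradient filter Frank identified (treating the 8-digit #AARRGGBB values as the filter's documented alpha+RGB syntax, as the last reply concludes), and maps a fragment found in an aggregated cache file back to the source stylesheet(s) that contain it. The log lines, paths, the second stylesheet and the plain concatenation standing in for Autoptimize's aggregation are all constructed.

```python
"""Triage helper for the ClamAV hits discussed in this thread.  Added
example, not Autoptimize code; the log lines and CSS below are constructed,
modelled on what was quoted in the thread."""
import re

# Two report formats appear in the thread: the cxs syslog line and the bare
# "{CAV}signature : path" line.  Curly quotes are tolerated because forum
# rendering often replaces the ASCII ones.
CXS_RE = re.compile(
    r"\[['\u2018](?P<path>[^'\u2019\]]+)['\u2019]\].*?ClamAV detected virus = \[(?P<sig>[^\]]+)\]"
)
CAV_RE = re.compile(r"\{CAV\}(?P<sig>\S+)\s*:\s*(?P<path>\S+)")

# Matches progid:DXImageTransform.Microsoft.gradient(...) and captures the
# argument list; the -ms-filter variant wraps the same text in quotes, so
# both forms match.
GRADIENT_RE = re.compile(
    r"progid:DXImageTransform\.Microsoft\.gradient\(([^)]*)\)", re.IGNORECASE
)
COLOR_RE = re.compile(
    r"(startColorstr|endColorstr)\s*=\s*'?#?([0-9A-Fa-f]{6,8})'?", re.IGNORECASE
)


def parse_scanner_lines(lines):
    """Return [(signature, path)] for every line in either report format."""
    hits = []
    for line in lines:
        m = CXS_RE.search(line) or CAV_RE.search(line)
        if m:
            hits.append((m.group("sig"), m.group("path")))
    return hits


def is_autoptimize_cache(path):
    """True when the flagged path is an Autoptimize cache artefact (the cache
    directory quoted in the thread) rather than an original stylesheet."""
    return "/wp-content/cache/autoptimize/" in path


def gradient_filters(css):
    """Describe each IE gradient filter in `css`: raw text, start/end colour
    values, and whether they use 8-digit #AARRGGBB values.  The 8-digit form
    is the filter's documented alpha+RGB syntax, so it is reported as 'argb'
    rather than treated as a malformed hex triplet."""
    found = []
    for m in GRADIENT_RE.finditer(css):
        colours = {k.lower(): v for k, v in COLOR_RE.findall(m.group(1))}
        found.append({
            "raw": m.group(0),
            "start": colours.get("startcolorstr"),
            "end": colours.get("endcolorstr"),
            "argb": bool(colours) and all(len(v) == 8 for v in colours.values()),
        })
    return found


def map_to_sources(aggregated_css, sources):
    """For each gradient filter in an aggregated file, list the source
    stylesheets (name -> css text) containing the identical fragment.  A
    non-empty list means the trigger lives in an original file and will
    survive clearing the cache or disabling Autoptimize."""
    return {
        f["raw"]: sorted(n for n, css in sources.items() if f["raw"] in css)
        for f in gradient_filters(aggregated_css)
    }


# Constructed inputs modelled on the thread (hypothetical paths; the
# signature name and the theme CSS fragment are the ones quoted above).
SAMPLE_LOG = [
    "Mar 9 15:36:02 kobe cxs[932537]: ['/home3/user/public_html/site/wp-content/cache/autoptimize/css/autoptimize_bdbaf3235595871e04da74772eb58264.css'] - ClamAV detected virus = [Html.Exploit.CVE_2016_0108]",
    "{CAV}Html.Exploit.CVE_2016_0108 : /home/user/public_html/site/wp-content/themes/oshin/style.css",
]
THEME_CSS = (
    'img{background:transparent;-ms-filter:"progid:DXImageTransform.Microsoft.gradient('
    'startColorstr=#00FFFFFF,endColorstr=#00FFFFFF)";filter:progid:DXImageTransform.'
    'Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);zoom:1}'
)
PLUGIN_CSS = "a{color:#fff}.btn{filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#ff0000,endColorstr=#0000ff)}"
SOURCES = {"themes/oshin/style.css": THEME_CSS, "plugins/popup/style.css": PLUGIN_CSS}
# Plain concatenation stands in for Autoptimize's aggregate-and-minify step;
# concatenation alone reproduces the inheritance behaviour discussed.
AGGREGATED_CSS = PLUGIN_CSS + THEME_CSS

if __name__ == "__main__":
    for sig, path in parse_scanner_lines(SAMPLE_LOG):
        kind = "cache output" if is_autoptimize_cache(path) else "original file"
        print(f"{sig}: {path} ({kind})")
    for raw, names in map_to_sources(AGGREGATED_CSS, SOURCES).items():
        print(f"{raw[:60]}... found in: {names}")
```

To use it on a real site, load the flagged cache file and the theme/plugin stylesheets from disk into `SOURCES` and `AGGREGATED_CSS`; if every hit maps to an original file, the scanner will keep flagging that file whether or not Autoptimize is active, which is the point Frank makes about disabling the plugin.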
