Support » Plugin: Exploit Scanner » [Plugin: Exploit Scanner] 0.97.6 plugin says "hashes-3.1.php missing"

  • Resolved fwchapman

    (@fwchapman)


    Hello,

    I’m trying the 0.97.6 plugin for the first time on a couple of different WordPress 3.1 sites. One site is very minimal, with the default Twenty Ten 1.2 theme and only one other plugin, namely WordPress HTTPS.

    After running a scan, I get hundreds of messages! The first message is this:

    hashes-3.1.php missing
    The file containing hashes of all WordPress core files appears to be missing; modified core files will no longer be detected and a lot more suspicious strings will be detected

    I suspect this is the source of most or all of the other messages.

    Can anything be done to fix this?

    Thank you,

    Fred Chapman
    Bethlehem, PA

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author Jon Cave

    (@duck_)

    WordPress Dev

    A new release for WordPress 3.1 will be coming shortly. Just waiting to see if I could track down and fix a bug others have been experiencing.

    Jon,

    Thanks for your speedy reply! I look forward to the new version of your plugin. Thanks for all your hard work!

    Fred

    Jon,

    I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

    Instead of hundreds of messages, I now get only dozens. There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal? I have a lot of security plugins installed and the site seems to be running normally. Should I just use this as a baseline indicator to identify possible future attacks?

    Thanks again,

    Fred

    Plugin Author Jon Cave

    (@duck_)

    WordPress Dev

    I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

    No problem, and thanks 🙂 I try to get hash updates out within hours of a WordPress release but just delayed a bit this time for other reasons.

    There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal?

    It depends on your choice of plugins — I assume some of the other plugins you are running are being flagged. I don’t have anything like that picked up on my installs except for testing the scanner.

    All matches have to be interpreted in context. Those functions can be used for non-malicious purposes (otherwise they wouldn’t be provided by PHP!), but they are very common in malicious code which is why the plugin searches for them. If you have the understanding to look through at the plugin code (something I would do for any plugin I install) to see how these functions are used then it’s safe to ignore that output and use it as a baseline. If you’re seeing matches in modified core files or in previously unheard of locations (maybe hidden away in an innocuous file name in wp-includes) then you should be more worried.

    Jon,

    Thanks for your in-depth reply. Most of the severe messages are from plugins which I recently installed. Only two severe messages are from WordPress core files:

    wp-includes/class-ixr.php:249
    $value = base64_decode( trim( $this->_currentTagContents ) );

    php.ini:982
    ; error_reporting(0) around the eval().

    Is the first one cause for concern? The second one is just a comment, so I don’t know why it’s been flagged.

    Thanks,

    Fred

    Plugin Author Jon Cave

    (@duck_)

    WordPress Dev

    Is the first one cause for concern?

    Possibly yes. The scanner only looks in core files if they have been modified. However, I notice that you’re seeing class-ixr.php whereas that file is called class-IXR.php in 3.1 and the line that got highlighted was changed between 3.0 and 3.1 to remove the trim. So looks like something weird has happened there, although that line is fine.

    The second one is just a comment, so I don’t know why it’s been flagged.

    The scanner doesn’t make any distinction between file type, comments, etc. And php.ini isn’t a core WordPress file.

    Jon,

    Thanks for explaining this. I didn’t notice that I had an old version of class-ixr.php. I deleted it and reduced my severe messages by one. 🙂

    What do you think of the idea of allowing users to define their own baseline. In other words, would it be feasible and worthwhile to let users tell the scanner to ignore a particular error in future scans? That way, if something truly malicious does occur, it won’t be buried under a pile of messages which are not cause for concern. I think a feature like that would make the scanner much more valuable.

    Fred

    I just got the missing-hashes-file message running Exploit Scanner 1.0.1 with WordPress 3.1.2.

    Is this also just a case of the plugin needing an update?

    Jill Williams

    Hi, I just got the same message, too, about 3.1.2

    Thanks!

    Plugin Author Jon Cave

    (@duck_)

    WordPress Dev

    Done, sorry for the delay. Update notifications should be visible in dashboards soon.

    No problem; thank you!

    sokratesagogo

    (@sokratesagogo)

    Just downloaded the development version and can’t see the 3.2x hashes..

    Travelgrove

    (@travelgrove)

    @sokratesagogo: me neither.. any info when will that be available?

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘[Plugin: Exploit Scanner] 0.97.6 plugin says "hashes-3.1.php missing"’ is closed to new replies.