WordPress.org

Forums

[resolved] [Plugin: WordPress Exploit Scanner] MD5 Checksum Test--No hash file for WordPress 2.9.1? (3 posts)

  1. KirkM
    Member
    Posted 5 years ago #

    When running the Exploit Scanner (versions 0.6 thru 0.93) the top "Blocker" always states the following:

    The file containing the checksums of all the core WordPress files appears to be missing. Either you have upgraded WordPress and this plugin hasn't been updated with the new hashes or the file has been deleted/renamed. You will find that a lot more files have been returned in the Suspicious Strings section.

    Under "File/Dataset":

    [ABSPATH]/wp-content/plugins/exploit-scanner/hashes-2.9.1.php

    Considering that the scan is returning blockers and severities on the vast majority of WP core files on a newly installed, clean and secure test site I'd really like to know how to fix this. Unfortunately, I'm at a complete loss as how to do this and searching for a possible fix has yielded no results.

    I checked the hash files in the "Exploit Scanner" directory via FTP and there's hash files for WordPress 2.7.1 thru 2.9 but not for 2.9.1. Is there a way to create a hash file for 2.9.1?

  2. cogdog
    Member
    Posted 5 years ago #

    I'm seeing the same; most of these are legit WP code, so you have to know what is potentially malicious, like an eval() statement on a string full of hexcode, PHP statements inserted before the opening <?php on line 1, or a faux file like xxx.pngg or xxxx.jpgg

    When in doubt, compare the file that is on your server to the one in the downloaded distribution.

    But yes, it would be helpful to have an updated checksum file for 2.9.1

  3. Donncha O Caoimh
    Member
    Posted 5 years ago #

    Try the development version on the download page. I added a hash file for 2.9.1 yesterday. Does it work for you?

Topic Closed

This topic has been closed to new replies.

About this Topic