Wordfence Security
[resolved] * This file appears to be malicious (17 posts)

  1. zztype
    Member
    Posted 1 year ago #

    I got this exact email from several of my WordPress sites this morning. This is all the email said. It does not detail WHICH file it is talking about. Any thoughts?
    Thanks,
    Blaine

    Wordfence found the following new issues on "yourwebsite.com".

    Alert generated at Thursday 24th of April 2014 at 06:00:20 AM
    Critical Problems:

    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious
    * This file appears to be malicious

    https://wordpress.org/plugins/wordfence/

  2. chuckingit
    Member
    Posted 1 year ago #

    ditto here - when i look at the activity logs, they aren't much help either in that they say a file appears to be malicious but don't say which file name (nor folder path), thus it is impossible to track down and double check (see below - partial clip from activity log - e.g., http://mysite.org/?_wfsf=viewActivityLog&nonce=0888e8f951) ...

    [Apr 24 13:43:24:1398361404.960558:2:info] Getting plugin list from WordPress
    [Apr 24 13:43:24:1398361404.526466:1:info] Contacting Wordfence to initiate scan
    [Apr 24 13:43:20:1398361400.802450:1:info] Scheduled Wordfence scan starting at Thursday 24th of April 2014 01:43:20 PM
    [Apr 24 12:05:16:1398355516.493076:2:info] Wordfence used 15.27MB of memory for scan. Server peak memory usage was: 37.65MB
    [Apr 24 12:05:16:1398355516.402732:1:info] Scan Complete. Scanned 7105 files, 59 plugins, 24 themes, 13 pages, 2 comments and 22925 records in 56 seconds.
    [Apr 24 12:05:16:1398355516.402481:1:info] -------------------
    [Apr 24 12:05:16:1398355516.355055:2:info] The disk has 92501.64 MB space available
    [Apr 24 12:05:16:1398355516.354822:2:info] Total disk space: 144.5375GB -- Free disk space: 90.3336GB
    [Apr 24 12:05:16:1398355516.351035:2:info] Scanning DNS MX record for mysite.org
    [Apr 24 12:05:16:1398355516.345223:2:info] Scanning DNS A record for mysite.org
    [Apr 24 12:05:16:1398355516.335991:2:info] Starting DNS scan for mysite.org
    [Apr 24 12:05:16:1398355516.311882:2:info] Starting password strength check on 2 users.
    [Apr 24 12:05:16:1398355516.306506:2:info] Done host key check.
    [Apr 24 12:05:15:1398355515.883150:2:info] Checking 10 host keys against Wordfence scanning servers.
    [Apr 24 12:05:15:1398355515.861408:2:info] Done examining URls
    [Apr 24 12:05:15:1398355515.860833:2:info] Done host key check.
    [Apr 24 12:05:15:1398355515.346486:2:info] Checking 96 host keys against Wordfence scanning servers.
    [Apr 24 12:05:15:1398355515.343899:2:info] Examining URLs found in posts we scanned for dangerous websites
    [Apr 24 12:05:14:1398355514.890871:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.890228:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.889550:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.888893:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.888232:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.887572:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.886922:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.886264:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.885612:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.884888:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.884238:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.883511:2:info] Adding issue: This file appears to be malicious
    [Apr 24 12:05:14:1398355514.883114:2:info] Done file contents scan
    [Apr 24 12:05:13:1398355513.586091:2:info] Done URL check.
    [Apr 24 12:05:12:1398355512.868854:2:info] Checking 17 URLs from 15 sources.
    [Apr 24 12:05:12:1398355512.865998:2:info] Done host key check.

  3. dlmweb
    Member
    Posted 1 year ago #

    If you log in to the site and run a new scan it will show the file. In my case it is flagging a file in the all-in-one-event-calendar plugin. Notified the plugin author, time.ly, and am waiting to hear back.

    This file appears to be malicious

    Filename: wp-content/plugins/all-in-one-event-calendar/lib/iCalcnv-3.0/iCalcnv.class.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 27 secs ago.
    Severity: Critical
    Status New

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "str_replace( "$calnl ", '', rtrim( $comp->$fcn(".

  4. imeldesign
    Member
    Posted 1 year ago #

    I've gotten the same warning on two sites so far. I did a scan and it is pointing to this file:
    lib/iCalcnv-3.0/iCalcnv.class.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 1 hour 21 mins ago.
    Severity: Critical
    Status Ignoring this file until it changes
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "str_replace( "$calnl ", '', rtrim( $comp->$fcn(".

  5. mikerastiello
    Member
    Posted 1 year ago #

    Got the same notice from Wordfence.

    Please let us know when Timely responds to you!

  6. mikerastiello
    Member
    Posted 1 year ago #

    This is a post on their forum where people are asking for more info, too.

    http://community.time.ly/forum/troubleshooting/general_aa/14025-wordfence-is-flagging-a-time-ly-file-as-malicious

  7. zztype
    Member
    Posted 1 year ago #

    Thanks for the responses, especially @dlmweb.

    I did log in to the sites and it appears that Wordfence doesn't like my InfiniteWP client plug-in! Example:

    wp-content/plugins/iwp-client/lib/amazon_s3/utilities/simplexml.class.php

    Wordfence flagged several files in the lib/amazon_s3 folder of the iwp-client plug-in.

    I deleted the offending files, and now the site is hosed. Coming up with a blank white screen. I went in and manually deleted the rest of the InfiniteWP plug-in directory and that brings the site back.

    Still working it out, but thanks for the tip.

    Blaine

  8. zztype
    Member
    Posted 1 year ago #

    Well, I visited two other sites which were reporting exactly the same problem, with the same files in the InfiniteWP client plug-in.

    If you're not familiar, https://infinitewp.com/ Great for managing multiple WordPress sites from a single control panel.

    I simply rescanned those two websites in Wordfence, and after a couple of minutes, the scan completed and Wordfence reported absolutely nothing wrong!

    This was an exercise in futility. Wordfence was giving false-positives. Had me all shook up!

    Thanks for your responses. If you are experiencing similar messages from Wordfence, I suggest you re-run Wordfence scan before deleting or hacking files.

    Aloha,

    Blaine

  9. mikerastiello
    Member
    Posted 1 year ago #

    I do not have that plugin and still received the warning. I also did a second scan and the same file was still flagged.

    Glad to see that you are set, but I'd still like to hear something official from Time.ly.

  10. mikerastiello
    Member
    Posted 1 year ago #

    Time.ly responded to me via Twitter.

    "_Timely: that converts an ical feed into csv. It is NOT a malicious file. You can learn more about it here: http://kigkonsult.se/iCalcnv/"

    https://twitter.com/_timely/status/459445594726334464

  11. dlmweb
    Member
    Posted 1 year ago #

    My response to Timely:

    Thanks for the update. Let me run down a confirmation checklist...

    IF
    - it's not a new file
    - the date/time stamp on the file is not today's date, meaning the file hasn't been changed by a hacker
    - you have verified every line of code in the file is original, unchanged, and is there for a purpose, including this one:
    "str_replace( "$calnl ", '', rtrim( $comp->$fcn("

    THEN
    - WordFence must have re-calibrated the string of code that they're scanning for

    The string of code in question must have malicious purposes in other files, but in this plugin is not malicious. Hence the false positive.

    Please affirm the IF statements.
    Thank you.

  12. chuckingit
    Member
    Posted 1 year ago #

    @dlmweb - thanks for your suggestion to rescan ... i did (after i cleared logs and made a couple tweaks to scan options) ... and after two scans, the second one yielded results in that it pointed to the offending files (see below) ...

    interesting in that the bulk of complaints had to do with readme files ... thus not sure if this is a WP update thing (e.g., readmes not getting updated properly when plugin gets updated) or ..??..

    e.g., the wordpress-importer/readme.txt flagged the "Tested up to: 3.8" and "Stable tag: 0.6.1" whereas the readme file on my server had "Tested up to: 3.6" and "Stable tag: 0.6" ...

    similar WordFence nitpicks with the other plugin readme files ...

    but two of the three php files flagged by WordFence are a bit worrisome ... the loginlockdown.php file was modified by me and noted so for fine tuned error messages so that is okay ... but the changes to pods/includes/general.php and leaflet-maps-marker/inc/showmap.php files are a bit concerning ...

    @zztype ... ditto here on your "Had me all shook up!" ... yeesh me too and fact i was bombarded today on other frustration web fronts (besides this WordFence one) had me longing for calm shores of Kona HI free of code and hacks but i digress ...

    @everybody ... while there are many headlines reminding us what is broken in our world, Kudos and BIG Thanks to WP Community for these forums so we can share, improve, upgrade, et al :>) cordially, chuck scott

    =======================================
    from scan showing files with warnings
    =======================================

    Warnings:
    
    * Modified plugin file: wp-content/plugins/bbpress/readme.txt
    * Modified plugin file: wp-content/plugins/exec-php/docs/readme.html
    * Modified plugin file: wp-content/plugins/exec-php/readme.txt
    * Modified plugin file: wp-content/plugins/imsanity/readme.txt
    * Modified plugin file: wp-content/plugins/leaflet-maps-marker/inc/showmap.php
    * Modified plugin file: wp-content/plugins/login-lockdown/loginlockdown.php
    * Modified plugin file: wp-content/plugins/meteor-slides/readme.txt
    * Modified plugin file: wp-content/plugins/multisite-user-management/readme.txt
    * Modified plugin file: wp-content/plugins/piklist/readme.txt
    * Modified plugin file: wp-content/plugins/pods/includes/general.php
    * Modified plugin file: wp-content/plugins/qr-code-hoerandl/readme.txt
    * Modified plugin file: wp-content/plugins/simply-exclude/readme.txt
    * Modified plugin file: wp-content/plugins/wordpress-importer/readme.txt

  13. Scott Kingsley Clark
    Member
    Posted 1 year ago #

    Can you gist the pods/includes/general.php file? What version of Pods is it from?

  14. chuckingit
    Member
    Posted 1 year ago #

    @Scott - i was about to create a gist when i got an idea to use Notepad++ to compare the actual files myself ... so i downloaded pods and leaflet-maps-marker plugins from wordpress.org and then downloaded the plugin files on my server and compared them locally ...

    conclusion = never mind as Notepad said the files were identical ... meaning the pods/includes/general.php file (v2.4) on my server and the one from wordpress.org were identical ... ditto for the leaflet-maps-marker file ...

    as fyi, i had re-run Wordfence scan this AM and it still complained about plugin files but this time around it did not show me the files nor the changes it saw like last night ... too bad i did not think to take a screen shot last night of the changes Wordfence was showing ...

    @dlmweb - you might want to do similar to what i did in pulling down the file from your site and comparing it locally to what is in the zip from wordpress.org ... if you don't have Notepad++ (and are on windows) you can download here -> http://notepad-plus-plus.org/ ... then go to Notepad -> Plugins -> Plugin Manager -> Show Plugin Manager and that will show a bunch of available plugins ... check box for the Compare plugin to install, restart Notepad, then load the two files and see if there are any differences ...
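A scripted version of the check chuck describes in the post above, as an added example that is not code from the thread or from Wordfence: hash every file in the wordpress.org zip against the copy pulled down from the server and list what differs, so a "Modified plugin file" warning can be confirmed or dismissed without eyeballing diffs. It assumes the zip's top-level folder is the plugin slug (wordpress.org zips are laid out that way); the plugin contents in demo() are constructed, not real Pods files.

```python
import hashlib, io, os, tempfile, zipfile

def hash_reference_zip(zip_bytes: bytes) -> dict:
    # plugin-relative path -> sha256; wordpress.org zips wrap files in "<slug>/"
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                rel = info.filename.split("/", 1)[-1]
                hashes[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes

def hash_installed_plugin(plugin_dir: str) -> dict:
    # same map for the copy pulled down from wp-content/plugins/<slug>
    hashes = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def diff_plugin(reference: dict, installed: dict) -> dict:
    # modified: hash differs; added: only on the server (the files worth reading
    # first); missing: shipped upstream but absent locally
    return {
        "modified": sorted(p for p in reference if p in installed and reference[p] != installed[p]),
        "added": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }

def demo() -> dict:
    # constructed sample, not real plugin contents: one edited readme (the
    # "Stable tag" case from the thread), one extra file, one deleted doc
    upstream = {"pods/includes/general.php": b"<?php\n// general helpers\n",
                "pods/readme.txt": b"Stable tag: 0.6\n",
                "pods/docs/readme.html": b"<html></html>\n"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in upstream.items():
            zf.writestr(path, data)
    server = {"includes/general.php": upstream["pods/includes/general.php"],
              "readme.txt": b"Stable tag: 0.6.1\n",
              "lib/extra.php": b"<?php\n// not shipped upstream\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in server.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(data)
        return diff_plugin(hash_reference_zip(buf.getvalue()), hash_installed_plugin(tmp))
```

Call demo() to see the three lists; for a real check, feed hash_reference_zip() the downloaded zip's bytes and hash_installed_plugin() the plugin folder copied off the server.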

  15. Wordfence
    Member
    Plugin Author

    Posted 1 year ago #

    Hi all,

    We are seeing malware in the wild that is using a pattern with a str_replace followed by a function call where the function is a variable name. We added detection for this but it turns out that a few plugin authors do a str_replace and then a lambda call (anon function assigned to variable) on the same line. Who knew!

    So we've modified the detection to fix this. You won't see any more false positives like this. The modification was made on our servers as a hotfix so you don't need to upgrade to get the fix. You already have it.

    Apologies for the inconvenience caused.

    Regards,

    Mark.

  16. zztype
    Member
    Posted 1 year ago #

    Mark,

    Thanks so much for your note, and your great plug-in!

    Blaine

  17. chuckingit
    Member
    Posted 1 year ago #

    @Mark - ditto on what zztype said -> greatly appreciate the Wordfence love and responsiveness - kudos to you and your Wordfence team!
