Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Don’t double post, I’ve deleted your other topic.

    If you mean this file then your provider is mistaken.

    https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js

    BUT your site may just be compromised and that would explain how that file was changed.

    If so then please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I have downloaded the file from https://wordpress.org/plugins/quick-pagepost-redirect-plugin/

    The file qppr_frontend_script.min.js is in js directory. It is not changed, it is in the zip file:
    https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    If your copy of the file matches this link then it’s a false positive.

    https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js

    The problem is not: qppr_frontend_script.js
    The problem is: qppr_frontend_script.min.js

    I have those two different files in JS directory in zip file downloaded from:
    https://wordpress.org/plugins/quick-pagepost-redirect-plugin/
    ZIP: https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip

    FILE: qppr_frontend_script.js IS OK
    FILE: qppr_frontend_script.min.js PROVIDER TELLS ME: Win.Trojan.Agent-1395005

    alfiotondelli,
    That is a false positive. There are one or two scanners that think it contains a virus as the file minification process compacts many of the functions into a format that some viruses use.

    Here are the results of Google Virus Total scan:
    https://www.virustotal.com/en/file/4d81cd951bc1cc8095a0b6385baa47b9c5fb6fe1440661563a09dbd2f7e243db/analysis/1460835862/

    As you can see, almost all of them say it is safe and only one or two think it may be a trojan (which it is not). To verify, you can look at the file and run it through a de-minify process and follow the functions – they perform the same functions as the un-minified version – and that is not showing as a virus. So it is a false positive (As long as you got it directly from the WordPress repository and not some place else.)

    I will notify the new owner so they can change the minification process on the next update to a more scanner friendly version.

    Regards,
    Don
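
Added example, not part of the thread or the plugin's code: a Python sketch of the check the replies above describe, comparing each installed plugin file with the copy in the official release ZIP by SHA-256. It assumes the ZIP has a top-level folder named after the plugin slug; the file contents in `demo()` are constructed.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

SLUG = "quick-pagepost-redirect-plugin"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_with_release(zip_source, plugin_dir, slug=SLUG):
    """Return {relative_path: 'match' | 'modified' | 'missing' | 'extra'}."""
    plugin_dir = Path(plugin_dir)
    prefix = slug + "/"  # assumption: ZIP has a top-level folder named after the slug
    report = {}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            rel = info.filename[len(prefix):]
            local = plugin_dir / rel
            if not local.is_file():
                report[rel] = "missing"
            elif sha256_hex(local.read_bytes()) == sha256_hex(zf.read(info)):
                report[rel] = "match"
            else:
                report[rel] = "modified"
    # Files on disk that the release does not ship deserve a manual look.
    for path in plugin_dir.rglob("*"):
        rel = path.relative_to(plugin_dir).as_posix()
        if path.is_file() and rel not in report:
            report[rel] = "extra"
    return report

def demo():
    """Constructed sample: a stand-in release ZIP and an install with one altered file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{SLUG}/js/qppr_frontend_script.js", "/* constructed A */")
        zf.writestr(f"{SLUG}/js/qppr_frontend_script.min.js", "/* constructed B */")
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "js" / "qppr_frontend_script.js").write_text("/* constructed A */")
    (root / "js" / "qppr_frontend_script.min.js").write_text("/* constructed B, altered */")
    (root / "js" / "leftover.php").write_text("<?php // constructed file not in the release")
    return compare_with_release(io.BytesIO(buf.getvalue()), root)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of the downloaded ZIP and the plugin's directory under `wp-content/plugins`; a scanner hit on a file reported as `match` points to a false positive, while `modified` or `extra` entries need a closer look.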

    Don,

    It looks like this file has been like this for a while. Wordfence is flagging it. Is this the correct content:

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]

    !function(t){t(document).ready(function(){function e(t,e){return"undefined"!=typeof e[t]?"1":"undefined"!=typeof e[t.replace(a,"")]?"2":"undefined"!=typeof e[t.replace(n,"")]?"3":!1}var r=qpprFrontData.linkData,a=qpprFrontData.siteURL,n=qpprFrontData.siteURLq;t("a[href]").each(function(){var i=t(this),f="undefined"!=typeof t(this).attr("href")?t(this).attr("href"):"",l=e(f,r);if(l!==!1){var o="undefined"!=typeof t(this).attr("rel")?t(this).attr("rel"):"",p=("undefined"!=typeof t(this).attr("target")?t(this).attr("target"):"",!1),h=!1,c="",d=f;if("1"==l?(p=r[f][0],h=r[f][1],c=r[f][2]):"2"==l?(p=r[f.replace(a,"")][0],h=r[f.replace(a,"")][1],c=r[f.replace(a,"")][2],d=f.replace(a,"")):"3"==l&&(p=r[f.replace(n,"")][0],h=r[f.replace(n,"")][1],c=r[f.replace(n,"")][2],d=f.replace(n,"")),p&&""===this.target&&(this.target="_blank"),h&&(""!==o&&"nofollow"!==o?t(this).attr("rel",o+" nofollow"):t(this).attr("rel","nofollow")),""!=c){t(this).attr("href",c);var s=i.html();s=s.replace(d,c),i.html(s)}}})})}(jQuery);

    Very nice summary Don Fischer.
    Wish there was a like link here in WordPress.org.

    Yes, it is a Wordfence “thing”.
    You're good. Just a false positive.
    Hopefully the developer of the script will take notice that his stuff is ringing a lot of bells (and not the one that gives angels wings…).

    Thanks for exploring this, guys. Wordfence had me scared.

    I will notify the new owner so they can change the minification process on the next update to a more scanner friendly version.

    Is there an ETA on that next update?

    The false positive was detected 4 or 5 days ago, and now Wordfence is picking it up as a malware warning.

    It would put people more at ease if there was some urgency on the part of the plugin owner to get this resolved sooner than later, that updates are still being supported.

    Thanks.

    Plugin Author anadnet

    (@anadnet)

    Hi Guys,

    Not a Trojan of course. As Don stated this is just a false positive. I’ve updated the file using a different service (version 5.1.8 released), but you can safely use all previous versions of the file. New file scan doesn’t show false positive.

  • The topic ‘Trojan?’ is closed to new replies.