• Resolved Zsader

    (@zsader)


    Hi, I downloaded the zip for this plugin and then unzipped it. I wanted to check all of the files just in case. I like to be cautious. For some of the files, particularly in the admin folder, I’m coming across some virus detections; it’s called VEX7B24.webshell or some other variations.

    I’m just wondering what line of code can be taken out or rewritten to remove that detection?

    Should I worry about it, is it a false positive or a back door into my website?
    Here are some of the files:

    File name: wp-security-filesystem-menu.php
    SHA256: cb364c34db9f0b21eae361db1f2c085594a3040b83e8601c1dde7cfebd38040b
    Bkav VEX7B24.Webshell 20160312

    File name: wp-security-brute-force-menu.php
    SHA256: b62e7a7ed8bd27ab5aff53f9de71ebebf5bfeb282f7e5f8f7676650a127ce00a
    Bkav VEX72AF.Webshell 20160312

    File name: wp-security-database-menu.php
    SHA256: e6f63995d7d5b21d4b46d604e76196877926d45559066120fbb86990d2598740
    Bkav VEX4FA7.Webshell 20160129
    Detection ratio: 1 / 54

    File name: wp-security-filesystem-menu.php
    SHA256: cb364c34db9f0b21eae361db1f2c085594a3040b83e8601c1dde7cfebd38040b
    Detection ratio: 1 / 56
    Bkav VEX7B24.Webshell 20160312

    File name: wp-security-user-login-menu.php
    SHA256: 380cf49e32bcbcb8a8dcf41d7147619494b93ffd61900de6f9a4a07495fe14b8
    Detection ratio: 1 / 55
    Bkav VEX9DCD.Webshell 20160224

    I’m sort of finding this regularly. Even though someone could say it’s a false positive. Only a coder can be 100% sure on this and fix this. If I could have some insight on this, thank you. I’m just afraid to install anything like this, even if it shows one false positive.

    I could take out some coding lines one by one, until I find the one where the detection goes away. And I could give you the coding to see why it does it for that particular coding. Or if anyone can give me some insight on it.

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, this plugin does not contain any malware, spamware or any virus. I have been using this plugin on all my sites for many years without any issues.

    Just to make sure, I tested one of my sites using virustotal. It reported nothing bad and the site is clean. Have you checked with your host to make sure your site has not been hacked?

    If you think your site has been hacked, you might like to read the following instructions from [wordpress.org].

    Thread Starter Zsader

    (@zsader)

    Just to make sure, I tested one of my sites using virustotal. It reported nothing bad and the site is clean. Have you checked with your host to make sure your site has not been hacked?

    I haven’t installed the plugin yet. I’m just scanning the plugin folder itself in the zip. I want to be safe, so I’m staying on the side of caution before I even install.

    I’m figuring out what part of the coding right now is popping up this detection.

    Do me a favor: go into your FTP WordPress site, go into the plugin directory, extract “wp-security-brute-force-menu.php” and put it in virustotal and see if anything comes up.

    In fact, I found parts of the coding that are triggering the detection. All you have to do is put the coding into a wordpad and save it, and it will pop up a result on virustotal. Here is the code: *I’m still trying to find the exact lines. It’s not going to be easy. I know there are two lines. Not just one.

    ```php
    <h2><?php _e('Brute Force Prevention Firewall Settings', 'all-in-one-wp-security-and-firewall')?></h2>

    <div class="aio_blue_box">
    <?php
    //TODO - need to fix the following message
    echo '<p>'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'all-in-one-wp-security-and-firewall').
    '<br />'.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'all-in-one-wp-security-and-firewall').
    '<br />'.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'all-in-one-wp-security-and-firewall').'</p>';
    ?>
    </div>
    <div class="aio_yellow_box">
    <?php
    $backup_tab_link = '<a href="admin.php?page='.AIOWPSEC_SETTINGS_MENU_SLUG.'&tab=tab2" target="_blank">backup</a>';
    $video_link = '<a href="http://www.tipsandtricks-hq.com/all-in-one-wp-security-plugin-cookie-based-brute-force-login-attack-prevention-feature-5994" target="_blank">video tutorial</a>';
    $info_msg = sprintf( __('Even though this feature should not have any impact on your site\'s general functionality <strong>you are strongly encouraged to take a %s of your .htaccess file before proceeding</strong>.', 'all-in-one-wp-security-and-firewall'), $backup_tab_link);
    $info_msg1 = __('If this feature is not used correctly, you can get locked out of your site. A backed up .htaccess file will come in handy if that happens.', 'all-in-one-wp-security-and-firewall');
    $info_msg2 = sprintf( __('To learn more about how to use this feature please watch the following %s.', 'all-in-one-wp-security-and-firewall'), $video_link);
    $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
    echo '<p>'.$info_msg.
    '<br />'.$info_msg1.
    '<br />'.$info_msg2.'</p>';
    ?>
    </div>
    <?php

    <div class="inside">
    <?php
    //Display security info badge
    global $aiowps_feature_mgr;
    $aiowps_feature_mgr->output_feature_details_badge("firewall-enable-brute-force-attack-prevention");
    ?>
    <form action="" method="POST">
    <?php wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention'); ?>
    <table class="form-table">
    <tr valign="top">
    <th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'all-in-one-wp-security-and-firewall')?>:</th>
    <td>
    <input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1') echo ' checked="checked"'; ?> value="1"/>
    <span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'all-in-one-wp-security-and-firewall'); ?></span>
    <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
    <div class="aiowps_more_info_body">
    <p class="description">
    <?php
    _e('This feature will deny access to your WordPress login page for all people except those who have a special cookie in their browser.', 'all-in-one-wp-security-and-firewall');
    echo '<br />';
    _e('To use this feature do the following:', 'all-in-one-wp-security-and-firewall');
    echo '<br />';
    _e('1) Enable the checkbox.', 'all-in-one-wp-security-and-firewall');
    echo '<br />';
    _e('2) Enter a secret word consisting of alphanumeric characters which will be difficult to guess. This secret word will be useful whenever you need to know the special URL which you will use to access the login page (see point below).', 'all-in-one-wp-security-and-firewall');
    echo '<br />';
    _e('3) You will then be provided with a special login URL. You will need to use this URL to login to your WordPress site instead of the usual login URL. NOTE: The system will deposit a special cookie in your browser which will allow you access to the WordPress administration login page.', 'all-in-one-wp-security-and-firewall');
    echo '<br />';
    _e('Any person trying to access your login page who does not have the special cookie in their browser will be automatically blocked.', 'all-in-one-wp-security-and-firewall');
    ?>
    </p>
    </div>
    </td>

    ```

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    Neither the code you listed nor the plugin in general contains anything malicious.
    Your virus program is giving a false positive.

    Thread Starter Zsader

    (@zsader)

    Hi,
    Neither the code you listed nor the plugin in general contains anything malicious.

    Yeah, you are probably right. I just wanted to get rid of the line of coding safely without breaking the plugin. Then install it. Just to get rid of the false positive (which it probably is).

    It just gives me peace of mind. It’s impossible to see what line is triggering it. This is an ongoing thing with BKAV. And the word webshell scares the heck out of me.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Just to add to @wpsolutions comment above and to prove that it is a false positive.

    I carried out another test in virustotal, this time using this plugin’s zip folder. There was one report found by bkav. Then I went to the bkav website and did another scan of the zip folder. The results were all positive, no virus found. This concludes that it is a false positive detection.

    Kind regards

  • The topic ‘Virustotal reporting VEX7B24.Webshell on some of the plugin files’ is closed to new replies.
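
When a single engine reports a heuristic "Webshell" label on a file like the ones discussed in this thread, one way to triage it is to list the lines that can actually execute code or operating-system commands and read those by hand. The sketch below is an added example, not part of the original thread or of the plugin; the rule set, the `triage` function and both sample inputs are constructed for illustration, and a hit means "read this line", not "this is a backdoor".

```python
import re

# Call-like constructs that let a PHP file run supplied code or commands.
# A match is a reason to read the line, not proof of a backdoor.
RULES = {
    "code-eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "os-command": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "decode-chain": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request-as-callable": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("),
}
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")

# Constructed sample in the style of the admin-page excerpt quoted in the thread.
ADMIN_PAGE = '''<div class="inside">
<form action="" method="POST">
<?php wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention'); ?>
<?php _e('the system does not have to run PHP code to process the login attempts.', 'all-in-one-wp-security-and-firewall'); ?>
<input name="aiowps_enable_brute_force_attack_prevention" type="checkbox" value="1"/>
</form>
</div>'''

# Constructed textbook one-liner: the kind of file a "Webshell" label is meant for.
TEXTBOOK_SHELL = '<?php eval(base64_decode($_POST["c"])); ?>'


def triage(php_source):
    """Return [(line_no, rule, reads_request_input, text)] for each hit."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                tainted = bool(REQUEST_INPUT.search(line))
                findings.append((no, rule, tainted, line.strip()))
    return findings


if __name__ == "__main__":
    for name, src in (("admin page", ADMIN_PAGE), ("textbook shell", TEXTBOOK_SHELL)):
        hits = triage(src)
        print(name, "->", len(hits), "line(s) to review")
        for no, rule, tainted, text in hits:
            print(f"  line {no}: {rule} (request input on line: {tainted}) {text}")
```

The rules require call syntax, so the word "system" inside a translated string or `method="POST"` in a form tag does not count as a hit.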