Title: Infected file: random_bytes_mcrypt.php
Last modified: December 23, 2018

---

# Infected file: random_bytes_mcrypt.php

 *  Resolved [afuentest](https://wordpress.org/support/users/afuentest/)
 * (@afuentest)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/infected-file-random_bytes_mcrypt-php/)
 * Hello!
   I ran a scan with siteguarding.com and got this result:
   Infected file:/wp-content/plugins/ip-geo-block/includes/random_compat/random_bytes_mcrypt.php
   Malware Type: php.var.function.14
 * I use this plugin on many of my sites, so I am deeply concerned about this, since
   the same scanning service gave the same result for other sites of mine on different
   hosting services.
   Is this a false positive? Is there something else I should do? Thanks!!

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [tokkonopapa](https://wordpress.org/support/users/tokkonopapa/)
 * (@tokkonopapa)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/infected-file-random_bytes_mcrypt-php/#post-11021397)
 * Hi [@afuentest](https://wordpress.org/support/users/afuentest/),
 * Thank you for the information. But don’t worry about it. siteguarding.com may
   detect false positives. Let me explain the technical details.
 * In 3.0.14, “an emergency login link” was added. This feature should be “**cryptographically
   secure**” which is done by [random_bytes()](http://php.net/manual/en/function.random-bytes.php),
   but it needs PHP7+.
 * So for backward compatibility, this plugin includes [paragonie/random_compat](https://github.com/paragonie/random_compat),
   which supports random_bytes() under PHP 5.x, and this library includes [mcrypt_create_iv()](http://php.net/manual/en/function.mcrypt-create-iv.php),
   which is not supported on PHP 7.2+.
 * Furthermore, [PHP Compatibility Checker](https://wordpress.org/plugins/php-compatibility-checker/)
   reports a warning for the usage of “mcrypt_create_iv()”, which is a false positive
   in this case because it is never used on PHP7+.
 * So I modified some code in “/wp-content/plugins/ip-geo-block/includes/random_compat/random_bytes_mcrypt.php”
   as follows:
 * **Original:**
 *     ```
       /** @var string|bool $buf */
       $buf = @mcrypt_create_iv((int) $bytes, (int) MCRYPT_DEV_URANDOM);
       ```
   
 * **Modified:**
 *     ```
       /** @var string|bool $buf */ /* MCRYPT_DEV_RANDOM:0, MCRYPT_DEV_URANDOM:1 */
       $fnc = implode('_', array('mcrypt', 'create', 'iv'));
       $buf = @$fnc((int) $bytes, (int) 1 /*MCRYPT_DEV_URANDOM*/);
       ```
   
 * I think that’s why siteguarding.com reported this type of code as “php.var.function”.
   But this is definitely safe and not malware.
 * P.S. WordPress 4.4+ also includes “random_compat” and “mcrypt_create_iv()”.
 * OK, I’ll find a smarter solution for this issue in a future version.
 * Thanks for the heads-up!
 *  Plugin Author [tokkonopapa](https://wordpress.org/support/users/tokkonopapa/)
 * (@tokkonopapa)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/infected-file-random_bytes_mcrypt-php/#post-11038881)
 * Hi [@afuentest](https://wordpress.org/support/users/afuentest/) and all,
 * I adopted [`@codingStandardsIgnoreLine`](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Advanced-Usage#ignoring-parts-of-a-file)
   on version 3.0.17.1 to ignore the warning by PHP Compatibility Checker.
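
Added example, not part of the thread and not siteguarding.com's or the plugin's code: a small triage helper for "variable function" hits like the one discussed above. It assumes the scanner's rule fires on `$name(...)` calls (the rule itself is not published on this page); `triage`, `resolve` and the `ESCALATE` list are hypothetical names, and it goes slightly beyond the thread by also resolving plain string-literal assignments.

```python
import re

# A call through a variable: $name( ... ), optionally prefixed with @.
VAR_CALL = re.compile(r"(?<![\w$>:])@?\$(\w+)\s*\(")
# $name = implode('<glue>', array('a', 'b', ...));  string literals only.
IMPLODE = r"\$%s\s*=\s*implode\(\s*'([^']*)'\s*,\s*(?:array\(|\[)([^)\]]*)[)\]]\s*\)\s*;"
# $name = 'literal';
LITERAL = r"\$%s\s*=\s*'([^']*)'\s*;"
# Assumed, non-exhaustive list of targets an analyst would escalate.
ESCALATE = {"assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

# The two snippets quoted in the plugin author's reply.
ORIGINAL = r"""/** @var string|bool $buf */
$buf = @mcrypt_create_iv((int) $bytes, (int) MCRYPT_DEV_URANDOM);"""
MODIFIED = r"""/** @var string|bool $buf */ /* MCRYPT_DEV_RANDOM:0, MCRYPT_DEV_URANDOM:1 */
$fnc = implode('_', array('mcrypt', 'create', 'iv'));
$buf = @$fnc((int) $bytes, (int) 1 /*MCRYPT_DEV_URANDOM*/);"""


def resolve(name, src):
    """Return the function name that $name statically resolves to, or None."""
    var = re.escape(name)
    m = re.search(IMPLODE % var, src)
    if m:
        return m.group(1).join(re.findall(r"'([^']*)'", m.group(2)))
    m = re.search(LITERAL % var, src)
    return m.group(1) if m else None


def triage(src):
    """Return (variable, resolved_name, verdict) for each variable function call."""
    findings = []
    for m in VAR_CALL.finditer(src):
        name = m.group(1)
        target = resolve(name, src)
        if target is None:
            verdict = "unresolved"   # name comes from elsewhere: read the code by hand
        elif target.lower() in ESCALATE:
            verdict = "escalate"
        else:
            verdict = "resolved"     # still compare the file with the upstream release
        findings.append((name, target, verdict))
    return findings


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(label, triage(code))
```

The original snippet produces no finding, while the modified one is flagged and resolves to `mcrypt_create_iv`, which is why a pattern-based rule can report the rewritten line without the code doing anything different.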


The topic ‘Infected file: random_bytes_mcrypt.php’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [tokkonopapa](https://wordpress.org/support/users/tokkonopapa/)
 * Last activity: [7 years, 5 months ago](https://wordpress.org/support/topic/infected-file-random_bytes_mcrypt-php/#post-11038881)
 * Status: resolved