Title: Malicious Executable code in class-pclzip.php?? Last modified: September 7, 2016 --- # Malicious Executable code in class-pclzip.php?? * Resolved [LMD99](https://wordpress.org/support/users/lmd99/) * (@lmd99) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/) * I just got a sever warning on a scan re: * > This file may contain malicious executable code: /services/webpages/t/e/domain. > com/public/wp-admin/includes/class-pclzip.php * Anyone else get this warning? To me, it could just be a new file associated with the 4.6.1 update, but the following explanation by Wordfence doesn’t make me feel comfortable assuming the file’s fine: * > This file is a PHP executable file and contains the word ‘eval’ (without quotes) > and the word ‘unpack(‘ (without quotes). The eval() function along with an > encoding function like the one mentioned are commonly used by hackers to hide > their code. If you know about this file you can choose to ignore it to exclude > it from future scans. This file was detected because you have enabled HIGH > SENSITIVITY scanning. This option is more aggressive than the usual scans, > and may cause false positives. * Any suggestions? - This topic was modified 9 years, 8 months ago by [LMD99](https://wordpress.org/support/users/lmd99/). Viewing 6 replies - 1 through 6 (of 6 total) * [emc2](https://wordpress.org/support/users/emc2/) * (@emc2) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8156616) * I have the same problem, so far only showed up in 2 of 10+ websites I run. * Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/) * (@lmd99) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8156717) * This is the first and only instance of this warning I’ve received with over 20 WordPress sites I manage. That fact, in itself, doesn’t give me a good feeling. Well, let’s see if anyone else or the plugin author chimes-in. * [wpdevuk](https://wordpress.org/support/users/wpdevuk/) * (@wpdevuk) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8156825) * I can’t offer a definitive answer on this, however, I experienced the same message for that file _(only a site with high sensitivity enabled)_ back when 4.4.4 was released. I got the alert about two hours after the automatic update happened. * Chalked it down to a false positive as that particular core WordPress file does include reference to a function that is often associated with malicious code ( eval), but obviously a genuine use of it ([https://github.com/WordPress/WordPress/blob/master/wp-admin/includes/class-pclzip.php](https://github.com/WordPress/WordPress/blob/master/wp-admin/includes/class-pclzip.php)). * Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/) * (@lmd99) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8156895) * I think you are right about the “sensitivity”. I’ve disabled “high sensitivity”, and performing another scan to see if it pops up again as a malicious file. Odd about the code reference to an instance of “eval” without quotes though… * ¯\_(ツ)_/¯ * [barnez](https://wordpress.org/support/users/pidengmor/) * (@pidengmor) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8158008) * I would ignore those as false positives. Here are the respective lines of code in that file in WordPress 4.6.1 (* Note the **eval** line is actually a comment): * ``` Line 4068: // eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);'); Line 2851: $v_data_header = unpack('a1id1/a1id2/a1cm/a1flag/Vmtime/a1xfl/a1os', $v_binary_data); Line 2859: $v_data_footer = unpack('Vcrc/Vcompressed_size', $v_binary_data); Line 4281: $v_data = unpack('Vid', $v_binary_data); Line 4311: $v_data = unpack('vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $v_binary_data); Line 4384: $v_data = unpack('Vid', $v_binary_data); Line 4414: $p_header = unpack('vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $v_binary_data); Line 4555: $v_data = @unpack('Vid', $v_binary_data); Line 4631: $v_data = unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size', $v_binary_data); ``` * Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/) * (@lmd99) * [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8158970) * I see the reference, and yes, a comment it is. * I’ve removed the “high sensitivity” function, and no issues are found now. * Thanks all for your help to resolve. - This reply was modified 9 years, 8 months ago by [LMD99](https://wordpress.org/support/users/lmd99/). Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘Malicious Executable code in class-pclzip.php??’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 6 replies * 4 participants * Last reply from: [LMD99](https://wordpress.org/support/users/lmd99/) * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/malicious-executable-code-in-class-pclzip-php/#post-8158970) * Status: resolved