• Resolved jackelliott

    (@jackelliott)


    NinjaFirewall’s malware scanner found this hit:
    1-{REX}PHP.array.concatenation.1: /home/content/23/2507923/html/wp-content/plugins/wp-rocket/min/lib/CSSmin.php

    I downloaded CSSmin.php to take a look, and the found string is not in the file. I searched it for “concatenation” and “REX” and no hits.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    {REX}PHP.array.concatenation.1 is only the name of the rule, not the rule.

    It could be a false positive. Try to upload that file to pastebin or another similar website and post the link to it here so that I can have a look at it.

    Thread Starter jackelliott

    (@jackelliott)

    Thanks. The puzzle to me is that the scanner found such a string but that string (or keywords from it) doesn’t seem to appear in the PHP file.

    Try this:

    http://www.filedropper.com/cssmin

    Plugin Author nintechnet

    (@nintechnet)

    It’s a false positive. That file contains a lot of regex and one of them is being wrongly flagged. I’ll try to adjust the rules accordingly in the next release.

    Thread Starter jackelliott

    (@jackelliott)

    Many thanks! Better the occasional false positive than a miss.

    And now I know that the error message I received was not a found string in the target file, but the name of the rule. Does NFW have a “How to interpret results” FAQ this newbie can look at?

    Plugin Author nintechnet

    (@nintechnet)

    When the firewall blocks a request, the reason and a sample of the request are displayed in the firewall log.
    Regarding malware, only the name can help to find the issue, for instance “PHP.array.concatenation” means there is a PHP array that is concatenated. Often malware uses this trick to obfuscate the code. A quick look at your file shows that at least this line is the issue:

    $hex = '#' . strtolower($m[2] . $m[3] . $m[4] . $m[5] . $m[6] . $m[7]);
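
Added illustration, not part of the thread and not NinjaFirewall's code: a minimal scanner showing why a reported rule name never appears in the flagged file, and how reporting the line and matched text makes a hit like this one quick to triage. The rule name `EXAMPLE.PHP.array.concatenation` and its regex are assumptions constructed for this example.

```python
import re
from typing import NamedTuple

# Hypothetical rule, constructed for this example; NOT NinjaFirewall's signature.
# It flags four or more array elements joined with the PHP "." operator.
ELEMENT = r"\$\w+\[[^\]\n]+\]"
RULES = {
    "EXAMPLE.PHP.array.concatenation": re.compile(
        rf"{ELEMENT}(?:\s*\.\s*{ELEMENT}){{3,}}"
    ),
}


class Finding(NamedTuple):
    rule: str     # label of the rule that fired; never text taken from the file
    line: int     # 1-based line number of the match
    column: int   # 1-based column where the match starts
    matched: str  # the text that actually triggered the rule


def scan(source: str) -> list[Finding]:
    """Run every rule over every line and record what matched, and where."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(text):
                findings.append(Finding(name, lineno, m.start() + 1, m.group(0)))
    return findings


# Constructed sample file; line 3 is the CSSmin.php line quoted in the thread.
SAMPLE = """<?php
$a = $m[1] . ';';
$hex = '#' . strtolower($m[2] . $m[3] . $m[4] . $m[5] . $m[6] . $m[7]);
$rgb = array($r, $g, $b);
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.rule}: line {f.line}, col {f.column}: {f.matched}")
```

Searching the file for the rule name finds nothing because the name lives only in the scanner's rule set; the `matched` field is what an admin needs to decide whether the hit is legitimate code, as it is here.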
    
    Thread Starter jackelliott

    (@jackelliott)

    Thank you. It can’t be easy to teach machines how to tell the difference between malware that uses the same coding technique that legitimate code uses. It’s also tough for the site admin to determine what bit of code in the file may have triggered the alarm.

    The folk at WP-Rocket figured it might be a false positive; I sent them your comment.

    (Edit: to mark this as resolved)

    • This reply was modified 9 years, 2 months ago by jackelliott. Reason: Wanted to mark it resolved

The topic ‘Malware found but not there? CSSmin.php’ is closed to new replies.