If this is true about the plugin then the plugin is a “trojan horse”! However, I tested the zip file on Virustotal.com and it passed all the tests. Also a website scanner should catch the malware in the plugin on a live site if it’s running base64 code, etc. Another thing to do is test it with your desktop antivirus software–it passed Avast too. Finally you can just open the files in Notepad and see if the code is really there, which I did. Here’s what I found in the code:
    private static function php_match_pattern()
    {
        return '/(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|base64_encode|base64_decode|create_function|exec|shell_exec|system|passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|pfsockopen|fclose|fread|file_put_contents)\s*?\(/';
    }

    /**
    * Check a single line
    *
    * @since 0.1
    * @change 1.3.3
    *
    * @param string $line Line to check
    * @param integer $num Line number to check
    * @return string $line Line with results
    */
    private static function check_file_line($line = '', $num)
    {
        /* Trim the value */
        $line = trim((string)$line);

        /* Empty values? */
        if ( !$line or !isset($num) ) {
            return false;
        }

        /* Initialize values */
        $results = array();
        $output = array();

        /* Search for commands */
        preg_match_all(
            self::php_match_pattern(),
            $line,
            $matches
        );

        /* Store the result */
        if ( $matches[1] ) {
            $results = $matches[1];
        }

        /* Search for Base64 */
        preg_match_all(
            '/[\'\"\$\\ \/]*?([a-zA-Z0-9]{' .strlen(base64_encode('sergej + swetlana = love.')). ',})/',
            $line,
            $matches
        );
Can’t really tell what’s going on, it may be just innocent checks for base64, but until someone else chimes in that knows, I’m not using this plugin.
Chances are you got this error because of conflicting anti-virus software. It should use only one remedy.
There’s no error, it’s a warning message he got from a virus scan.
Please answer cscottb’s and my question: What is base64 code doing in your Antivirus plugin!?
1. Antivirus is not this plugin’s author. S/he just happens to have a similar username.
2. Any plugin that scans for base64 or eval() code will reference the same in its own files. None of the code posted above is malicious.
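As an added illustration (not part of the original thread and not the plugin's own code), here is a Python port of the two regular expressions from the excerpt, run over constructed sample lines. It shows that the patterns only search text, that a keyword-only scanner (the hypothetical `naive_hits`) flags the pattern definition itself, and that the function pattern has no word boundary, so `is_file(` is reported as `file`.

```python
import base64
import re

# Port of php_match_pattern() from the excerpt quoted in this thread.
FUNC_PATTERN = re.compile(
    r"(assert|file_get_contents|curl_exec|popen|proc_open|unserialize|eval|"
    r"base64_encode|base64_decode|create_function|exec|shell_exec|system|"
    r"passthru|ob_get_contents|file|curl_init|readfile|fopen|fsockopen|"
    r"pfsockopen|fclose|fread|file_put_contents)\s*?\("
)

# The excerpt derives its minimum run length from an encoded sample string.
MIN_RUN = len(base64.b64encode(b"sergej + swetlana = love."))
# Port of the second regex: an optional quote/$/space/slash prefix, then a
# run of at least MIN_RUN ASCII letters and digits.
RUN_PATTERN = re.compile(r"""['"$ /]*?([a-zA-Z0-9]{%d,})""" % MIN_RUN)


def check_line(line):
    """Return (function names, long alphanumeric runs) found in one line."""
    line = line.strip()
    return FUNC_PATTERN.findall(line), RUN_PATTERN.findall(line)


def naive_hits(line, keywords=("eval", "base64")):
    """Hypothetical substring scanner: flags any mention of a keyword."""
    return [k for k in keywords if k in line]


# Constructed sample lines; the first two reuse text from the quoted excerpt.
SAMPLES = {
    "pattern_def": "return '/" + FUNC_PATTERN.pattern + "/';",
    "excerpt_fragment": "strlen(base64_encode('sergej + swetlana = love.'))",
    "is_file": "if ( is_file( $path ) ) {",
    "decode_exec": "eval(base64_decode($payload));",
    "blob": '$blob = "' + "QUJD" * 10 + '";',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_line(text), naive_hits(text))
```

Every hit is a prompt for a person to read the flagged line, which is why the scanner's own source produces matches without containing anything that decodes or executes data.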
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
What is base64 code doing in your Antivirus plugin!?
@lion817? Calmly please. That’s not obfuscated code, that’s code that is apparently used to locate and report on some of that badness.
Look at line 817 of antivirus.php and you see some more of what that plugin is attempting to identify.
I just activated the latest version of the AntiVirus plugin (1.3.4) and ran a Wordfence (3.6.8) scan, and there was no warning about the AntiVirus plugin.