quttera
Forum Replies Created
Thank you for reporting this issue. This is indeed a false positive; we will whitelist this detection and add this plugin to our regression testing to avoid further FPs.
Thank you
Hello,
Please send us this scan report and zip archive with the following files to support[at]quttera.com email address and our malware research team will investigate it.
wp-content/plugins/gravityforms/form_display.php
wp-content/plugins/malinky-ajax-pagination/malinky-ajax-pagination-settings.php
wp-content/plugins/patchstack/includes/firewall.php
wp-content/plugins/advanced-custom-fields-pro/includes/api/api-helpers.php
wp-content/plugins/wpvivid-backuprestore/vendor/monolog/monolog/tests/Monolog/Formatter/NormalizerFormatterTest.php
Thank you.
Thank you for the question,
Based on the name (php_errorlog) it could be an error log file generated by the PHP interpreter.
Please send us wp-admin/php_errorlog and wp-admin/includes/php_errorlog files to support[(at)]quttera.com email for further investigation.
Forum: Fixing WordPress
In reply to: Quarantined
Thank you for the provided information.
1 – Please remove phpinfo.php from the website, as it presents details of the installed PHP which could further be used for exploitation
2 – Please send us all detected PHP files in a zip archive to support|at|quttera.com; we will investigate them and provide more details on whether the files are infected or the heuristic scanner generated a false positive
3 – Please review all plugins, remove unused ones and update outdated ones. Also go over the wp-content/plugins directory and try to find/remove unused plugins
4 – Replace the currently used theme with any theme provided by WordPress; if the theme is infected, this change can help to speed up the website
5 – Here https://blog.quttera.com/post/website-malware-removal-guide-part-1-preparation/ you can find other tips which could help to identify and cure the infection
Forum: Fixing WordPress
In reply to: Quarantined
Hello @nudgephelps
Did you run the internal scan in high sensitivity mode? If not, please do it.
Also, please check whether wp-config.php contains any long encrypted string (which could be the infection itself).
Another step: go and disable plugins; one of them could be infected. Go over the plugins directory and verify that you recognize all plugins located there.
In case one of the plugins is infected, this should help.
Next step: please switch to any of the default themes; if this helps the site load faster, then the infection is located in the theme sources.
During execution, the plugin creates two files to keep results, a report file and a log file, similar to the following (unless there are permission issues creating such files):
-rw-r--r-- 1 www-data www-data 8359 Jul 2 20:56 quttera_wp_report.txt
-rw-r--r-- 1 www-data www-data 13147595 Jul 2 20:56 runtime.log
The detected file name also can be part of the quttera_wp_report.txt file.
Please try to rerun the scan again and verify these files had been created.
Another way to get the full path is to download the scan report as a text file via the “Download report” button.
The log file is called runtime.log and it could be found in the plugin’s directory.
Hello,
During the scan, the plugin creates a log file; you can find it in the plugins directory.
Please go over this log file and search for the words enMaliciousThreatType or enSuspiciousThreatType.
This line will/should contain the full path of the detected file.
Quttera Team
I apologize for the confusion,
The following command should copy the first 100 bytes of the file Screen_Spont_2022-05-23-10-22-56-PM.opus and will store it in header.opus in binary format:
# dd if=Screen_Spont_2022-05-23-10-22-56-PM.opus of=header.opus bs=100 count=1
Can you please send us the generated header.opus file to the mentioned email?
We will use it to reproduce the detection issue on our side.
Thank you.
Thank you for reporting this issue.
Opus files should be supported by the plugin and should be skipped.
File: qtrMimetype.php, line 30.
Can you please send us an email with the first 100 bytes of this file to support[at]quttera[dot]com for further investigation?
Please mention in the request to forward this request to R&D
Thank you.
- This reply was modified 4 years ago by quttera.
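What the first 100 bytes of an Opus file are enough to establish, as an added example (not Quttera's code and not how qtrMimetype.php works): an Ogg Opus file starts with an `OggS` page whose first packet is the 19-byte `OpusHead` identification header, so the `dd` sample can be checked locally before it is sent. The function names and the sample bytes are constructed for illustration, and the page CRC is not verified.

```python
import struct

OGG_PAGE_HEADER = "<4sBBqIIIB"   # capture, version, flags, granule, serial, seq, crc, nsegs
OGG_HEADER_LEN = struct.calcsize(OGG_PAGE_HEADER)   # 27 bytes
OPUS_HEAD_LEN = 19               # magic(8) version(1) channels(1) preskip(2) rate(4) gain(2) map(1)

def inspect_ogg_opus_header(header: bytes) -> dict:
    """Parse the first Ogg page in `header` and say whether it carries OpusHead."""
    result = {"ogg": False, "bos": False, "opus": False, "channels": None, "reason": ""}
    if len(header) < OGG_HEADER_LEN:
        result["reason"] = "shorter than one Ogg page header"
        return result
    capture, version, flags, _g, _s, _q, _crc, nsegs = struct.unpack(
        OGG_PAGE_HEADER, header[:OGG_HEADER_LEN])
    if capture != b"OggS" or version != 0:
        result["reason"] = "no OggS capture pattern at offset 0"
        return result
    result["ogg"] = True
    result["bos"] = bool(flags & 0x02)          # beginning-of-stream flag
    start = OGG_HEADER_LEN + nsegs              # payload follows the segment table
    packet = header[start:start + OPUS_HEAD_LEN]
    if len(packet) < OPUS_HEAD_LEN:
        result["reason"] = "sample ends before the first packet is complete"
    elif packet[:8] != b"OpusHead":
        result["reason"] = "first packet is not OpusHead (other Ogg codec?)"
    else:
        result["opus"] = True
        result["channels"] = packet[9]
    return result

def build_sample_header(magic: bytes = b"OpusHead") -> bytes:
    """Constructed 100-byte sample shaped like the output of the dd command."""
    packet = magic + struct.pack("<BBHIhB", 1, 2, 312, 48000, 0, 0)
    page = struct.pack(OGG_PAGE_HEADER, b"OggS", 0, 0x02, 0, 0x1234, 0, 0, 1)
    return (page + bytes([len(packet)]) + packet).ljust(100, b"\x00")[:100]

if __name__ == "__main__":
    print(inspect_ogg_opus_header(build_sample_header()))
```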
Forum: Reviews
In reply to: [Quttera ThreatSign – Web Malware Scanner for WordPress] Useless Adware
Thank you for your review. Please pay attention: our detection is based on a heuristic engine to be able to detect unknown and hidden infections.
The internal scan will check PHP/JS/CSS and image files for malware. This is a heuristic scanning of the file system for malware. Heuristics are used in our technology to detect unknown infection. Note: due to the high sensitivity, it might flag not dangerous code as well (False-Positive). For the resolution of the false-positives please contact quttera support on plugin page or email [email protected].
Hello, can you please share with us the entire file for the investigation?
Please send zip archive to our help system using following email support[#@#]quttera.com
Quttera Team
Forum: Fixing WordPress
In reply to: Why is Quttera detecting core php file as malware?
@ntdropper thanks, we will reproduce this issue in our labs and will fix it.
Thank you.
Quttera’s public scanner detects CSS as potentially suspicious due to low entropy in the scanned file.
We investigated this CSS and it is clean.
The /feed output (mostly generated from database content) contains SPAM/SEO links.
We would suggest dumping WordPress database and investigating the content of the posts table.
Forum: Fixing WordPress
In reply to: Why is Quttera detecting core php file as malware?
Thank you for reporting this issue.
During the scan of core files, the plugin was required to download hashes of the core files and match core files accordingly.
If the plugin reported anything in core files it means that
* either the core file was modified
* the plugin failed to download the hashes database from ww.wp.xz.cn file
* there is a mismatch between downloaded hashes and scanned version of the WordPress.
Can you please share the version of WordPress and the plugin used during this scan?
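The three causes listed in the reply above can be told apart before any core file is treated as infected. The following is an added example, not the plugin's code: it compares a WordPress tree with a hash manifest and reports which case applies. The manifest format (relative path to SHA-256), the function names and the demo tree are constructed for illustration; the version is read from `$wp_version` in `wp-includes/version.php`.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def installed_version(root: Path):
    """Return $wp_version from wp-includes/version.php, or None if unreadable."""
    try:
        text = (root / "wp-includes" / "version.php").read_text(errors="replace")
    except OSError:
        return None
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return match.group(1) if match else None

def check_core(root: Path, manifest, manifest_version: str):
    """Return (status, findings); status names which of the three cases applies."""
    if not manifest:                      # hash download failed or came back empty
        return "hashes-unavailable", []
    version = installed_version(root)
    if version != manifest_version:       # hashes belong to another release
        return "version-mismatch", [("wp-includes/version.php",
                                     f"installed={version} hashes={manifest_version}")]
    findings = []
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.is_file():
            findings.append((rel, "missing"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            findings.append((rel, "modified"))
    return ("modified" if findings else "clean"), findings

def build_demo():
    """Constructed stand-in tree and matching manifest (not real core files)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.0';\n",
        "wp-login.php": b"<?php // constructed stand-in\n",
        "index.php": b"<?php // constructed stand-in\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root, {rel: hashlib.sha256(b).hexdigest() for rel, b in files.items()}

if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    print(check_core(demo_root, demo_manifest, "6.0"))
```

Only the `modified` status points at the files themselves; the other two mean the comparison could not be trusted and should be repeated with the correct hashes.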