PHP Malware Scanner and false positives

jeffmiranda · May 26, 2019, 6:25pm

My site is being continually infected and I’m trying to find the cause. I’ve been using PHP Malware Scanner which works great but it keeps saying that the following files are infected but I can’t seem to see anything out of the ordinary:

/public_html/core/components/upgrademodx/vendor/guzzlehttp/guzzle/src/Middleware.php
/public_html/core/packages/upgrademodx-2.1.2-pl/modCategory/178a0f9304ec11c49bc2c26b2e8a500f/0/upgrademodx/vendor/guzzlehttp/guzzle/src/Middleware.php
/public_html/core/model/phpthumb/phpthumb.class.php

Are these false positives?

bobray · May 26, 2019, 10:43pm

I think they’re probably false positives (my local virus and malware scans have no problem with them), but since you’re having trouble, you might want to compare them with the originals at GitHub, or simply replace them with the originals and run the scan again.

ilja-web · May 28, 2019, 8:03am

Had the samen problem. Make 100% sure you reset your FTP account’s and delete all password mails or docs. Also, check your Google Site Console. Possible the hacker has an account there as well.

joshualuckers · May 28, 2019, 2:18pm

Most likely they are false-positives. You can check this by downloading the original files (from a fresh setup) and run PHP Malware Scanner on those files and see if the results are the same.

jeffmiranda · May 28, 2019, 7:11pm

Thanks everyone! I think they are false positives as I’ve copied the source over from a fresh install and the result was the same. I’m just very paranoid because I keep getting infected and I’m trying to narrow down the possibilities.

bobray · May 28, 2019, 8:54pm

You could probably exclude them in the scan, but unfortunately, a smart piece of malware might actually use them.

ilja-web · May 29, 2019, 9:55am

Do you know more about the attack?

For example. At my sites there where weird index.php files in every map. If you decode the code in there, you will find a file which it includes. When I deleted those files, the hack was over.

jeffmiranda · May 31, 2019, 2:57pm

It’s the same as all my other sites and I believe the same as yours. It seems to start with these index.php files everywhere that try and include these other PHP files with random names. Files like xghrkp.php or wikotp.php, etc. On all of my other sites I was able to just delete and/or clean the files that php-malware-scanner identified, upgrade, and it was done. But not this time. I’m thinking about resetting the passwords of all my users. The problem is that I have a tonne of users

ilja-web · June 3, 2019, 12:14pm

Hmm user pass ain’t gonna fix it. FTP, CP pass can solve your problem. Are there any includes with .ico files? Those are easy to hunt down and delete.

jeffmiranda · June 5, 2019, 4:18pm

I’m on a Google Cloud instance and I haven’t even enabled FTP or have cPanel installed. I’ll do a search for those ico includes. Thanks @ilja-web!

smashingred · June 6, 2019, 1:31pm

Those files reported are false positives. PHP Malware Scanner is good but will definitely find and report false positives because it’s a common malicious pattern matcher. It’s not finding malware per se. For instance. PHP Thumb is definitely going to false positive.

Are you using git pull to fetch the latest version before running it? Or, did you download it once and run it regularly?

Do you have any other evidence that your site is compromised? I.e. odd behavior, strange users, unknown plugins, errors on manager or front and, changes to .htaccess or any of these?

jeffmiranda · June 7, 2019, 3:19am

I’ve downloaded it once and then just run it regularly. And no other evidence the site is compromised. I’ve looked through the DB for strange users, plugins, and snippets. All seems to be in order. I did find more of those *.ico includes that @ilja-web said to look for. Deleted them. Hopefully that was it. fingers crossed