PHP Malware Scanner and false positives

My site is being continually infected and I’m trying to find the cause. I’ve been using PHP Malware Scanner which works great but it keeps saying that the following files are infected but I can’t seem to see anything out of the ordinary:

/public_html/core/components/upgrademodx/vendor/guzzlehttp/guzzle/src/Middleware.php
/public_html/core/packages/upgrademodx-2.1.2-pl/modCategory/178a0f9304ec11c49bc2c26b2e8a500f/0/upgrademodx/vendor/guzzlehttp/guzzle/src/Middleware.php
/public_html/core/model/phpthumb/phpthumb.class.php

Are these false positives?

I think they’re probably false positives (my local virus and malware scans have no problem with them), but since you’re having trouble, you might want to compare them with the originals at GitHub, or simply replace them with the originals and run the scan again.

Had the same problem. Make 100% sure you reset your FTP accounts and delete all password mails or docs. Also, check your Google Site Console. Possibly the hacker has an account there as well.

Most likely they are false positives. You can check this by downloading the original files (from a fresh setup), running PHP Malware Scanner on those files and seeing whether the results are the same.
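The comparison suggested above, as an added example that is not part of the original thread or of PHP Malware Scanner: a small POSIX shell script that checks an installed package tree against a pristine copy of the same version by SHA-256, reporting files whose content differs and files that exist only in the installed tree. The demo tree it builds (including the file names) is constructed for illustration; it runs with GNU coreutils (`sha256sum`, `comm`, `mktemp`).

```shell
#!/bin/sh
# Added example (not from the thread): diff an installed package tree against a
# pristine copy of the same version. A flagged file that is byte-identical to the
# original is a false positive of the scanner; a file that differs, or one that
# only exists in the installed tree, needs a closer look.

# compare_trees PRISTINE INSTALLED
# Prints "MODIFIED <path>" for files whose content differs between the trees and
# "EXTRA <path>" for files that exist only in the installed tree.
compare_trees() {
    pristine=$1
    installed=$2
    plist=$(mktemp)
    ilist=$(mktemp)
    (cd "$pristine" && find . -type f | sort) > "$plist"
    (cd "$installed" && find . -type f | sort) > "$ilist"
    # Only in the installed tree (comm column 2): dropped files land here
    comm -13 "$plist" "$ilist" | sed 's/^/EXTRA /'
    # Present in both trees: compare the SHA-256 of the content
    comm -12 "$plist" "$ilist" | while IFS= read -r f; do
        a=$(sha256sum "$pristine/$f" | cut -d' ' -f1)
        b=$(sha256sum "$installed/$f" | cut -d' ' -f1)
        [ "$a" = "$b" ] || printf 'MODIFIED %s\n' "$f"
    done
    rm -f "$plist" "$ilist"
}

# --- constructed demo data so the script runs stand-alone (paths are made up) ---
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/pristine/src" "$demo/installed/src"
    # identical in both trees: whatever the scanner says, this one is untouched
    printf '<?php\nfunction tap() {}\n' > "$demo/pristine/src/Middleware.php"
    cp "$demo/pristine/src/Middleware.php" "$demo/installed/src/Middleware.php"
    # same file, but with a line appended in the installed copy
    printf '<?php\nclass phpthumb {}\n' > "$demo/pristine/phpthumb.class.php"
    { cat "$demo/pristine/phpthumb.class.php"
      printf '// a line that is not in the upstream release\n'; } \
        > "$demo/installed/phpthumb.class.php"
    # a dropped file with no counterpart in the original package
    printf '<?php\n// dropped file\n' > "$demo/installed/xghrkp.php"
    echo "$demo"
}

demo=$(make_demo)
compare_trees "$demo/pristine" "$demo/installed"
# Expected:
# EXTRA ./xghrkp.php
# MODIFIED ./phpthumb.class.php
```

Run it against the real trees by pointing `compare_trees` at an unpacked copy of the same package version and the directory under `core/`; anything it lists is worth opening, and anything the scanner flags that it does not list is a false positive.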

Thanks everyone! I think they are false positives as I’ve copied the source over from a fresh install and the result was the same. I’m just very paranoid because I keep getting infected and I’m trying to narrow down the possibilities.

You could probably exclude them in the scan, but unfortunately, a smart piece of malware might actually use them.

Do you know more about the attack?

For example, at my sites there were weird index.php files in every folder. If you decode the code in there, you will find a file which it includes. When I deleted those files, the hack was over.

It’s the same as all my other sites and I believe the same as yours. It seems to start with these index.php files everywhere that try to include these other PHP files with random names. Files like xghrkp.php or wikotp.php, etc. On all of my other sites I was able to just delete and/or clean the files that php-malware-scanner identified, upgrade, and it was done. But not this time. I’m thinking about resetting the passwords of all my users. The problem is that I have a ton of users :(

Hmm, user passwords ain’t gonna fix it. FTP and CP passwords can solve your problem. Are there any includes with .ico files? Those are easy to hunt down and delete.

I’m on a Google Cloud instance and I haven’t even enabled FTP or have cPanel installed. I’ll do a search for those ico includes. Thanks @ilja-web!

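The two hunts discussed above (index.php droppers that include a second file, and includes of ".ico" files), as an added example that is not code from the thread or from PHP Malware Scanner: one shell function lists include/require statements whose target ends in .ico, the other pulls the base64 literal out of an obfuscated include and decodes it to show which file is really being pulled in. The sample files and names are constructed for the demo; it assumes GNU coreutils (`base64 -d`) and a `grep` that supports `-r` and `--include`.

```shell
#!/bin/sh
# Added example, not code from the thread or from PHP Malware Scanner: two quick
# hunts for the pattern described above (an index.php in many directories that
# pulls in a second file, sometimes with a .ico extension, often through an
# obfuscated path). Sample files below are constructed; the names are made up.

# find_ico_includes DIR
# Lists include/require statements whose target ends in .ico. PHP does not care
# about the extension, so an included ".ico" is PHP code wearing a disguise.
find_ico_includes() {
    grep -rnE --include='*.php' '(include|require)(_once)?[^;]*\.ico' "$1"
}

# decode_b64_includes FILE
# Prints "<blob> -> <decoded>" for each base64_decode('...') literal in FILE.
# In the droppers discussed above the decoded text is the path of the included file.
decode_b64_includes() {
    grep -oE "base64_decode\(['\"][A-Za-z0-9+/=]+" "$1" | while IFS= read -r m; do
        blob=${m#base64_decode?}   # strip the call prefix up to and including "("
        blob=${blob#?}             # and the opening quote character
        printf '%s -> %s\n' "$blob" "$(printf '%s' "$blob" | base64 -d)"
    done
}

# --- constructed sample tree (made up for the demo) ---
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/assets" "$d/dropper"
    # a normal file: mentions a .ico but does not include it
    printf '<?php\n$icon = "favicon.ico";\nrequire_once "vendor/autoload.php";\n' > "$d/clean.php"
    # dropper variant 1: includes a "favicon" that is really PHP
    printf '<?php\n@include("img/favicon_1a2b.ico");\n' > "$d/assets/index.php"
    # dropper variant 2: include path hidden behind base64 (decodes to xghrkp.php)
    printf "<?php\n@include(base64_decode('eGdocmtwLnBocA=='));\n" > "$d/dropper/index.php"
    echo "$d"
}

d=$(make_samples)
echo "== include/require of .ico files =="
find_ico_includes "$d"
echo "== decoded base64 include targets in dropper/index.php =="
decode_b64_includes "$d/dropper/index.php"
```

Point `find_ico_includes` at the web root to get `file:line:statement` for every suspicious include; run `decode_b64_includes` on each flagged index.php to learn the name of the second-stage file, and delete that file as well as the dropper, since removing only the index.php leaves the payload in place for the next one to include.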

Those files reported are false positives. PHP Malware Scanner is good but will definitely find and report false positives because it’s a pattern matcher for common malicious code. It’s not finding malware per se. For instance, PHP Thumb is definitely going to false-positive.

Are you using git pull to fetch the latest version before running it? Or, did you download it once and run it regularly?

Do you have any other evidence that your site is compromised? I.e. odd behavior, strange users, unknown plugins, errors on the manager or front end, changes to .htaccess or any of these?

I’ve downloaded it once and then just run it regularly. And no other evidence the site is compromised. I’ve looked through the DB for strange users, plugins, and snippets. All seems to be in order. I did find more of those *.ico includes that @ilja-web said to look for. Deleted them. Hopefully that was it, fingers crossed.
