Server showing gotmls file is a virus?
Tagged: maldet
This topic contains 11 replies, has 3 voices, and was last updated by Jerry Arsenault 7 years, 9 months ago.
February 4, 2017 at 9:00 am #1772
Hi,
I installed the plugin a couple of weeks ago – did a scan, found nothing. However, the anti-malware Maldet scan my server performs is now saying the server is infected due to a gotmls file:

/public_html/wordpress/wp-content/plugins/gotmls/images/index.php: YARA.WebShell_Generic_PHP_5.UNOFFICIAL FOUND
My server tech said:
The scanning application scans based on the major virus signatures that are popular. Having said that, some of the code that's popularly used for backdoor scripts is used for genuine purposes as well. Hence we cannot be absolutely sure if it's malicious or genuine. For that you might need to check the flagged file with a developer to ensure the files are clean and genuine.

Can you answer if this is an infected file??? Surely this must be a mistake.
Help!
Thank you!
Michelle

February 4, 2017 at 9:13 am #1773
My plugin is obviously not malicious and does not contain a WebShell in its original installation source. However, I cannot tell you if this version that was detected by Maldet was modified or if it is a False Positive unless you send me that file so I can check it.
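The question the reply above leaves open (is the flagged file the stock release or a modified copy?) can be settled without emailing it to anyone. The following is an added example, not code from this thread or from the GOTMLS plugin: it hashes the installed plugin tree and compares it against a pristine release zip of the same version, then reports which files are unchanged, modified, added, or missing, and gives a verdict for the flagged path. It assumes you have already downloaded the matching release zip (for a wordpress.org plugin the zip wraps everything in a single top-level directory named after the plugin slug, which the code strips); the zip contents and installed files in the demo are constructed sample data.

```python
# Added example (not part of the forum thread or of the GOTMLS plugin):
# decide whether a scanner-flagged plugin file is the stock release or has
# been altered, by hashing the installed tree against a pristine release zip.
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_from_zip(zip_bytes: bytes, top_dir: str) -> dict:
    """Map 'relative/path' -> sha256 for every file under top_dir/ in the zip.

    The top-level directory (assumed to be the plugin slug, e.g. 'gotmls')
    is stripped so paths line up with the installed tree.
    """
    prefix = top_dir.rstrip("/") + "/"
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            result[info.filename[len(prefix):]] = sha256_bytes(zf.read(info))
    return result


def hashes_from_dir(root) -> dict:
    """Map 'relative/path' -> sha256 for every file under the installed plugin dir."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return result


def compare_trees(installed: dict, reference: dict) -> dict:
    """Classify each installed path against the release: unchanged, modified, added; list missing."""
    report = {"unchanged": [], "modified": [], "added": [], "missing": []}
    for rel, digest in installed.items():
        if rel not in reference:
            report["added"].append(rel)        # the release never shipped this file
        elif reference[rel] != digest:
            report["modified"].append(rel)     # shipped, but content differs
        else:
            report["unchanged"].append(rel)    # byte-identical to the release
    report["missing"] = sorted(set(reference) - set(installed))
    for key in report:
        report[key].sort()
    return report


def classify_flagged_file(report: dict, rel_path: str) -> str:
    """Verdict for the path the scanner flagged, e.g. 'images/index.php'."""
    if rel_path in report["unchanged"]:
        return "stock"      # identical to the release: the rule fires on the plugin's own code
    if rel_path in report["modified"]:
        return "modified"   # differs from the release: diff it and read the added code
    if rel_path in report["added"]:
        return "added"      # not shipped by the plugin at all: treat as suspicious
    return "absent"


def build_demo() -> dict:
    """Constructed sample data (not real plugin content): a release zip in memory
    and an installed tree with one tampered file and one file the release never shipped."""
    release_files = {
        "gotmls/index.php": b"<?php // constructed placeholder\n",
        "gotmls/images/index.php": b"<?php // constructed placeholder\n",
        "gotmls/readme.txt": b"=== Sample plugin ===\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in release_files.items():
            zf.writestr(name, data)
    reference = hashes_from_zip(buf.getvalue(), "gotmls")

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "gotmls"
        (root / "images").mkdir(parents=True)
        (root / "index.php").write_bytes(release_files["gotmls/index.php"])
        (root / "images" / "index.php").write_bytes(release_files["gotmls/images/index.php"])
        (root / "readme.txt").write_bytes(release_files["gotmls/readme.txt"] + b"tampered\n")
        (root / "wp-tmp.php").write_bytes(b"<?php // constructed: file not in the release\n")
        installed = hashes_from_dir(root)

    report = compare_trees(installed, reference)
    report["verdict"] = classify_flagged_file(report, "images/index.php")
    return report


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {value}")
```

A "stock" verdict means the detection is on code the plugin ships as-is, which is the situation the maintainer confirms later in this thread; it does not by itself prove the release is clean, only that nobody changed the file on your server. A "modified" or "added" verdict is the case worth escalating, and the diff against the release shows exactly what was inserted.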
February 4, 2017 at 9:19 am #1774
Thanks for your reply – I figured, and I'm really illiterate when it comes to web infections and viruses – just going off what my server techs said.
I don’t know what a “webshell” is…
How could I send you the file??
Thanks,
Michelle
February 4, 2017 at 9:25 am #1775
No need to reply on a webshell – just googled it.
If these are viruses – if I download to my computer to give to you – will it infect my computer? Not sure best way to get this to you.
Thanks,
Michelle

February 4, 2017 at 1:09 pm #1776
PHP code is safe to download, and you can email it to me directly. If you would rather I handle the file directly on your server you can also just send me your login info and I will look at it in-place.
February 15, 2017 at 10:27 am #1781
First up, I love your plugin. So many headaches saved! Thanks for this!
Now the issue we found: We ran a server scan this morning to verify that our server was clear of Virus/malware.
Our server scan came back with the following.
=======
/home/REDACTED/public_html/wp-content/plugins/gotmls/images/index.php: YARA.WebShell_Generic_PHP_5.UNOFFICIAL FOUND
/home/REDACTED/public_html/wp-content/plugins/gotmls/images/index.php: YARA.WebShell_Generic_PHP_5.UNOFFICIAL FOUND
/home/REDACTED/public_html/wp-content/plugins/gotmls/images/index.php: YARA.WebShell_Generic_PHP_5.UNOFFICIAL FOUND
/home/REDACTED/public_html/wp-content/plugins/gotmls/images/index.php: YARA.WebShell_Generic_PHP_5.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5829644
Engine version: 0.99.2
Scanned directories: 31118
Scanned files: 281585
Infected files: 4
Data scanned: 9016.72 MB
Data read: 32227.27 MB (ratio 0.28:1)
Time: 1209.127 sec (20 m 9 s)
=======
I looked through the PHP files but I didn’t see anything suspicious such as encoded or weird looking code.
I suspect it is a false positive but I reckoned I would just check in here to be certain.
Let me know if you would like me to send you a copy of the PHP file.
February 15, 2017 at 4:26 pm #1782
Yes, this is a False Positive, thanks for reporting this to me. I have notified Florian Roth (the developer who published that YARA Definition), but I am not confident that he can do much about it as it is open source and in distribution for over a year. Plus it may have been forked and redistributed by other developers, so I will be changing my code so that it will not match this definition any more.
February 17, 2017 at 9:05 am #1783
I got a reply from Florian Roth. He says that he has fixed his YARA definitions, but I still see the old definitions published on other sites. Where do you get your YARA definition updates?
February 17, 2017 at 9:44 am #1784
I have a managed server. I will ask them and see if they know where they get the definitions from right away.
February 18, 2017 at 4:27 pm #1785
Our server techs say the following:
We are using clamscan for scanning for malware on servers. This clamscan script is configured with virus signatures from maldet also. The file "plugins/gotmls/images/index.php" seems to be a false positive.
February 20, 2017 at 9:59 am #1786
I use clamscan and maldet too, but I've never had it flag my plugin before. Your host must be using customized YARA Definitions that include the patterns written by Florian Roth. There is no telling how long it might take for his updates to reach the distribution branch that your host is using, so I have modified the relevant code in the latest release of my plugin so that it no longer matches this pattern.
February 20, 2017 at 10:04 am #1787
Thanks for your work on this. I'm not super concerned at this stage.
I can live with a false positive and carry on with site development knowing that we aren’t chasing around real hacks.
Thanks again for the great plugin!