Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Eli

    (@scheeeli)

    The file you posted is not corrupt. The indexinfect.txt file is an exact match for the direct repository download. Are you sure that this text file is an exact copy of the files scanned?

    Can you please tell me what software you were using on your server to scan these files?

    Did it provide any other details about the corruption?

    Thread Starter annakoutli

    (@annakoutli)

    I do not know which software they used. The exact email they sent is this:

    ——

    During the requested scan, we found some suspicious files.
    You can find a list of infected files in your home directory:
    /usr/home/webfox/infected_files.txt

    Please inspect your account thoroughly and clean or delete malicious files.
    When you are done, update the installed software in your account to the newest version, and change ALL of your website’s login credentials.

    ——-

    The file they sent for the corrupted files is

    https://gatosseeds.gr/infect/infected_files.txt

    —–

    In all the websites where I use your plugin, it says it is corrupted, and the files are the ones that I have already shown

    https://gatosseeds.gr/infect/indexinfect.txt

    —–

    Do you want me to ask them which software they used for the scan? The hosting company is https://www.hetzner.com/

    Plugin Author Eli

    (@scheeeli)

    It would actually be great if you could ask them what scanner they are using that is telling them that my plugin is infected or malicious, because the file you posted here is neither. If my plugin is coming up as a False Positive in their software then I need to know what software that is and get that corrected so they stop slandering my good plugin.

    You can also make them aware of this mistake and ask them to contact me directly to help get this resolved more quickly. My direct email is:

    eli AT gotmls DOT net

    Thread Starter annakoutli

    (@annakoutli)

    Hello,

    The answer I got is

    —-

    We’re using ClamAV with public signatures, the authors of the matched signatures are also credited in the file.

    —–

    May I cc you to the conversation with the support of the server?

    Plugin Author Eli

    (@scheeeli)

    Thanks but I got in touch with them directly and they finally gave me the details I needed to get to the bottom of this. They are using the Yara scanner with signatures from this github account:

    https://github.com/Neo23x0/signature-base

    These signatures contain a very vague regex pattern that will match a lot of False Positives. So, I have reported this False Positive issue here but have not gotten a response yet:

    https://github.com/Neo23x0/signature-base/issues/317

    You can rest assured that this is in fact a False Positive, and there is no real threat in those files. I will let you know when I have a response or any solution to this issue.

    Plugin Author Eli

    (@scheeeli)

    Just following up here…

    Since the last response to my issue reported at https://github.com/Neo23x0/signature-base/issues/317 was that this should be a matter of how your hosting provider was using their signatures, and the Yara scanner developers are not taking responsibility for this False Positive, I have simply removed or changed all the code in my plugin that they were detecting so that it will not be a problem anymore.

    Please let me know if you still have any issues with your hosting provider flagging any files in my plugin.
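
The check from the first reply in this thread (comparing a flagged file against the direct repository download) can be run over a whole scanner report. The script below is an added example, not code from the plugin, the scanner or any participant; it assumes the report holds one absolute path per line, and the function names, directory layout and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(report_text: str, installed_dir: Path, pristine_dir: Path) -> dict:
    """Map each flagged path to identical/modified/not_upstream/missing/outside_plugin."""
    verdicts = {}
    for line in report_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            rel = Path(entry).relative_to(installed_dir)
        except ValueError:
            rel = None
        if rel is None or ".." in rel.parts:
            verdicts[entry] = "outside_plugin"  # not this plugin: triage separately
            continue
        installed, pristine = installed_dir / rel, pristine_dir / rel
        if not installed.is_file():
            verdicts[entry] = "missing"        # listed in the report, absent on disk
        elif not pristine.is_file():
            verdicts[entry] = "not_upstream"   # the release never shipped it: inspect
        elif sha256_of(installed) == sha256_of(pristine):
            verdicts[entry] = "identical"      # same bytes as the release copy
        else:
            verdicts[entry] = "modified"       # differs from the release: inspect
    return verdicts


def demo() -> dict:
    """Constructed sample: fake plugin tree, fake pristine copy, fake report."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site/plugin"), Path(tmp, "clean/plugin")
        for d in (site, clean):
            d.mkdir(parents=True)
        (clean / "index.php").write_text("<?php // release code\n")
        (site / "index.php").write_text("<?php // release code\n")
        (clean / "scan.php").write_text("<?php // release code\n")
        (site / "scan.php").write_text("<?php // release code\n// appended\n")
        (site / "extra.php").write_text("<?php // not in release\n")
        flagged = (site / "index.php", site / "scan.php",
                   site / "extra.php", Path(tmp, "other/x.php"))
        report = "\n".join(str(p) for p in flagged)
        return {Path(k).name: v for k, v in triage(report, site, clean).items()}


if __name__ == "__main__":
    print(demo())
```

An `identical` verdict only shows that the file on the server was not altered after installation; whether the release code itself deserves the signature match is the separate question this thread took up with the signature maintainers.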
