file getting flagged as “Detected unknown file in core directory” by Quttera

  • Resolved edwardsmark

    (@edwardsmark)


    4 years, 1 month ago

    hello – this file is being flagged by quttera:

    Severity: enSuspiciousThreatType
    File: wp-admin/wpmu-sitewide-plugins.php
    File signature: 831a35b9abf0da09d228eff066f71f81
    Threat signature: 831a35b9abf0da09d228eff066f71f81
    Threat name: Heur.AlienFile.gen
    Threat: Unknown file in core
    Details: Detected unknown file in core directory

    i uploaded it on virustotal.com and it looks fine. is there a way i can determine
    why its being flagged and if this is something i need to be concerned about?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author quttera

    (@quttera)

    During the scan, our plugin download hashes of WP core files from api.www.remarpro.com and compares all files in WP core directories against the downloaded checksums.

    If a file locates in WP core directory but its MD5 value could not be found among the downloaded hashes, the plugin will report such a file as “Heur.AlienFile.gen”

    Can you please share which WP version are you on your web site?

    Thread Starter edwardsmark

    (@edwardsmark)

    wp Version 5.6.1
    quttera Version 3.3.4.44

    and quttera is TOTALLY AWESOME, by the way.

    i also see:

    Severity: enSuspiciousThreatType
    File: wp-includes/SimplePie/Canonical.php-VIRUS-SUSPECTED
    File signature: 890172309bb500537494623fb5f27672
    Threat signature: 890172309bb500537494623fb5f27672
    Threat name: Heur.AlienFile.gen
    Threat: Unknown file in core
    Details: Detected unknown file in core directory

    Severity: enSuspiciousThreatType
    File: wp-content/themes/twentytwentyone/postcss.config.js
    File signature: 2b2f94298693f9221149c12b83dc8a3c
    Threat signature: 2b2f94298693f9221149c12b83dc8a3c
    Threat name: Heur.CoreFile.gen
    Threat: Modified core file..
    Details: Detected modified core file

    • This reply was modified 4 years, 1 month ago by edwardsmark.
    Plugin Author quttera

    (@quttera)

    Thank you,

    I just downloaded sources of WP 5.6.1 from www.remarpro.com and cannot locate wp-admin/wpmu-sitewide-plugins.php in the downloaded archive.

    Can you please send to support[at]quttera.com the following files for investigation

    wp-admin/wpmu-sitewide-plugins.php
    wp-includes/SimplePie/Canonical.php-VIRUS-SUSPECTED

    We will investigate them and update you.

    Thread Starter edwardsmark

    (@edwardsmark)

    done – THANK YOU!

    Thread Starter edwardsmark

    (@edwardsmark)

    this is also a great utility from what i can see: https://www.virustotal.com/

    any opinions?

    Plugin Author quttera

    (@quttera)

    The canonical.php is a malware shell/backdoor script allowing full access and modification of files on the website.

    wpmu-sitewide-plugins.php allows website plugins manipulation directly without access to the WP admin dashboard.
    I would suggest quarantining this file (rename it to something else) and check which exact functionality it will break.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘file getting flagged as “Detected unknown file in core directory” by Quttera’ is closed to new replies.