Hi @afuentest,
Thank you for the information. But don’t worry about it. siteguarding.com may detect a false positive. Let me explain the technical detail.
In 3.0.14, “an emergency login link” was added. This feature should be “cryptographically secure”, which is done by random_bytes(), but it needs PHP 7+.
So for downward compatibility, this plugin includes paragonie/random_compat, which supports random_bytes() under PHP 5.x, and this library includes mcrypt_create_iv(), which is not supported on PHP 7.2+.
Furthermore, PHP Compatibility Checker reports a warning for the usage of “mcrypt_create_iv()”, which is a false positive in this case because it is never used on PHP 7+.
So I modified some code in “/wp-content/plugins/ip-geo-block/includes/random_compat/random_bytes_mcrypt.php” like the following:
Original:
/** @var string|bool $buf */
$buf = @mcrypt_create_iv((int) $bytes, (int) MCRYPT_DEV_URANDOM);
Modified:
/** @var string|bool $buf */ /* MCRYPT_DEV_RANDOM:0, MCRYPT_DEV_URANDOM:1 */
$fnc = implode('_', array('mcrypt', 'create', 'iv'));
$buf = @$fnc((int) $bytes, (int) 1 /*MCRYPT_DEV_URANDOM*/);
I think that’s why siteguarding.com reported this type of code as “php.var.function”. But this is definitely safe and not malware.
P.S. WordPress 4.4+ also includes “random_compat” and “mcrypt_create_iv()”.
OK, I’ll find a smarter solution for this issue in a future version.
Thanks for the heads-up!
This reply was modified 6 years, 3 months ago by tokkonopapa.
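The reply above describes a fallback chain: random_bytes() on PHP 7+, with the mcrypt path only reachable on older interpreters. The following is an added example, not code from the plugin or from paragonie/random_compat, showing how such a chain can be feature-detected at runtime and made to fail closed rather than degrade to a predictable source. The function names ipgb_example_random_bytes and ipgb_example_login_token are hypothetical.

```php
<?php
// Added example (not the plugin's or random_compat's code): a compatibility
// wrapper that feature-detects random_bytes() and only reaches the legacy
// mcrypt path on interpreters that actually provide it. Function names are
// hypothetical.

/**
 * Return $length cryptographically secure random bytes, or throw.
 */
function ipgb_example_random_bytes($length)
{
    $length = (int) $length;
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer');
    }

    // PHP 7.0+: the native CSPRNG. This branch is taken on every modern
    // install, so the fallbacks below are never executed there.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // PHP 5.x with OpenSSL: require the "strong" flag, otherwise fall through.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $buf = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && is_string($buf) && strlen($buf) === $length) {
            return $buf;
        }
    }

    // PHP 5.x with the mcrypt extension (removed from core in PHP 7.2). The
    // function name is resolved at runtime only inside this guarded branch,
    // and the value of MCRYPT_DEV_URANDOM (1) is passed literally so no
    // undefined constant is referenced when the extension is absent.
    if (function_exists('mcrypt_create_iv')) {
        $fn  = 'mcrypt_create_iv';
        $buf = @$fn($length, 1 /* MCRYPT_DEV_URANDOM */);
        if (is_string($buf) && strlen($buf) === $length) {
            return $buf;
        }
    }

    // Never silently degrade to mt_rand()/uniqid(): an emergency login link
    // built from a predictable source would be guessable.
    throw new RuntimeException('No cryptographically secure random source available');
}

/**
 * Build a URL-safe token for an emergency login link.
 * 32 bytes gives 256 bits of entropy; hex encoding keeps it URL-safe.
 */
function ipgb_example_login_token()
{
    return bin2hex(ipgb_example_random_bytes(32));
}

// Constructed usage: prints a 64-character hex token.
echo ipgb_example_login_token(), PHP_EOL;
```

The design point is that every legacy branch is guarded by function_exists() and validates the returned length, and that the last resort is an exception rather than a weaker generator; a scanner that flags the dynamic call on the mcrypt line is seeing the same pattern the reply describes, not code that runs on PHP 7+.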