• Resolved marici

    (@marici)


    My client is using Sucuri for their website security and received an alert today that there might be malware — a backdoor, specifically — in filepath wp-content/plugins/fast-velocity-minify/inc/functions-serverinfo.php. The only other information provided by Sucuri is a “definition” which states “php.backdoor.system_shell.005”.

    They haven’t come back to me with any further info at this stage. Is anyone aware of any issues?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Raul P.

    (@alignak)

    Hi,

    The plugin code is open source.
    Anyone can check what it does and there’s definitely no malware.

    Furthermore, plugins are screened and previewed by the WordPress team, precisely to avoid malware or other security issues.

    What functions-serverinfo.php does is get information for the “Server Info” tab on the plugin settings page. Obviously, it needs to run normal PHP code to access server system information, such as how many CPU cores or how much memory exists, as well as to get the IP and other information.

    You can see what information is pulled by either looking at the source code or going to the Server Info tab, once the plugin is installed.

    I love Sucuri and they generally do a good job detecting malware, but they also cause a lot of false positives and in some cases, they also fail to detect malware.

    Now, because this server info page is specifically to show you information about the server, Sucuri might think that it’s malware.

    What happens here is that a lot of malware makes use of the same “type of code” to get information about the system, and since Sucuri cannot know all code in the world, it triggers a heuristic alert, where “if similar code exists” it “could” be malware.

    Probably, what they are talking about is this piece of code:

    $process = @popen('sysctl -a', 'rb');

    The popen command tries to get how many CPU cores your server has, and it works like a shell script (hence the analysis calls it system_shell).

    On any shared hosting, or if your server is properly configured for security, commands such as these, which try to run shell commands, are usually blocked anyway.

    The command exists in the code as a fallback.
    If the information cannot be obtained any other way, it will try to get it this way.
    And no, there’s nothing wrong with it; it’s just a normal function that exists in PHP, but which of course is commonly used by malware too.

    Nevertheless, just because a function is also used by hackers, it doesn’t mean it cannot be used for legitimate purposes.

    Feel free to hire a developer to review my code, if you don’t believe me.
    I’m marking this as solved, as I know this is a false positive.

    Thanks for bringing this to my attention though.
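The pattern the author describes above (read system information from safe sources first, and only fall back to spawning a shell command when the host allows it) as an added example. This is illustrative code written for this thread, not the plugin's own functions-serverinfo.php; the function names `shell_fn_available`, `cpu_core_count` and `shell_surface` are assumptions, and the `/proc/cpuinfo` read and the `nproc`/`sysctl -n hw.ncpu` commands are the author's choices for this example, not the plugin's.

```php
<?php
// Added example, not code from the Fast Velocity Minify plugin.
// Shows the "safe source first, shell only as a fallback" pattern and the
// disable_functions check that explains why popen() is usually a no-op on
// shared hosting. Function names in this file are illustrative assumptions.

/**
 * True when $name is callable in this PHP runtime: the function exists and
 * is not listed in php.ini's disable_functions.
 */
function shell_fn_available(string $name): bool
{
    if (!function_exists($name)) {
        return false;
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !in_array($name, $disabled, true);
}

/**
 * Number of logical CPU cores, or null if it cannot be determined.
 * Attempt order:
 *   1. /proc/cpuinfo  (Linux; a plain file read, no subprocess at all)
 *   2. popen()        (only if the host has not disabled it)
 */
function cpu_core_count(): ?int
{
    // 1. Plain file read: no process is spawned, so nothing here matches a
    //    "system_shell" signature.
    if (is_readable('/proc/cpuinfo')) {
        $cpuinfo = file_get_contents('/proc/cpuinfo');
        if ($cpuinfo !== false) {
            $n = preg_match_all('/^processor\s*:/m', $cpuinfo);
            if ($n > 0) {
                return $n;
            }
        }
    }

    // 2. Fallback: spawn a fixed command. The command string is a literal
    //    chosen in this file; no request data or option value is ever
    //    concatenated into it, so there is nothing for an attacker to inject.
    if (!shell_fn_available('popen')) {
        return null; // typical on hardened or shared hosting: give up quietly
    }
    $cmd = (PHP_OS_FAMILY === 'Darwin' || PHP_OS_FAMILY === 'BSD')
        ? 'sysctl -n hw.ncpu'
        : 'nproc';
    $proc = @popen($cmd . ' 2>/dev/null', 'r');
    if ($proc === false) {
        return null;
    }
    $out = trim((string) fgets($proc));
    pclose($proc);
    return ctype_digit($out) ? (int) $out : null;
}

/**
 * Which process-spawning functions the host allows. Useful when triaging a
 * scanner alert like the one in this thread: if every entry is false, the
 * flagged popen() line can never execute on that server.
 */
function shell_surface(): array
{
    $fns = ['popen', 'proc_open', 'exec', 'shell_exec', 'system', 'passthru'];
    $result = [];
    foreach ($fns as $fn) {
        $result[$fn] = shell_fn_available($fn);
    }
    return $result;
}

if (PHP_SAPI === 'cli') {
    var_dump(cpu_core_count());
    print_r(shell_surface());
}
```

Running this with `php example.php` on the affected host shows two things at once: whether the safe path already answers the question (so the shell fallback is dead code in practice) and whether the host's `disable_functions` blocks `popen` and its relatives. When reviewing a flagged file, the security-relevant check is the second comment in `cpu_core_count`: the command passed to `popen` must be a constant, never built from request parameters, option values or file contents.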

    Thread Starter marici

    (@marici)

    Hi Raul,

    Many thanks for your prompt response. I will relay this information to Sucuri and reassure my client about your excellent plugin, which I have used many times before and never had a problem with.

    Thank you for everything. All the best.

  • The topic ‘Malware alert’ is closed to new replies.