Hi,
The plugin code is open source.
Anyone can check what it does and there’s definitely no malware.
Furthermore, plugins are screened and previewed by the WordPress team, precisely to avoid malware or other security issues.
What functions-serverinfo.php does is get information for the “Server Info” tab on the plugin settings page. Obviously, it needs to run normal PHP code to access server system information, such as how many CPU cores or how much memory exists, as well as to get the IP and other information.
You can see what information is pulled by either looking at the source code or going to the Server Info tab, once the plugin is installed.
I love Sucuri and they generally do a good job detecting malware, but they also cause a lot of false positives and in some cases, they also fail to detect malware.
Now, because this server info page is specifically to show you information about the server, Sucuri might think that it’s malware.
What happens here is that a lot of malware makes use of the same “type of code” to get information about the system, and since Sucuri cannot know all code in the world, it triggers a heuristic alert, where “if similar code exists” it “could” be malware.
Probably, what they are talking about is this piece of code:
$process = @popen('sysctl -a', 'rb');
The popen command tries to get how many CPU cores your server has, and it works like a shell script (hence the analysis calls it system_shell).
On any shared hosting, or if your server is properly configured for security, commands such as these, that try to run shell commands, are usually blocked anyway.
The command exists in the code as a fallback.
If the information cannot be obtained any other way, it will try to get it this way.
And no, there’s nothing wrong with it; it’s just a normal function that exists in PHP, but which of course is commonly used by malware also.
Nevertheless, just because a function is also used by hackers, it doesn’t mean it cannot be used for legitimate purposes.
Feel free to hire a developer to review my code, if you don’t believe me.
I’m marking this as solved, as I know this is a false positive.
Thanks for bringing this to my attention though.
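As an added illustration of the fallback pattern discussed above (this is example code, not the plugin's own source, and the function names are hypothetical), the snippet below reads the core count from /proc/cpuinfo where it can, and only reaches for popen('sysctl -a') when the host has not disabled shell functions, which is exactly the case on the hardened or shared hosts the reply mentions.

```php
<?php
// Added example, not taken from functions-serverinfo.php.
// Goal: obtain the CPU core count with the least-privileged source first,
// and treat a blocked popen() as "unknown" rather than an error.

function shell_functions_blocked(): bool {
    // Hardened hosts list popen/exec/... in php.ini disable_functions;
    // function_exists() also reports false for a disabled function.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array('popen', $disabled, true) || !function_exists('popen');
}

function cpu_cores_from_procfs(): ?int {
    // Linux: a readable pseudo-file, no shell involved.
    if (!is_readable('/proc/cpuinfo')) {
        return null;
    }
    $count = preg_match_all('/^processor\s*:/m', (string) file_get_contents('/proc/cpuinfo'));
    return $count > 0 ? $count : null;
}

function cpu_cores_from_sysctl(): ?int {
    // BSD/macOS fallback. The command string is fixed, never built from input.
    if (shell_functions_blocked()) {
        return null;
    }
    $process = @popen('sysctl -a', 'r');
    if ($process === false) {
        return null;
    }
    $output = stream_get_contents($process);
    pclose($process);
    // sysctl -a prints lines such as "hw.ncpu: 8" on BSD-derived systems.
    if (preg_match('/^hw\.ncpu[:=]\s*(\d+)/m', (string) $output, $m)) {
        return (int) $m[1];
    }
    return null;
}

function server_cpu_cores(): ?int {
    // Prefer the non-shell source; fall back to the shell only when allowed.
    return cpu_cores_from_procfs() ?? cpu_cores_from_sysctl();
}

echo 'CPU cores: ', server_cpu_cores() ?? 'unavailable (no readable source or shell functions disabled)', PHP_EOL;
```

Because the popen() call is guarded by the disable_functions check, the same file runs cleanly on a host where shell functions are blocked, and a scanner reviewing it still sees only a constant command string with no user input.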