[Plugin: Exploit Scanner] 0.97.6 plugin says "hashes-3.1.php missing"

A new release for WordPress 3.1 will be coming shortly. Just waiting to see if I could track down and fix a bug others have been experiencing.

Jon,

Thanks for your speedy reply! I look forward to the new version of your plugin. Thanks for all your hard work!

Fred

Jon,

I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

Instead of hundreds of messages, I now get only dozens. There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal? I have a lot of security plugins installed and the site seems to be running normally. Should I just use this as a baseline indicator to identify possible future attacks?

Thanks again,

Fred

I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

No problem, and thanks ?? I try to get hash updates out within hours of a WordPress release but just delayed a bit this time for other reasons.

There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal?

It depends on your choice of plugins — I assume some of the other plugins you are running are being flagged. I don’t have anything like that picked up on my installs except for testing the scanner.

All matches have to be interpreted in context. Those functions can be used for non-malicious purposes (otherwise they wouldn’t be provided by PHP!), but they are very common in malicious code which is why the plugin searches for them. If you have the understanding to look through at the plugin code (something I would do for any plugin I install) to see how these functions are used then it’s safe to ignore that output and use it as a baseline. If you’re seeing matches in modified core files or in previously unheard of locations (maybe hidden away in an innocuous file name in wp-includes) then you should be more worried.

Jon,

Thanks for your in-depth reply. Most of the severe messages are from plugins which I recently installed. Only two severe messages are from WordPress core files:

wp-includes/class-ixr.php:249
$value = base64_decode( trim( $this->_currentTagContents ) );

php.ini:982
; error_reporting(0) around the eval().

Is the first one cause for concern? The second one is just a comment, so I don’t know why it’s been flagged.

Thanks,

Fred

Is the first one cause for concern?

Possibly yes. The scanner only looks in core files if they have been modified. However, I notice that you’re seeing class-ixr.php whereas that file is called class-IXR.php in 3.1 and the line that got highlighted was changed between 3.0 and 3.1 to remove the trim. So looks like something weird has happened there, although that line is fine.

The second one is just a comment, so I don’t know why it’s been flagged.

The scanner doesn’t make any distinction between file type, comments, etc. And php.ini isn’t a core WordPress file.

Jon,

Thanks for explaining this. I didn’t notice that I had an old version of class-ixr.php. I deleted it and reduced my severe messages by one. ??

What do you think of the idea of allowing users to define their own baseline. In other words, would it be feasible and worthwhile to let users tell the scanner to ignore a particular error in future scans? That way, if something truly malicious does occur, it won’t be buried under a pile of messages which are not cause for concern. I think a feature like that would make the scanner much more valuable.

Fred

I just got the missing-hashes-file message running Exploit Scanner 1.0.1 with WordPress 3.1.2.

Is this also just a case of the plugin needing an update?

Jill Williams

Hi, I just got the same message, too, about 3.1.2

Thanks!

Done, sorry for the delay. Update notifications should be visible in dashboards soon.

No problem; thank you!

Just downloaded the development version and can’t see the 3.2x hashes..

@sokratesagogo: me neither.. any info when will that be available?