Plugin shows up as Malware when screening site

  • This is a great idea for a plugin but my experience with it has been negative. After google identified one my websites as malicious, I restored an old backup and screened the site for malware. I found nothing, but to be sure that none of my plugins were vulnerable I installed Plugin Vulnerabilities. It identified the plugin “Newsletter” as a security threat. I deleted this plugin and my hosting company tested my site again.
    My hosting provider identified the following files as malicious:

    'wp-content/plugins/plugin-vulnerabilities/vulnerabilities/c.php'
# Known exploit = [Fingerprint Match] [Hacker Signature Exploit [P0818]]
'wp-content/plugins/plugin-vulnerabilities/vulnerabilities/w.php'
# Known exploit = [Fingerprint Match] [Hacker Signature Exploit [P0818]]
'wp-content/plugins/plugin-vulnerabilities/vulnerabilities/e.php'
# Regular expression match = [1337day\.com]
'wp-content/plugins/plugin-vulnerabilities/vulnerabilities/r.php'
# Regular expression match = [1337day\.com]

    I disinstalled this plugin immediately.

Viewing 2 replies - 1 through 2 (of 2 total)

  • I do believe that is simply the list of vulnerabilities used to check against your installed plugins — not the vulnerabilities themselves. Take a look at this plugin’s changelog and its files. The changelog indicates each time new vulnerabilities are added to the list. The plugin’s files are named /vulnerabilities/c etc. as you have listed above — I think because the plugin organizes the vulnerabilities alphabetically.

    aegisdesign

    (@aegisdesign)

    Julie is correct and it’s a pity you’ve uninstalled this plugin textweaver as it’s doing a fine job.

    That report from your hosting company is from a tool called cxs from ConfigServer.com which is falsely identifying the signatures of the vulnerabilities that this plugin detects as the vulnerabilities themselves.

    Either, your host should add /vulnerabilities/ into their cxs.ignore file so that it’s not falsely reported OR the plugin developer needs to store the signatures in another way – encrypted? archived? – that doesn’t trigger false positives in any server vulnerability scans that hosting companies do.

    cxs is a very common tool for cPanel based hosting companies to identify exploits as their happening – usually because someone hasn’t kept their WordPress install up to date.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin shows up as Malware when screening site’ is closed to new replies.