These aren’t threats. They are very loose signatures from Quttera that are flagging things as a result. For example this message:
Severity: enSuspiciousThreatType
File: wp-content/plugins/wordfence/js/admin.1564590761.js
File signature: 3bbca5bc0645c5ff8e9b9803765d311c
Threat signature: 156bcff48f5f3b00e26cabad8e4d8b51
Threat name: Heur.PHP.Encoded.gen
Threat: \x00\x00\x00\x00\x00
Details: Generic suspicious HEX encoder
Here’s the actual code that it is warning about.
//Both to 16-byte binary strings
var binStart = ("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff" + ip1).slice(-16);
var binEnd = ("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff" + ip2).slice(-16);
Each of your examples (including this one) flagged for \x00 are dealing with IP addresses. Since we support both IPv4 and IPv6, IPv4 needs to be represented as “IPv4-mapped IPv6”, which has a prefix of a bunch of 00 bytes, two ff bytes, and then the four bytes of the IPv4 address. The example above with binStart and binEnd deals with the IPs for advanced blocking ranges.
Quttera also warns about the diagnostics page to retrieve a PHP info page:
Severity: enSuspiciousThreatType
File: wp-content/plugins/wordfence/lib/menu_tools_diagnostic.php
File signature: 37b1fc3cd5838015a0ca9f390a014b07
Threat signature: a3a97306a17681f7d765db612a6cb2b2
Threat name: Heur.PHP.Dropper.gen
Threat: <?php phpinfo();
Details: Generic PHP information dropper
That’s not something I would generally find suspicious by itself.
At any rate, we looked at all of these just to make absolutely sure and none of them are malicious. They are the result of some fairly loosely written scan signatures on Quttera’s side.
Tim
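The IPv4-mapped IPv6 representation described in the reply above, as an added example that is not part of the original post and is not Wordfence's code. The helper names (`packIPv4`, `packIPv6`, `to16`, `inRange`, `toHex`) are hypothetical; it shows why a run of `\x00` bytes appears in benign range-matching code.

```javascript
// Added example: helper names are hypothetical, not Wordfence's own code.
const V4_MAPPED_PREFIX = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff";

// Pack a dotted-quad IPv4 address into a 4-character binary string.
function packIPv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet: " + p);
    return String.fromCharCode(Number(p));
  }).join("");
}

// Pack an IPv6 address (one optional "::") into a 16-character binary string.
function packIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("bad IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) {
    throw new Error("bad IPv6 address: " + ip);
  }
  return head.concat(new Array(missing).fill("0"), tail).map((g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error("bad group: " + g);
    const n = parseInt(g, 16);
    return String.fromCharCode(n >> 8, n & 0xff);
  }).join("");
}

// Same idiom as the flagged code: prepend the mapped prefix, keep the last 16.
// A 4-byte IPv4 keeps the prefix; a 16-byte IPv6 pushes it out entirely.
function to16(ip) {
  const packed = ip.includes(":") ? packIPv6(ip) : packIPv4(ip);
  return (V4_MAPPED_PREFIX + packed).slice(-16);
}

// Equal-length binary strings compare in byte order, so a range check is
// two string comparisons.
function inRange(ip, start, end) {
  const b = to16(ip);
  return to16(start) <= b && b <= to16(end);
}

// Hex dump for inspection.
const toHex = (s) => Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

console.log(toHex(to16("192.168.1.1")));
console.log(inRange("10.0.0.5", "10.0.0.0", "10.0.0.255"));
```

Every IPv4 address packed this way starts with ten zero bytes, so a signature that matches on `\x00\x00\x00\x00\x00` alone will fire on any code that embeds the prefix.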