Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi Fabian,

    We generate a hit on various obfuscation techniques because they are used more often by malicious code than folks like you. The sample above was added in the last release because we’re seeing that exact technique used by a new malware.

    Can you tell me which plugin and/or source file is causing this?

    Thanks.

    Fabian, is this method really beneficial to you considering that PHP files can easily be decoded? (There are online decoders.)

    I’m glad someone else is running into this; it’s been making me a little crazy. I manage two sites that use wp-filebase pro and I just recently started getting these critical warnings. Tried rolling the plugin back to an earlier version from a month-old backup, and I’m still getting the `${"\x47\x4c\x4fBA\x4cS"}[` warnings, which I wasn’t getting before.

    Thread Starter Fabian

    (@fabifott)

    Wordfence, the obfuscator I’m using stores some names of local variables in the `${"GLOBALS"}` array. The plugin is WP-Filebase Pro (plugin slug wp-filebase-pro).

    romtek, maybe I’m paranoid, but I see so many nulled premium plugins out there. As a programmer, it’s one’s right to protect critical code, even if everything is crackable.

    jamkddr

    (@jamkddr)

    Just a question. Was this ever resolved?

    Fabian, it is one’s right to protect critical code but to what extent. I think that for plugins it would be better if the code was seen because using code obfuscation might make people feel that there is something to hide.

    I have seen what looks like this type of code from hackers. Either this type of code or a base64_decode which hides what the code is doing. Unless your methodology is completely unique to PHP programming, hiding the code seems more suspicious than being protective.

    I think that anyone that is purchasing a plugin would like to know what it is doing before installing it into their WordPress. So if it was me, I would use regular expressions rather than hide code. It would make it seem more trustworthy to people that don’t write code for a living, especially since we are talking about WordPress, which is open source.

    And to the people at Wordfence, isn’t there a way to determine if obfuscated code is malicious? I know that it is just looking at the code and, based on recent techniques that hackers use, determining that this could be malicious code. I wonder if there is a way to decode it and determine if it is indeed malicious code. Maybe not in the free plugin but in the Pro one, to reduce false positives?

    Just some of my opinions on the subject.

    Plugin Author WFMattR

    (@wfmattr)

    @jamkddr: This pattern is still treated as potentially malicious, since it is used in many malware files. Some malicious files change each time they are deployed, so there are thousands of variations of the bad files. We are always improving the scans, so it may be possible to decrease false positives for this type of code in the future though. Thank you for your input on the subject!

    -Matt R
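The two Wordfence replies above describe signature hits on hex-escaped `${"\x47\x4c\x4fBA\x4cS"}` (i.e. `$GLOBALS` spelled with string escapes) and note that malware mutates the escapes from deployment to deployment. The following is an added example, written for this page and not Wordfence’s own scanner or signature set, that shows the normalisation a triage script can do: undo PHP’s `\xHH`, `\NNN` and `\u{}` escapes inside `${"..."}` so that every variant of the same identifier collapses to one string, and flag inline `base64_decode`/`eval` chains of the kind jamkddr found outside the site root. The length threshold, the two sample files and the payload strings are constructed for the example.

```python
import base64
import re

# PHP double-quoted string escapes that obfuscators use to hide identifiers:
# \xHH (hex), \NNN (octal) and \u{HHHH} (PHP 7+).
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\u\{([0-9A-Fa-f]+)\}')

# ${"..."} is a variable-variable: ${"GLOBALS"} resolves to $GLOBALS.
# Only double-quoted literals process \x escapes, so that is the form matched.
_VARVAR = re.compile(r'\$\{\s*"((?:\\.|[^"\\])*)"\s*\}')

# base64_decode() with a long inline literal argument. The 16-char minimum
# is an assumed heuristic to skip short benign literals; tune it for your site.
_INLINE_B64 = re.compile(r'\bbase64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]{16,})[\'"]\s*\)')

# eval() fed directly by a decoder function: the classic dropper shape.
_EVAL_DECODER = re.compile(
    r'\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(')


def unescape_php(literal: str) -> str:
    """Resolve \\x, octal and \\u{} escapes the way PHP does in "..." strings."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return chr(int(m.group(3), 16))
    return _ESCAPE.sub(one, literal)


def scan_php(source: str) -> list:
    """Return one finding dict per suspicious construct in a PHP source string."""
    findings = []
    for m in _VARVAR.finditer(source):
        raw, decoded = m.group(1), unescape_php(m.group(1))
        if decoded != raw:  # escapes were used where a plain name would do
            findings.append({"kind": "escaped-varvar", "decoded": decoded,
                             "offset": m.start(), "snippet": m.group(0)})
    for m in _INLINE_B64.finditer(source):
        try:  # show what the literal hides; bad base64 is still reported
            payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:
            payload = None
        findings.append({"kind": "inline-decoder", "function": "base64_decode",
                         "offset": m.start(),
                         "payload_preview": payload[:60] if payload else None})
    for m in _EVAL_DECODER.finditer(source):
        findings.append({"kind": "eval-decoder", "offset": m.start(),
                         "snippet": m.group(0)})
    return findings


# Constructed samples for this example; not taken from any real plugin or malware.
SAMPLE_OBFUSCATED = r'''<?php
${"\x47\x4c\x4fBA\x4cS"}["k"] = "cmd";
${"\107\114\117\102\101\114\123"}["y"] = "out";
eval(base64_decode("ZWNobyAnaGVsbG8nOw=="));
'''

SAMPLE_CLEAN = r'''<?php
$GLOBALS["config"] = array("debug" => false);
echo base64_decode("aGVsbG8=");
'''

if __name__ == "__main__":
    for name, src in (("obfuscated", SAMPLE_OBFUSCATED), ("clean", SAMPLE_CLEAN)):
        print(name)
        for f in scan_php(src):
            print("  ", f)
```

Run it against a directory with `scan_php(open(path, encoding="latin-1").read())` per file; because the hex and octal spellings both decode to `GLOBALS`, one rule catches every escape variant of the construct, which is the property a signature on the raw bytes lacks. A hit is still only a lead: a commercial obfuscator like the one in this thread produces the same construct, so read the decoded payload before deleting anything.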

    jamkddr

    (@jamkddr)

    @wfmattr: It was the Wordfence plugin that helped me in catching the infected files so I trust the scans of the plugin. Now if there was a way to find what is causing it, that would be even more amazing.

    I know that the infection is somewhere that might be outside the domain level. It is closer to the root level in which the Wordfence plugin doesn’t/can’t scan.

    I was finally able to track down some of it in the root directory but just find it weird that it would be there in the first place. But with the plugin in place it at least gives me a heads-up if any WordPress files are modified. And when the scan completes, at least I have a list of what to check. That is how I was able to find the base64_decode in files that were outside of our WordPress site.

    I would recommend this plugin to anyone looking to secure their WordPress site.

    Plugin Author WFMattR

    (@wfmattr)

    @jamkddr:

    It’s possible that if just the site was hacked, it could still drop files outside of the site if the file permissions allow it. We have a guide to cleaning hacked sites which may help, here:
    How do I clean my hacked site using Wordfence?

    If the root directory of the whole server was affected (not just the site root or your hosting account), you might also want to check out this guide from Google:
    https://support.google.com/webmasters/topic/4598104

    If you need help with the Wordfence scan options, or anything else from the Wordfence hacked site guide above, can you start a new topic in this forum, so we can continue discussing it separate from this post? You can include a link to this post for reference, too. Thanks!

    -Matt R

  • The topic ‘${"\x47L\x4fBA\x4c\x53"}[" malicous’ is closed to new replies.