• Resolved djbaxter

    (@djbaxter)


    For some time now, maybe a month or two, I have been getting reports from maldet from my server (dedicated server, WHM/cPanel, CENTOS 7.6, everything up to date) to the effect that maldet has found a suspicious file.

    There are several domains on this server and it only seems to be happening on one of the domains, so initially I assumed it was a problem with that domain.

    However, multiple scans on the domain with two different malware scanners have never found any malware except the Updraft backup file. No malware in the public space or the entire account space, just in the /wp-content/updraft/backup_2019-08-23-0024_{account name}-db.gz file. I had tech support also double check and they found nothing flagged except the Updraft backup. VirusTotal finds nothing on the domain (https://www.virustotal.com/gui/home/url).

    maldet is identifying this file hit list: {YARA}eval_post : /home/{account name}/public_html/wp-content/updraft/backup_2019-08-23-0024_{account name}_43c3635f0104-db.gz and the specific file is YARA.eval_post.UNOFFICIAL

    It is basically happening with every backup. Occasionally, it skips a day but not often.

    Now I know this has been reported as a false positive for maldet and clamav in the past (if clamav is installed, maldet will use the clamav scanner engine) but that doesn’t address the issue of:

    1. Why does it only flag the Updraft backup file? What about that backup file is triggering maldet to flag it?

    2. I have 16+ domains/accounts on this server. Why is it only flagging one account?

    Any suggestions?

  • @djbaxter

    .db.gz is a database backup file; I suspect you have an eval_post() function inside your database tables.

    Are you also scanning your database? Most malware scanners only scan files. Please also scan the database and check whether you get a similar malware warning.

    Thanks
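The reply above suggests the flagged .db.gz is flagged because the table contents it holds contain the pattern an eval_post rule looks for. The following is an added example, not code from this thread or from maldet: it walks a gzipped SQL dump line by line and reports the table and line of each match, so a hit on a backup can be traced to the row that carries it. The regex is an assumption that approximates an eval-of-request-input rule, not maldet's actual YARA signature, and the sample dump is constructed.

```python
import gzip
import io
import re

# Assumed pattern (not the real maldet/YARA rule): eval() fed straight from a
# request superglobal, optionally through base64_decode().
EVAL_POST = re.compile(
    rb"eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b"
)
# mysqldump emits one INSERT per line, so the table name tells where a row came from.
INSERT_TABLE = re.compile(rb"INSERT INTO\s+`?([A-Za-z0-9_]+)`?", re.IGNORECASE)

def scan_dump(lines):
    """Walk an SQL dump line by line; return [(line_no, table, snippet)]."""
    hits, table = [], None
    for line_no, line in enumerate(lines, 1):
        m = INSERT_TABLE.match(line)
        if m:
            table = m.group(1).decode()
        for hit in EVAL_POST.finditer(line):
            start = max(0, hit.start() - 20)
            snippet = line[start:hit.end() + 20].decode("utf-8", "replace")
            hits.append((line_no, table, snippet.strip()))
    return hits

def scan_stream(fh):
    """Scan a seekable binary stream (open file or BytesIO); gzip is detected
    by its 1f 8b magic and decompressed on the fly, so the .db.gz itself works."""
    magic = fh.read(2)
    fh.seek(0)
    if magic == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=fh) as gz:
            return scan_dump(gz)
    return scan_dump(fh)

def scan_bytes(data):
    return scan_stream(io.BytesIO(data))

# Constructed sample dump: two clean rows and one wp_options row carrying a
# webshell-style string, as an injected autoload option or plugin setting might.
SAMPLE_SQL = b"\n".join([
    b"INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome</p>');",
    b"INSERT INTO `wp_options` VALUES (99,'cache','<?php eval($_POST[\"c\"]); ?>');",
    b"INSERT INTO `wp_users` VALUES (1,'admin','x');",
])
SAMPLE_GZ = gzip.compress(SAMPLE_SQL)  # the same dump as it would sit in the backup

if __name__ == "__main__":
    for line_no, table, snippet in scan_bytes(SAMPLE_GZ):
        print(f"line {line_no} table {table}: {snippet}")
```

To run it against a real backup, pass an open file instead: `scan_stream(open("backup_...-db.gz", "rb"))`.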

    Thread Starter djbaxter

    (@djbaxter)

    Hmmm…

    I exported the database file and ran it through Windows Defender and all the tests at VirusTotal. Everything came back clean except one alert from the Bkav engine about cpr.webshell

    Suspecting that it might be a plugin I removed several older and/or unnecessary plugins, did a fresh export of the database, and retested it again. This time it came back clean.

    I wish I had uninstalled those plugins one by one so I’d know which one it was but I didn’t think of that until later.

    In any case it’s done now.

    Thanks for the suggestion!

    @djbaxter

    Glad to know the issue is now fixed.

    Feel free to write back to us if you have any more questions.

    Hi guys… I have something similar when trying to upload the Divi theme directly to the server.
    This is the error that I get:

    YARA.Backdoor_PHP_WPVCD_DivCodeName.UNOFFICIAL FOUND

    Also, when I try to install this theme from the WordPress dashboard, it looks like the installation of the theme is fine but it doesn’t work.

    I turned on debug mode and I got this error:

    Fatal error: Uncaught Error: Call to undefined function elegant_description() in /home/neonwnle/neontt.com/wp-content/themes/Divi_older_version/header.php:6 Stack trace: #0 /home/neonwnle/neontt.com/wp-includes/template.php(722): require_once() #1 /home/neonwnle/neontt.com/wp-includes/template.php(671): load_template(‘/home/neonwnle/…’, true) #2 /home/neonwnle/neontt.com/wp-includes/general-template.php(41): locate_template(Array, true) #3 /home/neonwnle/neontt.com/wp-content/themes/Divi_older_version/page.php(3): get_header() #4 /home/neonwnle/neontt.com/wp-includes/template-loader.php(98): include(‘/home/neonwnle/…’) #5 /home/neonwnle/neontt.com/wp-blog-header.php(19): require_once(‘/home/neonwnle/…’) #6 /home/neonwnle/neontt.com/index.php(17): require(‘/home/neonwnle/…’) #7 {main} thrown in /home/neonwnle/neontt.com/wp-content/themes/Divi_older_version/header.php on line 6

    Any suggestion is very welcome.

  • The topic ‘YARA.eval_post.UNOFFICIAL’ is closed to new replies.