I have the same problem; so far it has only shown up in 2 of 10+ websites I run.
Thread Starter
LMD99
(@lmd99)
This is the first and only instance of this warning I’ve received with over 20 WordPress sites I manage. That fact, in itself, doesn’t give me a good feeling. Well, let’s see if anyone else or the plugin author chimes in.
I can’t offer a definitive answer on this; however, I experienced the same message for that file (only on a site with high sensitivity enabled) back when 4.4.4 was released. I got the alert about two hours after the automatic update happened.
Chalked it down to a false positive as that particular core WordPress file does include reference to a function that is often associated with malicious code (eval), but obviously a genuine use of it (https://github.com/WordPress/WordPress/blob/master/wp-admin/includes/class-pclzip.php).
Thread Starter
LMD99
(@lmd99)
I think you are right about the “sensitivity”. I’ve disabled “high sensitivity”, and am performing another scan to see if it pops up again as a malicious file. Odd about the code reference to an instance of “eval” without quotes though…
¯\_(ツ)_/¯
I would ignore those as false positives. Here are the respective lines of code in that file in WordPress 4.6.1 (* Note the eval line is actually a comment):
Line 4068: // eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');
Line 2851: $v_data_header = unpack('a1id1/a1id2/a1cm/a1flag/Vmtime/a1xfl/a1os', $v_binary_data);
Line 2859: $v_data_footer = unpack('Vcrc/Vcompressed_size', $v_binary_data);
Line 4281: $v_data = unpack('Vid', $v_binary_data);
Line 4311: $v_data = unpack('vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $v_binary_data);
Line 4384: $v_data = unpack('Vid', $v_binary_data);
Line 4414: $p_header = unpack('vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $v_binary_data);
Line 4555: $v_data = @unpack('Vid', $v_binary_data);
Line 4631: $v_data = unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size', $v_binary_data);
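One way to confirm that a flagged `eval` is only a comment, as an added example that is not part of the thread and not the scanner plugin's code: PHP's own tokenizer separates a live `eval` call from the same text inside a comment or a string literal. The function name `classify_eval_hits` is hypothetical, and the sample source is constructed from the commented line quoted above plus one constructed live call for contrast.

```php
<?php
// Added example: classify every "eval(" occurrence in PHP source as live code,
// comment, or string literal. The sample is tokenized only, never executed.

function classify_eval_hits(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as ';' carry no text
        }
        [$id, $text, $line] = $token;
        if ($id === T_EVAL) {
            // The parser saw the eval language construct: this would execute.
            $hits[] = ['line' => $line, 'kind' => 'code'];
            continue;
        }
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            $kind = 'comment';
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING || $id === T_ENCAPSED_AND_WHITESPACE) {
            $kind = 'string';
        } else {
            continue;
        }
        // Comments and strings can span lines; report the line of each match.
        foreach (explode("\n", $text) as $offset => $part) {
            if (preg_match('/\beval\s*\(/i', $part)) {
                $hits[] = ['line' => $line + $offset, 'kind' => $kind];
            }
        }
    }
    return $hits;
}

// Constructed sample: line 2 is the commented-out call quoted in the thread,
// line 5 is a constructed live call that a reviewer should actually inspect.
$sample = <<<'PHP'
<?php
// eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');
$v_data = unpack('Vid', $v_binary_data);
$note = 'eval() is disabled here';
eval($untrusted);
PHP;

foreach (classify_eval_hits($sample) as $hit) {
    printf("line %d: eval in %s\n", $hit['line'], $hit['kind']);
}
```

Only hits of kind `code` can run. To triage a real alert, pass the flagged file's contents from `file_get_contents()` instead of the sample, and compare the file against a clean copy of the same WordPress release as well.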
Thread Starter
LMD99
(@lmd99)
I see the reference, and yes, a comment it is.
I’ve removed the “high sensitivity” function, and no issues are found now.
Thanks all for your help to resolve.