Suspicious Files – Are they really?


Viewing 2 posts - 1 through 2 (of 2 total)
  • #36992
    Laughter On Water
    Participant

    WP 5.1.1
    BPS 3.3

    MScan results yielded these suspicious files:

    /wp-includes/js/tinymce/wp-tinymce.js.gz
    /wp-includes/js/codemirror/jshint.js
    /wp-includes/random_compat/random_bytes_openssl.php

    So, I downloaded the latest zip, removed the entire wp-includes folder and unzipped WordPress into web root thus from ssh:

    /home/myname/mysite.com
    $ cd ~/
    $ mkdir helper
    $ cd helper
    $ wget http://wordpress.org/latest.zip
    $ unzip latest.zip
    $ mv wordpress mysite.com
    $ zip -ry mysite.com.zip mysite.com
    $ ls
    latest.zip mysite.com mysite.com.zip
    $ mv mysite.com.zip ~/
    $ cd ~/mysite.com
    $ rm -rf wp-includes
    $ cd
    $ pwd
    /home/myname/
    $ ls
    helper mysite.com mysite.com.zip
    $ unzip mysite.com.zip
    Archive: mysite.com.zip
    replace myszite.com/xmlrpc.php? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
    [ files unzip - too long to list ]
    

    The files scanned are the latest files direct from WordPress in a freshly installed wp-includes folder.

    Then I refreshed the browser and re-ran the MScan.

    Same results.

    What have I missed?

    #36994
    AITpro Admin
    Keymaster

    I checked those files with the BPS MScan scanner and I am seeing false positives too.  Use the View|Ignore|Delete Suspicious Files form > select the Ignore File checkbox option for each of these files > click the Submit button.  Unfortunately, malware scanners detect false positives.  Just the nature of the beast.  😉  Hmm looks like there is a new problem in MScan with downloading new wp zip files from wordpress.org. We made some changes in the last BPS version and need to revert a portion of that code back to the code we were using before. That will be done in the next BPS version release.

    Edit: Actually the problem with MScan downloading new wp zip files is that a lot of people and some web hosts turn off/disable the allow_url_fopen directive in php.ini files. So it looks like we have to use the WP HTTP API after all instead of using fopen(). So that particular problem would only occur for folks who have the allow_url_fopen directive in php.ini files turned off/disabled.
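
A byte-for-byte check of the flagged paths against a freshly unpacked reference copy tells a scanner false positive apart from a file that was changed on the site. The script below is an added example, not BPS/MScan code and not from either poster; the function names `compare_flagged` and `demo` are hypothetical, and the demo trees and file contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example: compare scanner-flagged files in a live WordPress tree
# against a pristine tree unpacked from the official zip.

# compare_flagged LIVE_ROOT REF_ROOT LIST_FILE
# LIST_FILE holds one site-relative path per line, as the scanner reports them.
# Prints a verdict per path; returns 0 only when every file is identical.
compare_flagged() {
    live=$1; ref=$2; list=$3; rc=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        rel=${rel#/}                         # "/wp-includes/x" -> "wp-includes/x"
        [ -z "$rel" ] && continue
        if [ ! -f "$ref/$rel" ]; then
            echo "NOT_IN_CORE  $rel"; rc=1   # absent from the reference tree
        elif [ ! -f "$live/$rel" ]; then
            echo "MISSING_LIVE $rel"; rc=1
        elif cmp -s "$live/$rel" "$ref/$rel"; then
            echo "IDENTICAL    $rel"         # same bytes as the reference copy
        else
            echo "DIFFERS      $rel"; rc=1   # changed on the site: inspect it
        fi
    done < "$list"
    return "$rc"
}

# demo: constructed trees standing in for the live site and the unpacked zip.
# One live file gets an extra line so the DIFFERS branch is exercised.
demo() {
    t=$(mktemp -d) || return 1
    for root in live ref; do
        for rel in js/tinymce/wp-tinymce.js.gz js/codemirror/jshint.js \
                   random_compat/random_bytes_openssl.php; do
            mkdir -p "$t/$root/wp-includes/${rel%/*}"
            echo "constructed stand-in for $rel" > "$t/$root/wp-includes/$rel"
            echo "/wp-includes/$rel" >> "$t/flagged.$root"
        done
    done
    echo 'constructed local modification' >> "$t/live/wp-includes/js/codemirror/jshint.js"
    rc=0; compare_flagged "$t/live" "$t/ref" "$t/flagged.ref" || rc=$?
    rm -rf "$t"; return "$rc"
}

demo || echo "at least one flagged file is not identical to the reference copy"
```

With the directory layout from the first post, the call would be `compare_flagged ~/mysite.com ~/helper/mysite.com flagged.txt`, where `flagged.txt` is an assumed file listing the three reported paths.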
