Closed fernandoch777 closed 4 years ago
Can you share the output of ./phpmalwarefinder /var/www ?
Here is part of it, I stopped it now:
root@ns3XXX95:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder /var/www ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-meta-query.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-requests.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/functions.php DangerousPhp /var/www/mywebsite1.com/public_html/wp-includes/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/deprecated.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/deprecated.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/IXR/class-IXR-date.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/SimplePie/File.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/SimplePie/Parse/Date.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/class-pop3.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/widgets/class-wp-widget-categories.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/widgets/class-wp-widget-archives.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.audio-video.matroska.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.audio-video.quicktime.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.tag.id3v2.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/getid3.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/bookmark-template.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/load.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/class-phpmailer.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/class-phpmailer.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/post.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/formatting.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-tax-query.php ObfuscatedPhp 
/var/www/mywebsite1.com/public_html/wp-includes/embed.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/tinymce.min.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/wp-tinymce.js DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/wp-tinymce.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.js DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.js NonPrintableChars /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-date-query.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/general-template.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/comment.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/media.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/post-template.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/theme.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/blocks/categories.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/class-wp-query.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-ftp.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/file.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/ajax-actions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/template.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/template.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/upgrade.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/media.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/schema.php 
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php DangerousPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/uploads/2018/10/Screenshot-at-Apr-14-16-34-14-1-768x768.png HiddenInAFile /var/www/mywebsite1.com/public_html/wp-content/uploads/2018/10/Screenshot-at-Apr-14-16-34-14-1-768x768.png NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/apprentice/helpers.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/thrive-optin.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/shortcodes/admin-shortcodes.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/shortcodes/shortcodes.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/auto-responder/classes/Manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/functions.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/classes/Product/Abstract.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-product-manager/thrive-product-manager.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-product-manager/inc/classes/class-tpm-connection.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/crypto/vendor/paragonie/random_compat/lib/random.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/modules/login-security/classes/controller/time.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/waf/bootstrap.php ObfuscatedPhp 
/var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/unknownFiles.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfUtils.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfDiagnostic.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/xmlrpc.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfConfig.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/wordfence.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wordfenceClass.php DangerousPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wordfenceClass.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/calculated-fields-form/inc/cpcff_main.inc.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/calculated-fields-form/inc/cpcff_main.inc.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/auto-responder/classes/Manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/functions.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/classes/Product/Abstract.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb-bridge/tqb-class-hooks.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/classes/class-tcb-utils.php ObfuscatedPhp 
/var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/helpers/social.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/auto-responder/classes/Manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/functions.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/classes/Product/Abstract.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb-bridge/event-manager/actions/Thrive_Leads_State_Lightbox_Action.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb-bridge/tcb_action_hooks.php NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/admin/js-min/models.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/classes/class-tcb-utils.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/helpers/social.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/extensions/blocks/rating-star/rating-meta.php DangerousPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/class.jetpack.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/class.jetpack.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/sharedaddy/sharing-service.php NonPrintableChars 
/var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/shortcodes/archiveorg.php NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/videopress/editor-media-view.php NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/related-posts/jetpack-related-posts.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/classes/class-tcb-utils.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/helpers/social.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/auto-responder/classes/Manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/functions.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/classes/Product/Abstract.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-admin-ca.php ObfuscatedPhp 
/var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-admin-view.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-facebook-adapter.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/symfony/filesystem/Tests/FilesystemTest.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/monolog/monolog/src/Monolog/Formatter/LineFormatter.php Websites /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/monolog/monolog/src/Monolog/Handler/InsightOpsHandler.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/inc/classes/class-tho-trigger-manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/auto-responder/classes/Manager.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/functions.php DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/functions.php ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/classes/Product/Abstract.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/akismet/class.akismet.php DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/languages/es_ES.mo DodgyStrings /var/www/mywebsite2.com/public_html_old/tests/phpunit/maintenance/backupTextPassTest.php DangerousPhp /var/www/mywebsite2.com/public_html_old/tests/phpunit/MediaWikiTestCase.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/maintenance/getConfiguration.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/changes/RecentChange.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/libs/xmp/XMPValidate.php DangerousPhp 
/var/www/mywebsite2.com/public_html_old/includes/libs/filebackend/FileBackendStore.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/libs/rdbms/database/IDatabase.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/libs/rdbms/database/Database.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/GlobalFunctions.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/password/PasswordFactory.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/Message.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/diff/TableDiffFormatter.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/api/ApiFeedRecentChanges.php DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/NoLocalSettings.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/api/ApiBase.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/OutputPage.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/DefaultSettings.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/collation/IcuCollation.php DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/http/CurlHttpRequest.php DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/http/PhpHttpRequest.php DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/page/WikiPage.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/profiler/Profiler.php NonPrintableChars /var/www/mywebsite2.com/public_html_old/languages/Language.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/languages/classes/LanguageKu.php DodgyPhp /var/www/mywebsite2.com/public_html_old/vendor/symfony/process/Tests/ExecutableFinderTest.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/example_helpers.php DangerousPhp 
/var/www/mywebsite2.com/public_html_old/vendor/symfony/process/Process.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/helpers_for_test.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/regressionTest.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/monolog/monolog/tests/Monolog/Formatter/JsonFormatterTest.php ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/README.md ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/monolog/monolog/src/Monolog/Formatter/LineFormatter.php
I changed the domain names for security reasons in here.
Same for me.
Hello, my move would be to "quickly" review those files and to whitelist them. Since the whitelist is based on hashes, you won't have FP anymore, and if your files are changed (header or footer added by an attacker) PMF will detect it.
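The workflow suggested in the reply above, as an added example (not PMF's own code or whitelist format): findings are parsed from the "Rule /path" lines shown in this thread, reviewed files are recorded by hash, and a finding is suppressed only while the file still matches a reviewed hash. The function names, the use of SHA-256 and the sample files are assumptions of this example.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of the whole file (hash choice is this example's assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_findings(scan_output):
    """Return (rule, path) pairs from 'Rule /abs/path' lines, as in the output above."""
    pairs = []
    for line in scan_output.splitlines():
        rule, sep, path = line.strip().partition(" ")
        if sep and path.startswith("/"):  # skips prompts and blank lines
            pairs.append((rule, path))
    return pairs

def triage(scan_output, allowlist):
    """Keep only findings whose file no longer hashes to a reviewed value."""
    remaining = []
    for rule, path in parse_findings(scan_output):
        try:
            digest = file_digest(path)
        except OSError:
            digest = None  # missing or unreadable file is never suppressed
        if digest not in allowlist:
            remaining.append((rule, path))
    return remaining

def demo():
    """Constructed sample: two flagged files are reviewed, then one is changed."""
    root = tempfile.mkdtemp()
    files = {"functions.php": "<?php // core file, reviewed\n",
             "helpers.php": "<?php // theme file, reviewed\n"}
    paths = [os.path.join(root, name) for name in files]
    for path, body in zip(paths, files.values()):
        with open(path, "w") as fh:
            fh.write(body)
    scan = "DodgyPhp %s\nObfuscatedPhp %s\n" % tuple(paths)  # constructed output
    allowlist = {file_digest(p) for p in paths}  # built after manual review
    before = triage(scan, allowlist)
    with open(paths[1], "a") as fh:
        fh.write("// footer appended after the review\n")
    after = triage(scan, allowlist)
    return before, [(rule, os.path.basename(p)) for rule, p in after]
```

Because the allowlist is keyed on content rather than path, any edit to a reviewed file brings its finding back until the file is reviewed again.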
I am running the script with ./phpmalwarefinder /var/www and it is detecting all my WordPress files as DodgyStrings or ObfuscatedPhp or DodgyPhp. When I check them, I don't see any problems... What am I doing wrong?