jvoisin / php-malware-finder

Detect potentially malicious PHP files
GNU Lesser General Public License v3.0
1.47k stars, 284 forks

It is detecting all wordpress files #96

Closed fernandoch777 closed 4 years ago

fernandoch777 commented 4 years ago

I am running the script with ./phpmalwarefinder /var/www and it is detecting all my WordPress files as DodgyStrings, ObfuscatedPhp or DodgyPhp. When I check them, I don't see any problems... What am I doing wrong?

jvoisin commented 4 years ago

Can you share the output of ./phpmalwarefinder /var/www ?

fernandoch777 commented 4 years ago

Here is part of it, I stopped it now:

root@ns3XXX95:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder /var/www
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-meta-query.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-requests.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/functions.php
DangerousPhp /var/www/mywebsite1.com/public_html/wp-includes/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/deprecated.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/deprecated.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/IXR/class-IXR-date.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/SimplePie/File.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/SimplePie/Parse/Date.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/class-pop3.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/widgets/class-wp-widget-categories.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/widgets/class-wp-widget-archives.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.audio-video.matroska.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.audio-video.quicktime.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/module.tag.id3v2.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/ID3/getid3.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/bookmark-template.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/load.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-includes/class-phpmailer.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/class-phpmailer.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/post.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/formatting.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-tax-query.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/embed.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/tinymce.min.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/wp-tinymce.js
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/tinymce/wp-tinymce.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.js
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.js
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/js/dist/blocks.min.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/class-wp-date-query.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/general-template.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/comment.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/media.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/post-template.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/theme.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-includes/blocks/categories.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-includes/class-wp-query.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-ftp.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/file.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/ajax-actions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/template.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/template.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-admin/includes/upgrade.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/media.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/schema.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php
DangerousPhp /var/www/mywebsite1.com/public_html/wp-admin/includes/class-pclzip.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/uploads/2018/10/Screenshot-at-Apr-14-16-34-14-1-768x768.png
HiddenInAFile /var/www/mywebsite1.com/public_html/wp-content/uploads/2018/10/Screenshot-at-Apr-14-16-34-14-1-768x768.png
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/apprentice/helpers.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/thrive-optin.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/shortcodes/admin-shortcodes.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/inc/shortcodes/shortcodes.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/auto-responder/classes/Manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/functions.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/themes/focusblog/thrive-dashboard/classes/Product/Abstract.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-product-manager/thrive-product-manager.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-product-manager/inc/classes/class-tpm-connection.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/crypto/vendor/paragonie/random_compat/lib/random.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/modules/login-security/classes/controller/time.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/waf/bootstrap.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/unknownFiles.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfUtils.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfDiagnostic.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/xmlrpc.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wfConfig.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/wordfence.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wordfenceClass.php
DangerousPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/wordfence/lib/wordfenceClass.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/calculated-fields-form/inc/cpcff_main.inc.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/calculated-fields-form/inc/cpcff_main.inc.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/auto-responder/classes/Manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/functions.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/thrive-dashboard/classes/Product/Abstract.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb-bridge/tqb-class-hooks.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/classes/class-tcb-utils.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-quiz-builder/tcb/inc/helpers/social.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/auto-responder/classes/Manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/functions.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/thrive-dashboard/classes/Product/Abstract.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb-bridge/event-manager/actions/Thrive_Leads_State_Lightbox_Action.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb-bridge/tcb_action_hooks.php
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/admin/js-min/models.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/classes/class-tcb-utils.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-leads/tcb/inc/helpers/social.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/extensions/blocks/rating-star/rating-meta.php
DangerousPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/class.jetpack.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/class.jetpack.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/sharedaddy/sharing-service.php
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/_inc/blocks/components.js
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/shortcodes/archiveorg.php
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/videopress/editor-media-view.php
NonPrintableChars /var/www/mywebsite1.com/public_html/wp-content/plugins/jetpack/modules/related-posts/jetpack-related-posts.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/classes/class-tcb-utils.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/inc/helpers/social.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/auto-responder/classes/Manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/functions.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-visual-editor/thrive-dashboard/classes/Product/Abstract.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-admin-ca.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-admin-view.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/includes/admin/class-aepc-facebook-adapter.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/symfony/filesystem/Tests/FilesystemTest.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/monolog/monolog/src/Monolog/Formatter/LineFormatter.php
Websites /var/www/mywebsite1.com/public_html/wp-content/plugins/pixel-caffeine/vendor/monolog/monolog/src/Monolog/Handler/InsightOpsHandler.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/inc/classes/class-tho-trigger-manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/auto-responder/classes/Manager.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/functions.php
DodgyPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/inc/functions.php
ObfuscatedPhp /var/www/mywebsite1.com/public_html/wp-content/plugins/thrive-headline-optimizer/thrive-dashboard/classes/Product/Abstract.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/plugins/akismet/class.akismet.php
DodgyStrings /var/www/mywebsite1.com/public_html/wp-content/languages/es_ES.mo
DodgyStrings /var/www/mywebsite2.com/public_html_old/tests/phpunit/maintenance/backupTextPassTest.php
DangerousPhp /var/www/mywebsite2.com/public_html_old/tests/phpunit/MediaWikiTestCase.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/maintenance/getConfiguration.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/changes/RecentChange.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/libs/xmp/XMPValidate.php
DangerousPhp /var/www/mywebsite2.com/public_html_old/includes/libs/filebackend/FileBackendStore.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/libs/rdbms/database/IDatabase.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/libs/rdbms/database/Database.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/GlobalFunctions.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/password/PasswordFactory.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/Message.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/diff/TableDiffFormatter.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/api/ApiFeedRecentChanges.php
DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/NoLocalSettings.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/api/ApiBase.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/OutputPage.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/DefaultSettings.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/includes/collation/IcuCollation.php
DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/http/CurlHttpRequest.php
DodgyPhp /var/www/mywebsite2.com/public_html_old/includes/http/PhpHttpRequest.php
DodgyStrings /var/www/mywebsite2.com/public_html_old/includes/page/WikiPage.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/includes/profiler/Profiler.php
NonPrintableChars /var/www/mywebsite2.com/public_html_old/languages/Language.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/languages/classes/LanguageKu.php
DodgyPhp /var/www/mywebsite2.com/public_html_old/vendor/symfony/process/Tests/ExecutableFinderTest.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/example_helpers.php
DangerousPhp /var/www/mywebsite2.com/public_html_old/vendor/symfony/process/Process.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/helpers_for_test.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/tests/regressionTest.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/monolog/monolog/tests/Monolog/Formatter/JsonFormatterTest.php
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/zordius/lightncandy/README.md
ObfuscatedPhp /var/www/mywebsite2.com/public_html_old/vendor/monolog/monolog/src/Monolog/Formatter/LineFormatter.php

fernandoch777 commented 4 years ago

I changed the domain names for security reasons in here.

celevra commented 4 years ago

same for me

shaddai commented 4 years ago

Hello, my move would be to "quickly" review those files and to whitelist them. Since the whitelist is based on hashes, you won't have FP anymore, and if your files are changed (header or footer added by an attacker) PMF will detect it.
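The hash-based whitelisting shaddai describes, as an added example that is not code from php-malware-finder or from anyone in this thread. It assumes the whitelist is a YARA rule that matches a file when the SHA-1 of its whole content equals a reviewed value (via YARA's hash module); the rule name WhiteList, the helper names and the sample PHP content are this example's own choices. The demo shows why a hash whitelist does not hide tampering: the reviewed file matches, the same file with a footer appended does not.

```python
"""Hash-based whitelist of reviewed files (added example, not PMF's own code).

Assumption: the whitelist is a YARA rule using the `hash` module and
comparing the SHA-1 of the entire file against a set of reviewed values.
"""
import hashlib
from pathlib import Path


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    # Stream in 1 MiB chunks so large vendored files do not need to fit in memory.
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_hashes(root: Path, suffixes=(".php", ".js")) -> set:
    """Hash every reviewed file under `root` with one of the given suffixes."""
    return {
        sha1_of_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }


def build_whitelist_rule(hashes, rule_name: str = "WhiteList") -> str:
    """Render a YARA rule that matches iff the whole-file SHA-1 is a reviewed one."""
    if not hashes:
        # An empty whitelist must match nothing; `false` is a valid YARA condition.
        cond = "false"
    else:
        cond = " or\n        ".join(
            f'hash.sha1(0, filesize) == "{h}"' for h in sorted(set(hashes))
        )
    return (
        'import "hash"\n\n'
        f"rule {rule_name}\n{{\n    condition:\n        {cond}\n}}\n"
    )


def is_whitelisted(data: bytes, hashes) -> bool:
    """Same decision the YARA rule makes, evaluated in Python for offline checks."""
    return sha1_of_bytes(data) in set(hashes)


def demo() -> dict:
    # Constructed sample: a reviewed file, then the same file with a footer appended.
    reviewed = (
        b"<?php\n"
        b"// reviewed, known-good plugin file (constructed sample)\n"
        b"function helper() { return 1; }\n"
    )
    tampered = reviewed + b"<?php /* footer appended after review */ ?>\n"
    hashes = {sha1_of_bytes(reviewed)}
    return {
        "clean_whitelisted": is_whitelisted(reviewed, hashes),
        "tampered_whitelisted": is_whitelisted(tampered, hashes),
        "rule": build_whitelist_rule(hashes),
    }


if __name__ == "__main__":
    result = demo()
    print(result["rule"])
    print("reviewed file whitelisted:", result["clean_whitelisted"])
    print("modified file whitelisted:", result["tampered_whitelisted"])
```

Point `collect_hashes` at a directory you have actually reviewed, write the rendered rule to the whitelist file PMF loads, and re-run the scan: only byte-identical copies of the reviewed files are silenced, so any later header or footer change falls back to the normal rules and shows up again.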