scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0

WordPress Plugin WPForms Lite (from version 1.6.5 to 1.6.6) Update marked as Virus #70

Closed (mitchobrian closed this 2 years ago)

mitchobrian commented 3 years ago

The last auto update of WPForms Lite was marked as a virus. I checked and it seems okay.

Files:

admin-wp5.7-colors.css 
admin.css
builder.css
dashboard-widget.css 
entry-print.css 
wpforms-base.css
wpforms-full.css 
wpforms-base.css 
wpforms-full.css
admin.css

scr34m commented 3 years ago

Did you check which pattern is causing this?

mitchobrian commented 3 years ago

Hello, yes, I checked it for you:


```
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/admin-global.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/admin-integrations.css}
# ER (zdGF0) # {/plugins/wpforms-lite/assets/css/admin-integrations.css}
# ER (zeXN0ZW) # {/plugins/wpforms-lite/assets/css/admin-integrations.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/admin-integrations.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/admin-integrations.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/admin-notifications.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/admin-wp5.7-colors.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/admin-wp5.7-colors.css}
# ER (zdGF0) # {/plugins/wpforms-lite/assets/css/admin-wp5.7-colors.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/admin-wp5.7-colors.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (zdGF0) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (JlcGxhY2) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (ZnVuY3Rpb2) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (Z1bmN0aW9u) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (mdW5jdGlvb) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (aW5jbHVkZ) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (luY2x1ZG) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (pbmNsdWRl) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (ZmlsZ) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (ZpbG) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (9wZW) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (vcGVu) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (Y2xvc2) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (Nsb3Nl) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (ZXh0cmFjd) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (V4dHJhY3) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (ZGVmaW5l) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (RlZmluZ) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (kZWZpbm) # {/plugins/wpforms-lite/assets/css/admin.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (jb3B5) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (yZXF1aXJl) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (ZmlsZ) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (ZpbG) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (9wZW) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (vcGVu) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (Nsb3Nl) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (jbG9zZ) # {/plugins/wpforms-lite/assets/css/builder.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/challenge.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/challenge.css}
# ER (ZnVuY3Rpb2) # {/plugins/wpforms-lite/assets/css/challenge.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/challenge.css}
# ER (Nsb3Nl) # {/plugins/wpforms-lite/assets/css/challenge.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/choices.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/choices.css}
# ER (9wZW) # {/plugins/wpforms-lite/assets/css/choices.css}
# ER (vcGVu) # {/plugins/wpforms-lite/assets/css/choices.css}
# ER (pbmNsdWRl) # {/plugins/wpforms-lite/assets/css/dashboard-widget.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/dashboard-widget.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/emails/general.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/emails/partials/media_queries.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/emails/summary.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/entry-print.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/form-embed-wizard.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/integrations/divi/choices.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/integrations/divi/choices.css}
# ER (9wZW) # {/plugins/wpforms-lite/assets/css/integrations/divi/choices.css}
# ER (vcGVu) # {/plugins/wpforms-lite/assets/css/integrations/divi/choices.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (ZWNob) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (VjaG) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (lY2hv) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (JlcXVpcm) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-base.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (ZWNob) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (VjaG) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (lY2hv) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (JlcXVpcm) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (ZmlsZ) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (ZpbG) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (9wZW) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (Nsb3Nl) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (jbG9zZ) # {/plugins/wpforms-lite/assets/css/integrations/divi/wpforms-full.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/logger.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (ZWNob) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (VjaG) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (lY2hv) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (yZXF1aXJl) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/wpforms-base.css}
# ER (c3Rhd) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (N0YX) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (zdGF0) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (ZWNob) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (VjaG) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (lY2hv) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (cmVxdWlyZ) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (ZmlsZ) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (ZpbG) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (maWxl) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (b3Blb) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (vcGVu) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (Y2xvc2) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER (Nsb3Nl) # {/plugins/wpforms-lite/assets/css/wpforms-full.css}
# ER ((\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}) # {/plugins/wpforms-lite/assets/js/moment-with-locales.min.js}
# ER (maWxl) # {/plugins/wpforms-lite/lite/assets/css/admin.css}
```

Pattern in (). BR

scr34m commented 3 years ago

As you know, this scanner is not ideal for CSS / JS. I think the SVG and compressed JS are causing this issue, so the solution is to create a custom whitelist and use it with the new flag, or simply disable base64 checks.
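
To illustrate the diagnosis in this thread (an added example, not code from php-malware-scanner): fragments reported above such as `ZmlsZ`, `ZpbG` and `maWxl` are the base64 encodings of a PHP keyword at the three possible byte alignments, so any base64 blob containing that word, such as an inline SVG in CSS, matches them. The script below derives those fragments and labels each hit by whether it sits inside a `data:` URI payload; the keyword list, the labels and the sample CSS are assumptions constructed for the example.

```python
import base64
import binascii
import re

# Assumed keyword list, inferred by decoding fragments reported in the thread.
KEYWORDS = [b"file", b"open", b"function", b"include"]
DATA_URI = re.compile(r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)")

def b64_fragments(keyword):
    """Base64 substrings that show up whenever `keyword` occurs in encoded data.

    The keyword may start at byte 0, 1 or 2 of a 3-byte group, giving three
    fragments; characters that also depend on neighbouring bytes are trimmed.
    """
    frags = set()
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + keyword).decode()
        start = -(-8 * offset // 6)             # ceil: skip chars holding filler bits
        end = 8 * (offset + len(keyword)) // 6  # floor: drop the partial last char
        frags.add(encoded[start:end])
    return frags

def triage(css, keywords=KEYWORDS):
    """Return (fragment, location) for every fragment hit in `css`."""
    spans = []
    for m in DATA_URI.finditer(css):
        payload = m.group(2)
        try:
            decoded = base64.b64decode(payload + "=" * (-len(payload) % 4))
            label = "data-uri-with-php" if b"<?php" in decoded else "data-uri:" + m.group(1)
        except binascii.Error:
            label = "data-uri-undecodable"
        spans.append((m.start(2), m.end(2), label))
    hits = []
    for kw in keywords:
        for frag in sorted(b64_fragments(kw)):
            for m in re.finditer(re.escape(frag), css):
                where = next((lbl for s, e, lbl in spans if s <= m.start() < e),
                             "outside-data-uri")
                hits.append((frag, where))
    return hits

# Constructed sample: minified CSS with an inline SVG icon.
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><title>profile</title></svg>'
SAMPLE_CSS = (".icon{background:url(data:image/svg+xml;base64,"
              + base64.b64encode(_SVG).decode() + ")}")

if __name__ == "__main__":
    for frag, where in triage(SAMPLE_CSS):
        print(frag, where)
```

Hits labelled `data-uri:image/...` are the expected false positives to whitelist; hits labelled `outside-data-uri` or `data-uri-with-php` are the ones to open and read before whitelisting anything.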