SiteLock Malware Warning on PHP files in SimpleMachine

Started by linux92, January 18, 2017, 03:46:01 AM


linux92

Dear All,

I recently purchased a subscription of SiteLock, which is a third party company that scans your web hosting server for malware. You provide them with an FTP account and once a day they download everything and scan for infection. This is especially helpful with WordPress which gets sooo easily infected with code injections.

I wanted to report that SiteLock detects malware in a few PHP files from SimpleForums. Below are the details:

/Sources/Subs-Package.php
Outbound connections are opened.
The error suppression operator (PHP) is used heavily.
File operations which may access external resources (e.g. malicious third-party websites) are executed.
File system operations, such as modifying file permissions, are executed.
Files are opened and/or modified.

/Sources/Subs-Post.php
Outbound connections are opened.
File system operations, such as modifying file permissions, are executed.
Email is sent.

/Sources/Subs.php
Outbound connections are opened.
System commands are executed on the server.
File system operations, such as modifying file permissions, are executed.
Files are opened and/or modified.

/Sources/Subs-Admin.php
File operations which may access external resources (e.g. malicious third-party websites) are executed.
File system operations, such as modifying file permissions, are executed.
Files are opened and/or modified.

/Sources/Themes.php
File operations which may access external resources (e.g. malicious third-party websites) are executed.
File system operations, such as modifying file permissions, are executed.
Files are opened and/or modified.
Obfuscation is used to disguise the function of the code.


Now I know these are most likely false positives, and we can configure SiteLock to "Ignore" those files; but this means that if one day they really do get injected with malware code, we'll never know, because they have been ignored.

Interestingly enough, we do not get any warning for the phpBB code on the same web hosting, which makes me wonder if there is a way that the code could be written that would not trigger warnings from malware scanning applications? I understand that at the end of the day, it's the responsibility of the antimalware manufacturer to be able to distinguish a REAL infection and mitigate false positives; but I am wondering why SimpleMachines does trigger those while other forums with the same features don't...

Thanks to all of the developers for a great project!
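One way to act on the concern in the post above without silencing the scanner, as an added example that is not part of this thread, of SMF or of SiteLock: record SHA-256 hashes of the known-good files (taken from a clean copy, e.g. a freshly downloaded SMF package) and compare the live tree against that baseline on a schedule, so a later change to an "ignored" file such as /Sources/Subs.php is still reported. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, pattern: str = "*.php") -> dict:
    """Map each PHP file (relative path, POSIX style) under root to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with a saved baseline; anything listed needs a look."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo_detect_change() -> dict:
    """Constructed scenario: baseline a fake Sources/ tree with two of the files
    the scanner flagged, then simulate a later change and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Sources").mkdir()
        (root / "Sources" / "Subs.php").write_text("<?php\n// placeholder for SMF code\n")
        (root / "Sources" / "Subs-Post.php").write_text("<?php\n// placeholder for SMF code\n")
        baseline = build_manifest(root)  # in practice, take this from a clean copy
        # Simulate what an ignore rule would hide: one flagged file changed,
        # one unexpected PHP file appeared.
        with (root / "Sources" / "Subs.php").open("a") as f:
            f.write("// constructed: bytes appended after the baseline\n")
        (root / "Sources" / "unexpected.php").write_text("<?php\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo_detect_change())
```

Store the manifest outside the web root (or on another host) so that whatever modifies the PHP files cannot also rewrite the baseline, and regenerate it only after a deliberate SMF upgrade or mod install.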

Arantor

These are because SMF is actually doing things phpBB isn't, like making it easy to download mods from inside the admin panel. Or checking an image is the right size before embedding it.

It literally isn't possible to offer the actual functionality SMF offers without triggering these warnings.

linux92

Thank you for your response. I thought it might be something like that, but still wanted to confirm and make sure others having this issue will be able to find this post!
Cheers!
