Wordfence critical security notice with Premium
Tagged: security, wordfence warning
- This topic has 13 replies, 9 voices, and was last updated 5 years, 9 months ago by chrisghill.
November 27, 2017 at 10:08 pm #245469 Scott (Participant)
I just installed UpdraftPlus Premium yesterday and am getting a critical security notice from Wordfence on each site it’s installed on (copied/pasted below). Will you confirm if the following is an issue, and if there’s something that needs to be fixed?
Thanks,
Scott
———
This file may contain malicious executable code: /public_html/wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/phpseclib/Crypt/Base.php
Filename: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/phpseclib/Crypt/Base.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.
November 27, 2017 at 10:21 pm #245471 udadmin (Keymaster)
It’s almost certainly a false positive, in that that file (part of https://github.com/phpseclib/phpseclib/ , the PHP standard encryption library) contains that. Please report it to Wordfence… we’ve had this question so many times, and would really like it if they could fix their scanner so that it doesn’t flag up the same false positives repeatedly!
David
November 27, 2017 at 10:28 pm #245473 Scott (Participant)
Thanks David, that’s reassuring to hear.
I’ll drop a note to Wordfence about it.
Scott
December 19, 2018 at 3:43 pm #329202 Linda (Participant)
Just FYI that I got the same “critical” warning from Wordfence yesterday. This with Wordfence Premium. Further to the warning, Wordfence says “Since you have the beta threat defense feed enabled, there is a high likelihood that your results could include false positives.”
I opened a ticket with Wordfence and sent them the file and a link to this post. This is the reply I got:
“I see we have this file in our system as non-malicious. Of course, you will always want to continue to keep an eye on things, even when you see false positives. As Updraft mentioned, I believe it is safe to say this is a false positive.”
Thought I’d share as it’s scary to get the critical warning plus a prompt to hire Wordfence to clean the site for malware ;-)
December 20, 2018 at 6:32 pm #329760 Scott (Participant)
Thanks for sharing that, Linda!
January 19, 2019 at 8:17 pm #339443 Linda (Participant)
Hi again –
I’m getting another critical warning from Wordfence for this file:
START
wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $key = ‘MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp’ .\x0a ‘wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5’ .\x0a ‘…
The issue type is: Backdoor:PHP/SEemf0Ji
Description: A backdoor known as SEemf0Ji
END
Can you confirm that it’s a legitimate file or not?
January 23, 2019 at 6:34 pm #340881 Dee Nutbourne (Moderator)
Hi,
Apologies for the delay.
This appears to be a false positive. The file is legitimate, and the matched strings are part of the file.
Best Wishes,
David N
February 5, 2019 at 1:46 pm #345208 ssh1 (Participant)
Hi,
I’m getting the same issue, I think:
Filename: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $key = ‘MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp’ .\x0a ‘wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5’ .\x0a ‘…
The issue type is: Backdoor:PHP/SEemf0Ji
Description: A backdoor known as SEemf0Ji
Can you let me know if this is a false positive or something that needs to be addressed?
Thanks.
February 5, 2019 at 2:41 pm #345229 support303 (Participant)
I got the same warning today from Wordfence:
* File appears to be malicious: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
Can you please let us know if this is a false positive or something that needs to be addressed?
Thanks.
February 5, 2019 at 2:50 pm #345239 vinceparrott (Participant)
I received the same warning today from Wordfence:
Filename: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $key = ‘MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp’ .\x0a ‘wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5’ .\x0a ‘…
The issue type is: Backdoor:PHP/SEemf0Ji
Description: A backdoor known as SEemf0Ji
Please confirm that this is a false positive.
Thank you.
February 5, 2019 at 2:52 pm #345240 adambnicely (Participant)
I too got the critical alert from Wordfence.
Filename: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $key = ‘MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp’ .\x0a ‘wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5’ .\x0a ‘…
The issue type is: Backdoor:PHP/SEemf0Ji
Description: A backdoor known as SEemf0Ji
I compared the file to the one that is hosted on the official phpseclib 1.0 branch at GitHub and the files are exactly the same, so I believe this to be a false positive.
I will write Wordfence to let them know.
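The comparison described in the post above (flagged file versus the upstream phpseclib copy) can be run over the whole vendored directory by hashing both trees. This is an added example, not part of the thread or of either project's code; the file contents in `demo()` are constructed, and the reference tree is assumed to be a checkout of the same phpseclib version the plugin bundles.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(installed: Path, reference: Path) -> dict:
    """Classify each file under `installed` against the same relative path in `reference`."""
    report = {"identical": [], "modified": [], "not_in_reference": []}
    for path in sorted(p for p in installed.rglob("*") if p.is_file()):
        rel = path.relative_to(installed)
        upstream = reference / rel
        if not upstream.is_file():
            report["not_in_reference"].append(rel.as_posix())  # upstream never shipped it
        elif sha256_of(path) == sha256_of(upstream):
            report["identical"].append(rel.as_posix())         # byte-for-byte match
        else:
            report["modified"].append(rel.as_posix())          # differs from upstream
    return report


def demo() -> dict:
    """Constructed trees: one matching file, one changed file, one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        files = {
            "tests/Unit/Crypt/RSA/LoadKeyTest.php": b"<?php // constructed test fixture\n",
            "phpseclib/Crypt/Base.php": b"<?php // constructed library file\n",
        }
        for root in (ref, inst):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Simulate a locally changed file and a file that is absent upstream.
        (inst / "phpseclib/Crypt/Base.php").write_bytes(b"<?php // changed\n")
        (inst / "extra.php").write_bytes(b"<?php // unexpected\n")
        return compare_trees(inst, ref)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

A flagged path that lands in `identical` supports the false-positive reading; anything in `modified` or `not_in_reference` is what deserves a closer look.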
February 5, 2019 at 5:31 pm #345330 chrisghill (Participant)
Same issue here today:
File appears to be malicious: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
Type: File
Issue Found February 5, 2019 6:16 AM
Critical
Stop Ignoring
Details
Filename: wp-content/plugins/updraftplus/vendor/phpseclib/phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $key = ‘MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp’ .\x0a ‘wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5’ .\x0a ‘…
The issue type is: Backdoor:PHP/SEemf0Ji
I hope it’s still a false positive.
February 5, 2019 at 9:05 pm #345410 adambnicely (Participant)
I got a quick response from Wordfence Support:
“Thanks for reaching out. This is a known false positive and we have disabled the rule. It shouldn’t show up in new scans while we are investigating and implementing a fix for the scan signature.”
February 5, 2019 at 9:07 pm #345411 chrisghill (Participant)
I got a similar response as well. They seem to be on it.
- The topic ‘Wordfence critical security notice with Premium’ is closed to new replies.