  • #981
    DonQuicky
    Participant

    I use Symbiostock v3.2.7 with Symbiostock Child Theme v0.1.0 and Symbiostock Professional v1.4.9 on WordPress 3.8.1. After upgrading to the latest Wordfence Security v4.0.2 plugin and performing a fresh scan I was notified of this error.

    I discovered with the Wordfence tool that from an IP address in Germany someone was trying to log into our backend, without success. Fortunately! But I am concerned about the usernames this person used, as he was using existing usernames which are NOT public on any page of ours. So, combined with this error and the latest attacks, I am a little concerned.

    Any ideas?

    This file may contain malicious executable code
    Filename: wp-content/themes/symbiostock/inc/classes/PHP_JPEG_Metadata_Toolkit/JPEG.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 7 secs ago.
    Severity: Critical
    Status: New
    This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack’ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.

    #9295
    Imago Borealis
    Participant

    I just checked my SYS 3.2.7 files. The only ‘eval’ that I can find is in ‘… FALSE – if retrieval failed…’, which doesn’t look like malicious code at all. So either your Wordfence screwed up or something/someone changed your jpeg.php.

    #9296
    Imago Borealis
    Participant

    I just saw it in my WP backend: There’s a Wordfence update to 4.03 – So maybe it was this plug-in after all.

    #9297
    Leo
    Participant

    Good catch! You're not all wrong!

    Here is the PHP function page: http://us3.php.net/eval

    Quoted from that page:

    Caution
    The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

    It's probably used by the image processor meta-data library, one that goes back to 2004. One of the things I wish to do when I recreate/overhaul Symbiostock is to use imagemagick functions through the shell alone, and a few higher-level meta-data programs (also shell), but in the meantime we have good ol’ metadata library :mrgreen:

    #9298
    Leo
    Participant

    Following up on this, the word (in file notes) “retrieval” seems to be what is tripping the program which is scanning the file.

    I searched my files for “eval” and I didn’t find any occurrences of that function. I did find “unpack” however.
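The false positive Leo describes (the substring “eval” inside the comment word “retrieval”) can be reproduced with a small scanner comparison. This is an added example, not Wordfence's code and not part of the thread; the sample files, the comment-stripping and the call-pattern regexes are constructed assumptions that show why a plain substring match fires where a whole-word, call-shaped match does not.

```python
import re

# Constructed sample "files": a benign comment containing "retrieval" plus a real
# unpack() call (like the JPEG metadata library), a genuine eval()+unpack() pair,
# a call with whitespace before the parenthesis, and a file with unpack() only.
SAMPLES = {
    "jpeg_comment.php": "<?php\n// Returns FALSE - if retrieval failed\n$hdr = unpack('nmarker', $data);\n",
    "dropper.php": "<?php\n$p = unpack('a*', $blob); eval($p[1]);\n",
    "spaced.php": "<?php\n$u = unpack('C*', $s); eval ( $code );\n",
    "clean.php": "<?php\n$x = unpack('N', $bytes);\n",
}

def naive_flag(src: str) -> bool:
    """Substring check as described in the thread: any 'eval' plus any 'unpack'."""
    return "eval" in src and "unpack" in src

# Call-shaped patterns: the name as a whole word (not preceded by a word char or '$',
# so 'retrieval' and the variable '$eval' are excluded) followed by '('.
# PHP names are case-insensitive, so EVAL( must match too.
EVAL_CALL = re.compile(r"(?<![\w$])eval\s*\(", re.IGNORECASE)
UNPACK_CALL = re.compile(r"(?<![\w$])unpack\s*\(", re.IGNORECASE)

def strip_comments(src: str) -> str:
    """Drop /* */ and // comments so prose in file notes cannot trip the check.
    (Good enough for this demo; a real scanner would tokenize PHP instead.)"""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", src)

def token_flag(src: str) -> bool:
    """Flag only when both names appear as actual calls outside comments."""
    code = strip_comments(src)
    return bool(EVAL_CALL.search(code)) and bool(UNPACK_CALL.search(code))

def scan(samples: dict) -> dict:
    """Return {filename: (naive_result, token_aware_result)} for comparison."""
    return {name: (naive_flag(s), token_flag(s)) for name, s in samples.items()}

if __name__ == "__main__":
    for name, (naive, token) in scan(SAMPLES).items():
        print(f"{name:18} naive={naive!s:5} token-aware={token}")
```

Only jpeg_comment.php differs between the two checks: the naive match flags it, the call-shaped match does not.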

    #9299
    THPStock
    Participant

    @Imago Borealis wrote:

    I just saw it in my WP backend: There’s a Wordfence update to 4.03 – So maybe it was this plug-in after all.

    The change log notes on Wordfence 4.03 said that it included new HIGH security settings (not enabled by default) that check for this exact thing, and it also noted it may return false positives.

    View my portfolio at THPStock Direct via Microstock Man. I also do Web Design & Graphic Design.

    #9300
    DonQuicky
    Participant

    Well, just upgraded the plugin to latest version [4.0.3] and did a rescan and guess what:

    Congratulations! You have no security issues on your site.

    I was a little concerned with this notification of the EVAL() function and the attempts to log in as a user from an IP address not ours, with usernames which are not public in any way.

    Now I can sleep without concerns 🙂
