ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Webhost Flagged Malware/Virus in ExpressionEngine Script Files

September 28, 2011 7:50pm

  • #1 / Sep 28, 2011 7:50pm

    PixelGrinch

    48 posts

    Not sure what this is all about.
    The hosting company (Bluehost) of one of my clients suspended the account.
    They referenced files from the ExpressionEngine (1.6.8) installation.
    The files have not been touched since 2009.

    files listed in the report:
    ./public_html/system/core/core.messages.php
    ./public_html/system/core/core.regex.php
    ./public_html/system/core/core.spellcheck.php
    ./public_html/system/cp/cp.communicate.php
    ./public_html/system/cp/cp.messages.php
    ./public_html/system/cp/cp.publish.php
    ./public_html/themes/profile_themes/default/profile_theme.php

    I checked through them and found nothing weird other than the Pinky and the Brain ASCII graphic following, at the end of the code in core.messages.php:

    return <<<Dirt
    ......
    Dirt;

        Quiet, Paul, I’m pondering.    | \\  l\\l_ //  | 
            _         _       |  \\/ `/  `.|  |  Err…right, Rick! Narf!
          / \\  \      //\      | Y |  |  ||  Y |
          |  \\  \    //  |    |  \|  |  |\ /  |  /
          [  ||      ||  ]    \  |  o|o | >  /  /
          ]  ||      ||  [    \___\_—_ /_/__/
          |  \_|l,———.l|_/  |    /.-\(____) /—.\
          |  >’      `<  |    `—(______)——’
          \  (/~’—____—’~\)  /        U// U / \
          `-_>-__________-<_-’        / \  / /|
              /(_*(__)*_)\          ( .) / / ]
              \___/__\___/          `.`’ /  [
              /__`—‘__\            |`-’  |
            /\(__,>-~~ __)            |    |__
          /\//\\\      /            _l     |—:.
          ‘\/  <^\    /^>          |  `  ( |  \\
              _\ >-__-< /_         ,-\  ,-~~->. \  `:.___,/
            (___\  /___)        (____/  (____)  `—-’ 
           

                  SRKmHWgK       6HP                
                WRWWQWm         yQgX            
              zWQQqRRWT           rqQqB          
              gqQqRtWR       fbXn16hs   XXRQq0        
            gXkQ8X       pkSb   b04   RQQXXK        
          QXXQkQ7       aDahC     XSO     RbXQQRQ      
          R88kXXQ       PZFwX     kkk     bQkQkRQLt    
        QdXkkdXt     rYOZ4Vt   4bd6       qXk8X8QR    
        gQQQd8kp     G6TuTy   3khP         tXQQQQRQa    
        Q888Xdb2     1TuL6   pkS     Q     RX8QQRQH    
        Kb88kSd8     YZZZ6yF6       4h     zk888RQR    
        QQQ8bdbV     ywyn         k       X8b8RRg    
          uQXb8Qb6     zFDD       X4       XQbQXbQ    
          gRb8Qkh     apX     wQ       t8QXQQW      
            bR8QbE     hSF   1bA       bQbR8W        
              zBXQRa     zDDf2       KqQRqRbgy          
              tGEgQh           aQRRqXXW            
                  CmWQ         KRRQgqQ          
                    wqC     HmQpYj

    Downloading the 1.7.1 script shows this as well ... is this funny, I am not quite sure. I know though that this is surely not a malware/virus even though it seems like it the first time you come across it!

    Why do these files yield a flag at their end in the first place? As long as they are red flagged the site is suspended ... any ideas?

  • #2 / Sep 29, 2011 3:54am

    John Henry Donovan

    12339 posts

    Hi PixelGrinch,

    Can you please check through these files:

      * path.php
      * config.php
      * index.php

    to ensure that there is no unusual code such as iFrames or JavaScript includes.

    Also check the index.html files in the above folders for anything malicious.

    Have you been in touch with a person at the hosting company? Did they say how they were determining these files as being red flagged?

  • #3 / Sep 30, 2011 7:03pm

    PixelGrinch

    48 posts

    Hi John,

    Thanks for the reply. Yes, I talked to them and they are using a custom script and a report from Google to identify problems. I asked about false positives and he confirmed there are cases of false positives.

    I compared the ExpressionEngine files with the originals and they were identical. No idea why there would be reports like this and BlueHost just shuts off the client's website, with the side effect of really scaring them with an email containing: the content of your website may be deleted after 15 days.

    There were other flagged files which were not ExpressionEngine files, and I got rid of all of those. They ran their script again and the ExpressionEngine files were all clean.

    Just weird stuff going on out there ... The site is online again, the client is happy and I can sleep again 😊 ...
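The check PixelGrinch describes above (comparing the installed ExpressionEngine files against a pristine copy of the same release) combined with John's earlier advice to look for iframes and script includes, as an added example that is not part of the original thread. The directory trees, file contents and the tampered sample are constructed inline, and the marker pattern is an assumption about what "unusual code" would look like, not a real signature set.

```python
import hashlib
import os
import re
import tempfile
# Markers John suggested looking for: iframes and external script includes.
# This pattern is an assumption about what "unusual code" looks like, not a full signature set.
SUSPICIOUS = re.compile(rb"<iframe\b|<script\b[^>]*\bsrc=", re.IGNORECASE)

def hash_tree(root):
    """Map each file under root (relative path) to the SHA-256 of its bytes."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def compare_trees(pristine, installed):
    """Files whose content differs from the pristine release, plus missing and added ones."""
    p, i = hash_tree(pristine), hash_tree(installed)
    return {
        "modified": sorted(k for k in p if k in i and p[k] != i[k]),
        "missing": sorted(k for k in p if k not in i),
        "added": sorted(k for k in i if k not in p),
    }

def flag_markers(root):
    """Files under root containing an iframe or a <script src=...> include."""
    hits = []
    for rel in hash_tree(root):
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed sample: a pristine tree and an installed copy with one tampered file."""
    pristine, installed = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"index.php": b"<?php require 'system/core.php';", "system/core.php": b"<?php // clean"}
    for root in (pristine, installed):
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
    # Constructed tampering in the installed copy only: an injected iframe appended to index.php.
    with open(os.path.join(installed, "index.php"), "ab") as f:
        f.write(b'\n<iframe src="http://example.invalid/x"></iframe>')
    return compare_trees(pristine, installed), flag_markers(installed)
```

A file that hashes identical to the vendor release, as the ExpressionEngine files here did, cannot carry injected code, so the hash comparison settles the false-positive question before any pattern search is needed.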

  • #4 / Oct 02, 2011 5:23pm

    Sue Crocker

    26054 posts

    Glad to hear it. 😊 If anything else comes up, please do let us know in a new thread.
