I got lots of warnings this morning:

===========================
/var/www/clients/client0/owncloud_latest/owncloud/apps/files_external/3rdparty/irodsphp/prods/utilities/exif2meta.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web4/web/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web4/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web40/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web41/web/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web41/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web44/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
/var/www/clients/client0/web45/web/greenv2/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode

Now, the file mo.php is unchanged and is identical to the file in a WordPress folder I keep hidden. Is this real, or a false positive? And what does suspect.hidden.explode mean? What is triggering it? Please let me know what's going on here. I uploaded a zip of one of the mo.php files. Thanks.

That's a false positive; it uses a special explode + chr combination in the code that is often found in malware. The mo.php file was already whitelisted a few hours ago, so ISPProtect will show it as non-malware now. If you receive an alert and think that it's a false positive, then please use the reporting function in ISPProtect, which also allows you to get notified by email when we have reviewed the file:

ispp_scan --false-positive=/var/www/clients/client0/web45/web/greenv2/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php
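
The check the original poster describes (confirming a flagged file is byte-identical to a known-good copy before treating the hit as a false positive) can be scripted. This is an added example, not code from the thread or from ISPProtect; it assumes the report line format pasted above (`<path> {ISPP}<signature>`), and `reference_dir` and `root` are hypothetical parameters.

```python
import hashlib
import re
from pathlib import Path

# Report line format as pasted in the thread: "<path> {ISPP}<signature>"
REPORT_LINE = re.compile(r"^(?P<path>/\S.*?)\s+\{ISPP\}(?P<sig>\S+)\s*$")


def parse_report(text):
    """Return (path, signature) pairs; separator and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(report_text, reference_dir, root="/"):
    """Map each flagged path to (signature, verdict).

    Assumption: reference_dir holds pristine copies keyed by file name
    (e.g. mo.php from an untouched download of the installed version).
    root re-bases the report's absolute paths, e.g. onto a mounted backup.
    """
    results = {}
    for path, sig in parse_report(report_text):
        flagged = Path(root) / path.lstrip("/")
        reference = Path(reference_dir) / flagged.name
        if not flagged.is_file():
            verdict = "missing"
        elif not reference.is_file():
            verdict = "no-reference"
        elif sha256_of(flagged) == sha256_of(reference):
            verdict = "identical"   # matches known-good copy: signature-only hit
        else:
            verdict = "modified"    # differs from reference: review by hand
        results[path] = (sig, verdict)
    return results
```

A "modified" verdict also appears when the site runs a different release than the reference copy, so keep one reference per installed version.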