WARNING WILL ROBINSON??? ispprotect suddenly warns on pomo/po.php???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jul 12, 2016.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I got lots of warnings this morning:
    ===========================

    /var/www/clients/client0/owncloud_latest/owncloud/apps/files_external/3rdparty/irodsphp/prods/utilities/exif2meta.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web4/web/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web4/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web40/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web41/web/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web41/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web44/web/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode
    /var/www/clients/client0/web45/web/greenv2/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php {ISPP}suspect.hidden.explode

    Now the file mo.php is unchanged and is identical to the file in a WordPress folder I keep hidden. Is this real, or a false positive?
    And what does suspect.hidden.explode MEAN? What is triggering it? Please let me know what's going on here :)
    I uploaded a zip of one of the mo.php files.

    thanks
    Attached Files: mo.zip (2.5 KB)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's a false positive: it uses a special explode + chr combination in the code that is often found in malware. The mo.php file was whitelisted a few hours ago already, so ISPProtect will show it as non-malware now. If you receive an alert and think that it's a false positive, then please use the reporting function in ISPProtect, which also allows you to get notified by email when we have reviewed the file.

    ispp_scan --false-positive=/var/www/clients/client0/web45/web/greenv2/wp-content/bps-backup/autorestore/wp-includes/pomo/mo.php
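To show why a signature of the kind till describes fires on a legitimate gettext parser and how a whitelist resolves it, here is an added illustration (not ISPProtect's actual rule or code, and not WordPress's mo.php): a toy `{ISPP}suspect.hidden.explode`-style heuristic that flags PHP source where `explode(` and `chr(` occur together, applied to two constructed samples, one benign NUL-separator split and one that rebuilds a hidden string character by character, plus a SHA-256 whitelist that suppresses the report for a reviewed file. The function and sample names are assumptions for this example.

```python
import hashlib
import re

# Constructed sample 1: benign code in the style of a gettext .mo parser,
# which splits context and message on a NUL byte. Illustrative only; this is
# not the real WordPress pomo/mo.php.
BENIGN_SRC = b"""<?php
function split_context($original) {
    // gettext separates msgctxt from msgid with a NUL byte
    $parts = explode(chr(0), $original);
    return $parts;
}
"""

# Constructed sample 2: the same two primitives used to assemble a string from
# a list of numeric codes so it never appears literally in the file. This is the
# construction pattern a heuristic is after, regardless of what gets built.
HIDDEN_SRC = b"""<?php
$s = '';
foreach (explode(',', '104,105') as $c) { $s .= chr((int)$c); }
echo $s;
"""

# Constructed sample 3: nothing suspicious at all.
PLAIN_SRC = b"<?php echo 'hello'; $a = explode(',', $b);\n"

# Toy signature: an explode() call followed (anywhere later) by a chr() call.
# A real scanner's rule is more specific; the point is that a purely textual
# rule cannot tell sample 1 from sample 2.
HIDDEN_EXPLODE = re.compile(rb"explode\s*\(.*?chr\s*\(", re.S)


def suspect_hidden_explode(src: bytes) -> bool:
    """Return True when the explode+chr pattern appears in the PHP source."""
    return HIDDEN_EXPLODE.search(src) is not None


def sha256_hex(data: bytes) -> str:
    """Hash of the exact file content; a whitelist keyed on this only matches
    the reviewed bytes, so a later modification of the file is flagged again."""
    return hashlib.sha256(data).hexdigest()


def add_false_positive(src: bytes, whitelist: set) -> str:
    """Record a reviewed file as a false positive (what a report would lead to)."""
    digest = sha256_hex(src)
    whitelist.add(digest)
    return digest


def scan(files: dict, whitelist: set) -> dict:
    """Map each path to 'clean', 'suspect' or 'whitelisted'.
    files: {path: content bytes}; whitelist: set of sha256 hex digests."""
    verdicts = {}
    for path, content in files.items():
        if not suspect_hidden_explode(content):
            verdicts[path] = "clean"
        elif sha256_hex(content) in whitelist:
            verdicts[path] = "whitelisted"
        else:
            verdicts[path] = "suspect"
    return verdicts


if __name__ == "__main__":
    # Paths reuse the layout from the report above; contents are constructed.
    tree = {
        "/var/www/clients/client0/web4/web/wp-includes/pomo/mo.php": BENIGN_SRC,
        "/var/www/clients/client0/web4/web/wp-content/uploads/x.php": HIDDEN_SRC,
        "/var/www/clients/client0/web4/web/index.php": PLAIN_SRC,
    }
    wl = set()
    print("before review:", scan(tree, wl))
    add_false_positive(BENIGN_SRC, wl)
    print("after review: ", scan(tree, wl))
```

Run it and the first scan reports both mo.php and x.php as suspect; after the benign file's hash is whitelisted only x.php remains, which is the same effect as the vendor-side whitelisting till mentions and the `--false-positive` report above.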
