winnow.compromised.ts.phpexploit.5.UNOFFICIAL

Dr. GBooky is here to help you with your guestbook problems ...
e-male
Posts: 1
Joined: Sun Oct 23, 2011 5:28 pm

winnow.compromised.ts.phpexploit.5.UNOFFICIAL

Post by e-male »

Script URL: http://juniperbay.byethost6.com/gb/gbook.php
Version of script: 1.6
Hosting company: Byethost
URL of phpinfo.php: php5
URL of session_test.php: ?
What terms did you try when SEARCHING for a solution:

Write your message below:
Hi!
My host suspended my account because gbook.php contained malicious code: winnow.compromised.ts.phpexploit.5.UNOFFICIAL
Their virus scan (or whatever) reported the same problem in clickcounter (juniperbay.byethost6.com/ccount/index.php).
Any ideas what the problem could be?
Best Regards Lennart
Klemen
Site Admin
Posts: 10116
Joined: Fri Feb 11, 2005 4:04 pm

Re: winnow.compromised.ts.phpexploit.5.UNOFFICIAL

Post by Klemen »

There is absolutely no malicious code in GBook. Any competent security professional who can reverse eval'd PHP code can confirm that (with over 250,000 downloaded copies of GBook rest assured a lot of developers have checked all the code).

Not sure which antivirus your host uses, but some do mark *any* encoded PHP code as a potential threat because PHP injection scripts are usually encoded using the same techniques.

There is some base64 encoded code in GBook (it handles licensing) and it looks like your antivirus marks that as a potential threat ("UNOFFICIAL") - you should contact your host and tell them to check the script and verify nothing dangerous is there, a false positive. If they are a competent company they should have no problem decoding the PHP code and verifying this.

The same technique is used in several scripts from PHPJunkyard, that's why the software reports the same thing for most of them.
Klemen, creator of HESK and PHPJunkyard
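The check the reply above asks the host to perform, decoding the encoded PHP and reading what it contains, can be done statically without running the script. The following is an added example, not part of the original thread and not PHPJunkyard's code: the function names, the two wrapper forms it recognises (`eval(base64_decode(...))` and, as a generalization, `eval(gzinflate(base64_decode(...)))`), the list of constructs flagged for review, and the sample input are all assumptions.

```python
import base64
import re
import zlib

# Matches eval(base64_decode('...')) and eval(gzinflate(base64_decode('...'))).
WRAPPED = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2\s*\)\s*(?(1)\)\s*)\)",
    re.IGNORECASE,
)
# Constructs a reviewer reads first in decoded code; a hit is not a verdict.
REVIEW = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|assert|"
    r"fsockopen|curl_exec|file_put_contents)\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def decode_layers(php_source, max_depth=10):
    """Statically unwrap nested encoded eval blobs; PHP is never executed."""
    layers, queue = [], [(php_source, 0)]
    while queue:
        text, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        for m in WRAPPED.finditer(text):
            try:
                raw = base64.b64decode(re.sub(r"\s+", "", m.group(3)))
                if m.group(1):  # gzinflate() reads a raw DEFLATE stream
                    raw = zlib.decompress(raw, -15)
            except (ValueError, zlib.error):
                continue  # malformed blob: leave it for manual inspection
            decoded = raw.decode("utf-8", errors="replace")
            layers.append(decoded)
            queue.append((decoded, depth + 1))
    return layers


def review_hits(layers):
    """Sorted names of review-worthy constructs found in the decoded layers."""
    hits = set()
    for layer in layers:
        for m in REVIEW.finditer(layer):
            hits.add(m.group(1).lower() if m.group(1) else "$_" + m.group(2).upper())
    return sorted(hits)


# Constructed sample, not GBook's real code: a benign encoded footer line.
_INNER = "echo 'Powered by Example Script';"
SAMPLE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(_INNER.encode()).decode()
```

Calling `decode_layers` on the contents of a flagged file returns every decoded layer as text for reading; an empty `review_hits` result narrows the review but does not replace reading the decoded code.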
Klemen
Site Admin
Posts: 10116
Joined: Fri Feb 11, 2005 4:04 pm

Re: winnow.compromised.ts.phpexploit.5.UNOFFICIAL

Post by Klemen »

After a few tests, this file may fix the problem; upload it instead of the original gbook.php file:
http://www.phpjunkyard.com/extras/gbook17_evalfix.zip

If it does fix your problem please let me know.