Malware detected hesk 2.3

[gfinternet]

Script URL:
Version of script: 2.3
Hosting company: StartPower
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution:

Hesk 2.3 malware

Hesk 2.3 malware detected

windows tool for remove Malware <proj@rfxn.com >

Write your message below:

Hello we have installed hesk 2.3 for three times and our hosting provider is sendig this report everytime we install the script:


malware detect scan report for xxxxxxxxx:
SCAN ID: 071212-0402.24093
TIME: Jul 12 04:26:36 -0430
PATH: /home*/*/public_html
RANGE: 2 days
TOTAL FILES: 9413
TOTAL HITS: 4
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/admin/admin_main.php => /usr/local/maldetect/quarantine/admin_main.php.19915
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/admin/admin_main.php => /usr/local/maldetect/quarantine/admin_main.php.26915
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/inc/footer.inc.php => /usr/local/maldetect/quarantine/footer.inc.php.17877
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/inc/footer.inc.php => /usr/local/maldetect/quarantine/footer.inc.php.16584
===============================================
Linux Malware Detect v1.3.7 < proj@rfxn.com >

We purchased the license today and sill the malware is present, please help

[Klemen]

There is absolutely no malicious code in HESK. Any competent security professional who can reverse eval'd PHP code can confirm that (with over 200,000 downloaded copies of HESK rest assured a lot of developers have checked all the code).

There is some gzip base64 encoded code in HESK (it handles licensing and is located in "footer.inc.php" and "admin_main.php" files) and it looks like your antivirus marks that as a potential threat.

You should contact your hosting company, ask them to verify nothing dangerous is inside HESK, a false positive. If they are a competent company they should have no problem decoding the PHP code, verifying this and excluding the files from being automatically moved to quarantine.

That said, version 2.4 (due in few weeks) will have license handling code rewritten and that should hopefully prevent such false positives in the future.

[nebojsar]

Hello,
same thing happened to me, we were blocked also by google. It seems that code have some vulnerabilities, we had to down two other websites that we have.

best regards,

Nebojsa

[Klemen]

You weren't blocked by Google for having such encoded HESK code - if you were blocked you had some other code injected into your website.

[nebojsar]

Agree, that is exact point, I think that code is somehow vulnerable and prone to attacks.

[Klemen]

Not sure which version/patch you are using, but there are no known security issues with HESK 2.3 Patch 2 or HESK 2.4.1 (latest).