malware warning

[Gb59]

Script URL:
Version of script: 1.5
Hosting company: hawkhost
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution:

Write your message below:

There is malware warning: (malet scanner)
{HEX}gzbase64.inject.unclassed.14 : /home/.../MyGbook.php

I think this is false alarm .. is there a way I can download a fresh 1.5 guestbook file?

[Gb59]

I read here there is a false positive fix for 1.7 - can I have that for v1.5?

viewtopic.php?f=7&t=3781

[Klemen]

I'm afraid I don't provide support for such old versions anymore. You are encouraged to upgrade to 1.7 instead.

If you wish to keep your old version you will probably need to contact your hosting company and ask them to add your gbook.php file to their antivirus software "ignore" list.

[Gb59]

I tried 1.7 but the upgrade is incompatible with the customisations in header/footer.txt hence can't do that.

[fugitivewife]

I have been using the guestbook for quite awhile now and all of a sudden my host provider send me this message:

*********
Your account is hosting the follwoing malicious files/scripts :
{HEX}gzbase64.inject.unclassed.14 : /home/......./gbook.php
This files are being abused by crackers/hackers to install malicious scripts on your account. Please note that our servers are up to date and monitored frequently against these hack/malicious attempts.
We have disabled the public_html folder for this account(s) temporarily to avoid any further exploits. This has been done for your own safety as well as to protect everyone else on the server and internet to make it a safe place for all.
********
I removed the one offending file that they pointed too but now they are telling me that ALL the gbook.php files are "infected". I have over 20 guestbooks running on this server and have had them for quite awhile. I also have the newest version 1.7.

I saw the code fix above and I assume that is the gbook.php file in the current download. I was working on a new guestbook when I got flagged as being malicious. lol I am NOT malicious.

Any ideas, what might be going on? I would hate to have to change guestbooks!

[Gb59]

As posted above it's a false positive - the code base64 part (inside the php code) is seen as malicious injection by most scanners hence this file is flagged.

My host has accepted that the code is clean

[fugitivewife]

Gb59, who is your host. Mine is still giving me the run around telling me that they can exclude me from the scanner so I can run my guestbooks. Not sure that is an option I want to go with. I HATE communicating computer for tech support, as this has been going on for two days and my guestbooks are STILL not back online. Waiting for hours for an answer to simple questions and then getting an answer that only addresses one of them is starting to really irratate me.

[Klemen]

Yes, unfortunately it is a false positive. Some virus scanners just block any script that uses this encoding technique. The "evalfix" file should be used as a solution in such cases.

[Gb59]

My host is Hawkhost.com and my guestbook v1.5 actually never was off-line. Talk to them upfront!