Script URL: http://www.tappingmachines.com/cgi-bin/ ... lLinks.php
Version of script: Linkman 1.7
Hosting company: Liquidweb.com
URL of phpinfo.php: not sure how to do this?
URL of session_test.php: not sure how to do this?
What terms did you try when SEARCHING for a solution:
NOD 32 and Linkman17 conflict issues -> a bunch of malware came up:/
Write your message below:
OK, I've been successfully using your link manager for the past 3-4 years. Recently I changed server hosts due to support issues. Now I am hosting at Liquidweb.com and they use NOD32 and ClamWin. NOD32 would not allow the scripts to run and classified it as potentially unwanted application/malware. Then the support at liquidweb installed malwarebytes and that scan classified all files clean! The support guy recommended that I report this issue to you so that you can go about taking the proper steps in getting your useful linkman manager added as a trusted application.
NOD32 and ClamWin did not like this on the links.php page
eval(gzinflate(base64_decode('DdBHsqJAAADQ43x/uRBBUs0KJEiQjA1spiTTZJEG+vQz7wivQO
/uVOFmKLv3tzil76Vgbn/zIhvz4vQjZbQO50kQBMm9sb5auxVwKZoR4tqVBGLUPnDqFOH+bKbwmeAzvy
kFB0WF95PyuCTJuCvo0UNhW2VqI/vollGRQZlcK/b9uFlNlX3olZkPt5I4IGebU8fBRJlKNinReNFdUU
WDh8UuSx6rcuXMRchRbJdYJmBTrH7+NkVCN6wp5Xb+UHWHZS2+zfnEFGX2uzy11T2LRsDExPHxkHkdm/
M96Awho+mQUkQUUW5VAzdSTTJ8N1SawJgFi7ebBdnmryNvTVDJHKJJQEAcVPEebX5paaP4CcoqhKt0zE
x5btB51ubuBpajV+n7xH1eFRjbA1MDpOxxBknTOuwT8o/JCmY17B1U1ZCPFHv1vGaZj3ZP9g2sIMMWth
s22o9sYi2BDQLD1l4y02HtRS4Q1WIxhamsE7Oz4oABkRRHDNfkXO1/8UsdPP5A3P9F6UuSM7/znWKrjQ
yHRFYJRuGkNh5aIr4/r2tuFCyV6+Fu3z7G2z961xH8mX5oCcmWg+m4GkWE1724EKnTNhv2oaqf6StWVe
DhWApeYoHUJTD6lLkgNk3Z9HL5+f39/fMP')));
When I disable NOD32, linkman1.7 works just fine. Currently I have it disabled so I can get to the admin.php page and view my links.
What do you recommend for me to do?
NOD32 and ClamWin classified Linkman1.7 as malware, why?
-
- Posts: 23
- Joined: Mon Jan 19, 2009 6:00 pm
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
This is, just like with GBook and HESK, a false alarm.
The code you mention handles LinkMan licensing and is therefore encoded. However, some antivirus programs will detect *any* PHP code encoded this way as a "potential threat".
You can verify this for example by saving this code as "text.php" and scanning the file with your antivirus:
Code: Select all
<?php
eval(gzinflate(base64_decode('abc')));
?>
Anyone with enough PHP experience should be able to easily decode the above code and confirm nothing dangerous is inside. Unfortunately, antivirus software companies compete on who will report most (potential) threats to make their software look more powerful...
Klemen, creator of HESK and PHPJunkyard
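Added example, not part of the original thread and not LinkMan's own code: a Python sketch of the static check described in the reply above, which decodes an `eval(gzinflate(base64_decode('...')))` wrapper for reading without ever executing it. The sample payload, the `wrap`/`unwrap`/`review_calls` names and the shortlist of calls to review are assumptions made for this illustration.

```python
import base64
import re
import zlib

# The wrapper quoted in this thread: eval(gzinflate(base64_decode('...')));
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)
# Constructed shortlist of PHP calls a reviewer would want to read closely.
REVIEW = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|"
    r"fsockopen|curl_exec|file_put_contents|base64_decode)\s*\("
)

def wrap(php_source):
    """Build constructed test input in the same wrapper (raw DEFLATE + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = comp.compress(php_source.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()

def unwrap(php_source, max_layers=10):
    """Return (decoded_source, layers_removed). Payloads are decoded, never run."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(php_source)
        if not m:
            break
        b64 = re.sub(r"\s+", "", m.group(2))    # blobs are often wrapped across lines
        try:
            blob = base64.b64decode(b64, validate=True)
            inner = zlib.decompress(blob, -15)   # -15: raw DEFLATE, what gzinflate() reads
        except (ValueError, zlib.error):
            break                                # truncated or damaged blob: stop, keep text
        text = inner.decode("utf-8", "replace")
        php_source = php_source[:m.start()] + text + php_source[m.end():]
        layers += 1
    return php_source, layers

def review_calls(php_source):
    """Sorted names of shortlisted calls present in the (decoded) source."""
    return sorted({m.group(1) for m in REVIEW.finditer(php_source)})

# Constructed sample: a harmless statement wrapped twice, as nested encoders do.
INNER = "echo 'Powered by Example Links';"
SAMPLE = wrap(wrap(INNER))

if __name__ == "__main__":
    decoded, layers = unwrap(SAMPLE)
    print(layers, "layer(s) removed:", decoded, "| review:", review_calls(decoded))
```

The three-byte `'abc'` test snippet from the reply is not valid base64, so `unwrap` leaves it unchanged and reports zero layers.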
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
Thanks for your response Klemen
I've been thankfully using your Link Manager for a long time and I'm wondering: if we purchase or bought you a few drinks and install a full licensed version, will this remove that encoded licensing? Do you think NOD32 will continue to block linkman1.7 functionality then? My last host, plesk or something, got hacked and all my javascripts on my navigation and some .php got infected with malware code and their support was horrible, so since switching to liquidweb I feel I'm less vulnerable to these attacks, which means I would like to keep live malware monitoring up to date. Can you recommend any good windows server malware monitoring systems? Perhaps my host can just use malwarebytes since linkman was cleared by it... idk, I'll ask them today. Not even sure if malwarebytes can even do live monitoring? I know, I'm a rookie in this area being forced to educate myself and deal with the new age internet :/
or
My support at liquidweb said that NOD32 will allow you to submit your software and will perhaps update their registry? Something tells me this is not the case but worth asking about?
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
I'm afraid I cannot give any recommendations here as I'm not an expert in the field.
Also the last thing I want to do is force anyone into purchasing a license or sending a donation. Here's a free fix you can try, let me know if it works for you:
1. Back up existing LinkMan files
2. Upload these files over original Linkman ones:
http://www.phpjunkyard.com/extras/linkm ... al_fix.zip
3. Test and let me know if it helped.
Klemen, creator of HESK and PHPJunkyard
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
OK, I followed your instructions and overwrote the files with the zip contents you created, turned on NOD32 just to test if the link.php file was injected into my template and it was :) However, when I attempted to log into the admin.php it asked for Authentication, Enter username and password for http://www.tappingmachines.com.
http://www.tappingmachines.com/cgi-bin/ ... /admin.php
When I turn off the monitoring in NOD32, Linkman1.7 worked just fine and I was able to log into the admin.php
I did not test to see if a link could be posted. I figured that when NOD32 is monitoring there were still issues. What do you think?
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
Just spoke to my support and they told me I can exclude the linkman directory in NOD32 and all should be well. That to me sounds like the easiest fix for us all and still get the malware monitoring.
Well, at least now you know what NOD32 and ClamWin are doing :/
Thanks for the help and the great product. I'm still open to suggestions tho hahaha
Have a great day
Re: NOD32 and ClamWin classified Linkman1.7 as malware, why?
I guess that should solve it at least temporarily. LinkMan is long due for an update and when I get to it I will rewrite this code to hopefully stop false positives.
Klemen, creator of HESK and PHPJunkyard