Malware detected hesk 2.3

Posted: Thu Jul 12, 2012 10:23 pm
by gfinternet
Script URL:
Version of script: 2.3
Hosting company: StartPower
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution:

Hesk 2.3 malware

Hesk 2.3 malware detected

windows tool for remove Malware <proj@rfxn.com >

Write your message below:

Hello, we have installed HESK 2.3 three times and our hosting provider is sending this report every time we install the script:


malware detect scan report for xxxxxxxxx:
SCAN ID: 071212-0402.24093
TIME: Jul 12 04:26:36 -0430
PATH: /home*/*/public_html
RANGE: 2 days
TOTAL FILES: 9413
TOTAL HITS: 4
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/admin/admin_main.php => /usr/local/maldetect/quarantine/admin_main.php.19915
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/admin/admin_main.php => /usr/local/maldetect/quarantine/admin_main.php.26915
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/inc/footer.inc.php => /usr/local/maldetect/quarantine/footer.inc.php.17877
{HEX}gzbase64.inject.unclassed.14 : /home/xxxxxx/public_html/inc/footer.inc.php => /usr/local/maldetect/quarantine/footer.inc.php.16584
===============================================
Linux Malware Detect v1.3.7 < proj@rfxn.com >

We purchased the license today and still the malware is present, please help

Re: Malware detected hesk 2.3

Posted: Fri Jul 13, 2012 10:32 am
by Klemen
There is absolutely no malicious code in HESK. Any competent security professional who can reverse eval'd PHP code can confirm that (with over 200,000 downloaded copies of HESK rest assured a lot of developers have checked all the code).

There is some gzip base64 encoded code in HESK (it handles licensing and is located in "footer.inc.php" and "admin_main.php" files) and it looks like your antivirus marks that as a potential threat.

You should contact your hosting company and ask them to verify that nothing dangerous is inside HESK and that this is a false positive. If they are a competent company they should have no problem decoding the PHP code, verifying this and excluding the files from being automatically moved to quarantine.

That said, version 2.4 (due in a few weeks) will have license handling code rewritten and that should hopefully prevent such false positives in the future.
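
The verification described in the reply above (decoding the gzip/base64 layers to read what a flagged file contains) can be done statically, without running the PHP. This is an added example, not part of the thread and not HESK's code; it assumes the flagged code has the form `eval(gzinflate(base64_decode('...')))` with literal strings, and the function names and the sample input are constructed for illustration.

```python
import base64
import re
import zlib

# Decoders for the PHP wrapper functions commonly stacked around eval().
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib stream
    "gzdecode": lambda b: zlib.decompress(b, 31),     # gzip stream
}

# Matches eval( f1( f2( 'literal' ) ) ) for any nesting of the functions above.
WRAPPED = re.compile(
    r"eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)(['\"])([A-Za-z0-9+/=\s]+)\2[\s)]*;?"
    % "|".join(DECODERS)
)

def peel_once(php_source):
    """Decode one eval(...) wrapper statically; return None if none is found."""
    m = WRAPPED.search(php_source)
    if not m:
        return None
    funcs = re.findall(r"\w+", m.group(1))
    data = re.sub(r"\s+", "", m.group(3)).encode("ascii")
    for name in reversed(funcs):        # the innermost call is applied first
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace")

def unwrap(php_source, max_layers=20):
    """Peel nested layers; return (number_of_layers, innermost_source)."""
    layers = 0
    while layers < max_layers:
        inner = peel_once(php_source)
        if inner is None:
            break
        php_source, layers = inner, layers + 1
    return layers, php_source

def make_sample(php, depth):
    """Build a constructed test input: php wrapped `depth` times."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
        php = "eval(gzinflate(base64_decode('%s')));" % blob
    return php

if __name__ == "__main__":
    print(unwrap(make_sample("echo 'constructed payload';", 2)))
```

Nothing is executed: the decoded text is only returned for reading, so the same routine is safe to run on a file pulled from quarantine. Wrappers built from variables or string concatenation are not matched and need manual inspection.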

Re: Malware detected hesk 2.3

Posted: Fri Aug 17, 2012 6:06 pm
by nebojsar
Hello,
The same thing happened to me; we were also blocked by Google. It seems that the code has some vulnerabilities; we had to take down two other websites that we have.

best regards,

Nebojsa

Re: Malware detected hesk 2.3

Posted: Fri Aug 17, 2012 6:12 pm
by Klemen
You weren't blocked by Google for having such encoded HESK code - if you were blocked you had some other code injected into your website.

Re: Malware detected hesk 2.3

Posted: Tue Aug 21, 2012 8:50 pm
by nebojsar
Agreed, that is the exact point; I think that the code is somehow vulnerable and prone to attacks.

Re: Malware detected hesk 2.3

Posted: Wed Aug 22, 2012 4:06 pm
by Klemen
Not sure which version/patch you are using, but there are no known security issues with HESK 2.3 Patch 2 or HESK 2.4.1 (latest).