Malware

doxo_NL

My provider claims that there is malware in Microthemer

File: www/wp-content/plugins/microthemer/tvr-microthemer.php
Malware type: {HEX}Malware.Expert.multipart.form.upload.upload.zip.upload.upload.upload.upload.upload.upload

What can I do?


Sebastian

UPDATE 1: I’m now confident that this is a false positive. I’ve already worked with one web host (20i) who has confirmed that Microthemer was misidentified as malware. They have updated their malware scanning rules, so running another scan on 20i hosting should come up clean.

So far, I have received one report from a 20i customer, and two reports from TransIP hosting customers. I suspect that TransIP use the same malware scanner as 20i, but not the same web hosting infrastructure, so I am having to work through this with them separately. I will post an update here in due course.

UPDATE 2: The other web host (TransIP) that was flagging MT as malware has also acknowledged that it was a false positive and has updated their malware scanner rules. If you could try scanning again and let me know if it comes up clean, that would be very helpful. Thanks!

Hi Paul,

Thanks for bringing this to my attention. It may be a false positive, but I would like to investigate this issue very thoroughly.

There is a multipart form upload feature in Microthemer by design. It’s to allow for importing and exporting your Microthemer designs as a zip file (containing CSS settings, background images, and json config files). It’s possible that the scanner is regarding that as suspicious. But it’s also possible that the files have been tampered with. I will try to rule that out.

To help me get to the bottom of this, it may be necessary to work with the provider that flagged the Microthemer file as malware. Who is your provider?

Also, I’ve requested that you send me a copy of the /wp-content/plugins/microthemer directory on your server via the conversation you open via live chat. Once I’ve got that, I can do a full directory file compare to make sure every file is as it should be.

Many thanks,
Sebastian


Sebastian

As I suspected, your Microthemer files are exactly the same as the official release version – so there has been no tampering. The malware scanner is simply flagging code that I have written as suspicious because it contains a file upload form. Microthemer is using this legitimately, to allow for importing design packs between sites. It is only available for logged-in admins, and has the necessary CSRF protection. File upload forms are also used by hackers, however, to allow them to add malicious content to sites, and that is probably why the scanner is misidentifying Microthemer in this case.
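The "full directory file compare" used above to rule out tampering can be reproduced by hashing a deployed plugin directory against a pristine copy of the official release. The script below is an added example, not Microthemer's own tooling; it builds two small constructed directory trees for demonstration, and the file names and contents in it are placeholders.

```python
"""Compare a deployed plugin directory with a pristine copy of the official
release, file by file, using SHA-256 (constructed example, not project code)."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets (images, zips) need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }

def compare_trees(deployed: Path, reference: Path) -> dict:
    """Return modified / missing / unexpected file lists. All three empty means
    the deployed copy matches the official release byte for byte."""
    got, want = hash_tree(deployed), hash_tree(reference)
    return {
        "modified": sorted(f for f in want if f in got and got[f] != want[f]),
        "missing": sorted(f for f in want if f not in got),
        "unexpected": sorted(f for f in got if f not in want),
    }

def demo() -> dict:
    """Build two constructed plugin trees and compare them (hypothetical files)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "official" / "microthemer"
        dep = Path(tmp) / "server" / "microthemer"
        for base in (ref, dep):
            (base / "includes").mkdir(parents=True)
            (base / "tvr-microthemer.php").write_text("<?php // plugin main file\n")
            (base / "includes" / "import.php").write_text("<?php // zip import\n")
        # Simulate an altered include and a file that is not part of the release
        (dep / "includes" / "import.php").write_text("<?php // zip import\n// altered\n")
        (dep / "extra.php").write_text("<?php // not in the official release\n")
        return compare_trees(dep, ref)

if __name__ == "__main__":
    print(demo())
```

Running it against a real install means pointing `compare_trees` at the server's `/wp-content/plugins/microthemer` and at the unpacked official release zip of the same version; any entry in the three lists is what to inspect before trusting a scanner verdict either way.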