maldet and possible false positives?

Zeno McDohl · 07-27-2013, 08:03 PM

I have been using maldet for many months and it's worked fine up until now. As of about a week ago, it is detecting a mass {HEX}PHP.Bypassshell in nearly every PHP file. I even downloaded a clean copy of Joomla 3 and it still detected that within the PHP files.

Any thoughts on what the problem could be? Sample results:

Quote:

malware detect scan report for xxxxxxxx: SCAN ID: 072513-1957.12823 TIME: Jul 25 19:58:04 -0400 PATH: /home/xxxxx/public_html/testnew/ TOTAL FILES: 5549 TOTAL HITS: 361 TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 072513-1957.12823 FILE HIT LIST: {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/com_categories/categories/default.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/com_menus/items/default.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/layouts/joomla/edit/details.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_cache/models/cache.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_cache/controller.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_content/models/article.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_content/models/fields/modal/article.php .......... {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/field.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/color.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/checkbox.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/databaseconnection.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/note.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/rule.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/oauth1/client.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/session/storage.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/profiler/profiler.php ..........

unSpawn · 07-28-2013, 05:17 PM

Quote:

Originally Posted by Zeno McDohl

I even downloaded a clean copy of Joomla 3 and it still detected that within the PHP files.

Then inform the vendor of the false positives?