LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-27-2013, 08:03 PM   #1
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 321

Rep: Reputation: 30
maldet and possible false positives?


I have been using maldet for many months and it's worked fine up until now. As of about a week ago, it is detecting a mass {HEX}PHP.Bypassshell in nearly every PHP file. I even downloaded a clean copy of Joomla 3 and it still detected that within the PHP files.

Any thoughts on what the problem could be? Sample results:

Quote:
malware detect scan report for xxxxxxxx: SCAN ID: 072513-1957.12823 TIME: Jul 25 19:58:04 -0400 PATH: /home/xxxxx/public_html/testnew/ TOTAL FILES: 5549 TOTAL HITS: 361 TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 072513-1957.12823 FILE HIT LIST: {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/com_categories/categories/default.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/com_menus/items/default.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/templates/hathor/html/layouts/joomla/edit/details.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_cache/models/cache.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_cache/controller.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_content/models/article.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/administrator/components/com_content/models/fields/modal/article.php .......... {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/field.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/color.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/checkbox.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/databaseconnection.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/fields/note.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/form/rule.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/oauth1/client.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/session/storage.php {HEX}PHP.Bypassshell : /home/xxxxxx/public_html/testnew/libraries/joomla/profiler/profiler.php ..........
 
Old 07-28-2013, 05:17 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by Zeno McDohl View Post
I even downloaded a clean copy of Joomla 3 and it still detected that within the PHP files.
Then inform the vendor of the false positives?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
snort false positives baronobeefdip Linux - Security 5 02-23-2013 11:46 AM
Rkhunter false positives? Amdx2_x64 Linux - Security 2 10-25-2010 05:19 PM
unable to remove rkhunter false positives. permalac Linux - Security 2 11-07-2008 01:23 PM
apache / mod_security: fixing false positives jrtayloriv Linux - Server 3 03-01-2008 04:03 PM
Chkrootkit False Positives Sabicas Linux - Software 0 08-03-2004 12:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration