Risk: plugin contain CPRBD72.Webshell

This topic contains 3 replies, has 3 voices, and was last updated by s dw 9 months, 1 week ago.

Viewing 4 posts - 1 through 4 (of 4 total)

Author

Posts
December 1, 2016 at 3:39 pm #18196

Zaki Sp
Participant

I just scanned the plugin : The WPMU DEV Google Maps Plugin

i found : CPRBD72.Webshell in the plugins

What does this mean?

December 1, 2016 at 4:47 pm #18197

7h3h
Keymaster

It first of all means that you most likely used virustotal.com, which is a great online service providing antivirus analysis routines from 54 different antivirus routines. 53 show a green checkmark (no known viruses or malware found) and only Bkav says “CPRBD72.Webshell”…

Now this either means that Bkav is the only one who was able to detect this webshell and the others failed or Bkav gave a false positive.

When you do some research on Google about “Bkav Antivirus” you will learn that they have specialized on Android…

Looks pretty much like a false positive, huh?

Why does Bkav do this? When you examine the .php file of which Bkav thinks that it contains the webshell, you will find some BASE64 code, which is contains the WPMUDEV logo. Using BASE64 Code in php is a a very ugly thing to do but unfortunately what WPMUDEV does and what most likely triggers the false positive.

December 1, 2016 at 5:04 pm #18198

Zaki Sp
Participant

Thank you for the quick reply and the explanation! I understand

I even i downloaded the free version from WPMUDEV website and scanned it Bkav detect a webshell in in it even it’s from official developer website

Thank you very much!

July 17, 2017 at 6:29 pm #19153

s dw
Participant

to be safe remove the base64 code and replace with your own logo.
Author

Posts