Plugins, server detect malware

    • 6 posts
    April 12, 2020 12:35 AM EDT

    A strange thing happened to me today. I'm sorry for my English.

    For some time, my hosting checks all FTP files for the presence of a virus. And suddenly they inform me that I have a virus in my files. Both SocialAppTech and SocialNetworkSolutions. A few hours later, my hosting writes to me that they did an in-depth check on that and found malware in 15 files. All in plugins. From both companies. Apparently I have to deal with it immediately. It's possible they shut down my page. All malware is said to be in License files. There are currently no users on this page, so it's OK. I can reinstall the page.

     

     

    /web/application/modules/Seslisting/controllers/License.php: {HEX} Malware.Expert.generic.eval.strrot13.gzinflate.strrot13.base64.decode.0.UNOFFICIAL


    /web/application/modules/Sitecore/controllers/license/license1.php: {HEX} Malware.Expert.generic.malware.124.UNOFFICIAL FOUND


    /web/application/modules/Advancedactivity/controllers/license/license1.php: SecuriteInfo.com.JS.Obfus-1696.UNOFFICIAL FOUND

     

     

    There is, of course, more. Explanation: we use base64 encoding, the argument is not enough. If you know there is a problem with this and the servers misrepresent it as a virus, why don't you use anything else? Of course I understand that this may be a mistake. My hosting now I have to convince myself that the files are okay, even if I myself can't be convinced? Really? Should I change hosting? Really?
    It could be a false report. But it's true that it's the only piece of code that's not visible. And what's in it?
    They're just all the unexpected worries.


    This post was edited by Matus at April 12, 2020 12:36 AM EDT
    • 287 posts
    April 12, 2020 3:29 PM EDT

    I've had the same report for the advanced activity module too, on that exact file, which I believe is used for callbacks; it should be removed really.

    • 6 posts
    April 13, 2020 12:08 AM EDT

    Here is the complete output

    /modules/Sitecore/controllers/license/license1.php: {HEX}Malware.Expert.generic.malware.124.UNOFFICIAL FOUND

    /modules/Sitecore/controllers/license/request.php: {HEX}php.generic.malware.444.UNOFFICIAL FOUND

    /modules/Advancedactivity/controllers/license/license1.php: SecuriteInfo.com.JS.Obfus-1696.UNOFFICIAL FOUND

    /modules/Advancedactivity/controllers/license/license2.php: {HEX}Malware.Expert.generic.malware.67.UNOFFICIAL FOUND

    /modules/Sitevideo/controllers/license/license.php: SecuriteInfo.com.JS.Obfus-1696.UNOFFICIAL FOUND

    /modules/Sitevideo/controllers/license/license1.php: {HEX}Malware.Expert.generic.malware.67.UNOFFICIAL FOUND

    /modules/Sitevideo/controllers/license/license2.php: {HEX}Malware.Expert.generic.malware.67.UNOFFICIAL FOUND

    /modules/Sitereview/controllers/license/license1.php: {HEX}Malware.Expert.generic.malware.67.UNOFFICIAL FOUND

    /modules/Sitereview/controllers/license/license2.php: SecuriteInfo.com.JS.Obfus-1696.UNOFFICIAL FOUND

    /modules/Seslisting/controllers/Checklicense.php: {HEX}Malware.Expert.generic.eval.strrot13.gzinflate.strrot13.base64.decode.0.UNOFFICIAL FOUND

    /modules/Seslisting/controllers/License.php: {HEX}Malware.Expert.generic.eval.strrot13.gzinflate.strrot13.base64.decode.0.UNOFFICIAL FOUND

    /modules/Sitehashtag/wjyooxcv.php: {HEX}Malware.Expert.generic.malware.178.UNOFFICIAL FOUND

     

    They are all companies that are in the SocialEngine store.
    The header
    eval (base64_decode
    just search it on google.
    Maybe it's okay, but it's really very, very suspicious. It spoils the name of those companies as well as SocialEngine because it promotes them.
    Either the license control solution is really badly solved or it is an intention. Maybe it's a false alarm and it's okay. 

    I want to continue buying and working with those companies. I need them to buy more plugins. But I can't deal with such things.

    • Moderator
    • 4802 posts
    April 13, 2020 5:04 AM EDT

    Are you saying you bought them from the SocialEngine store? Normally, companies use base64 for their license routine. It can set off false malware alerts. However, you can also have malware. It's best to ask those experts who made the products if the base64 is their license. It shouldn't have a license check if you bought it in our SE store and downloaded it directly from your account.

    • 6 posts
    April 13, 2020 5:30 AM EDT

    Purchased in their store. So plugins purchased through the SocialEngine store are not a problem? Do I understand that well? Well, thank you.

    • Moderator
    • 4802 posts
    April 13, 2020 6:50 AM EDT
    Matus said:

    Purchased in their store. So plugins purchased through the SocialEngine store are not a problem? Do I understand that well? Well, thank you.

    We don't allow callbacks or third party license checks in the plugins purchased from the SocialEngine store.

  • April 13, 2020 7:40 AM EDT

    Hello Matus,

    We use a license system in our plugins to protect them from piracy. The license system uses Base64 encoding, which requires the corresponding extension to be enabled on your server. If the extension is not enabled, then the files containing encoding code are considered suspicious by the server and throw the errors you have mentioned above.

    SocialEngine uses the sku method to check the valid purchase of a product which does not have a callback. Almost all our products are available in SE Store which does not have call backs and use sku method, so if you do not want the licensed copies you can purchase our products from SE Store.

     

    If you need any other assistance, then please let us know.

     

    Regards

    Team SNS

       

    • 6 posts
    April 13, 2020 11:34 AM EDT

    Hi, your answer makes sense. Nevertheless, I have to solve it through hosting and I am waiting for their expression. I sent them your answers. My hosting is the best in my country and neighboring countries, so I trust them what they will say. I already think it was just a false alarm. But I will probably shop through the SocialEngine store.
    Thanks

    • 6 posts
    April 13, 2020 11:54 AM EDT

    OK, I just received a response from my hosting:
     
    We checked the files using b64decode (Python) and they really look like licensed files; they do not insert any content (links, JavaScript, etc.). False positive.

    You should have this information somewhere, unnecessarily causing fuss and paranoia.
    I apologize for the confusion, but such information should be given somewhere indeed to avoid problems.
    Thank you and I look forward to working with you. Topic is resolved.

     

    Thanks
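The kind of check the hosting provider describes above (decoding the flagged files instead of running them) can be scripted. The following is an added example, not part of the thread and not code from either vendor or the host: it statically peels the `eval(str_rot13(gzinflate(str_rot13(base64_decode(...)))))` chain named in the scanner signature and lists the URLs and sensitive PHP calls in the innermost source. The sample stub, its host name and its parameters are constructed for illustration.

```python
import base64, re, zlib

_LC = b"abcdefghijklmnopqrstuvwxyz"
_ROT = bytes.maketrans(_LC + _LC.upper(), _LC[13:] + _LC[:13] + (_LC[13:] + _LC[:13]).upper())

# PHP wrappers named in the scanner signature, mapped to Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(_ROT),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
}
# Matches: eval( f1( f2( ... 'literal'
LAYER = re.compile(rb"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2", re.S)
RISKY = re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru|curl_exec|file_get_contents|fsockopen)\s*\(")
URL = re.compile(rb"https?://[^\s'\"<>]+")

def unwrap(php, max_layers=20):
    """Peel eval(decoder(...'blob')) layers statically; no PHP is executed."""
    chains = []
    for _ in range(max_layers):
        m = LAYER.search(php)
        if not m:
            break
        names = [n.decode() for n in re.findall(rb"\w+", m.group(1))]
        if any(n not in DECODERS for n in names):
            break  # unknown wrapper: stop and leave it for manual review
        data = m.group(3)
        for name in reversed(names):  # the innermost call is applied first
            data = DECODERS[name](data)
        chains.append(names)
        php = data
    return php, chains

def triage(php):
    inner, chains = unwrap(php)
    return {"layers": chains, "source": inner,
            "urls": sorted(set(URL.findall(inner))),
            "calls": sorted(set(RISKY.findall(inner)))}

def _wrap(src):
    """Build the constructed sample with the same chain as the signature name."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(src.translate(_ROT)) + c.flush()
    blob = base64.b64encode(raw.translate(_ROT))
    return b"<?php eval(str_rot13(gzinflate(str_rot13(base64_decode('" + blob + b"'))))); ?>"

# Constructed stand-in for a license stub; host and parameters are hypothetical.
SAMPLE = _wrap(b"$r = file_get_contents('https://license.example.invalid/check?key='"
               b" . $key . '&module=' . $module . '&site=' . $host);")
REPORT = triage(SAMPLE)  # keys: layers, source, urls, calls
```

Reading `REPORT["source"]` alongside the `urls` and `calls` lists shows whether a flagged file only makes the license call the vendor describes or does something else.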

    • Moderator
    • 4802 posts
    April 14, 2020 4:52 AM EDT

    Glad you got it sorted out.

    • 277 posts
    April 15, 2020 2:58 AM EDT
    Matus said:

    A strange thing happened to me today. I'm sorry for my English.

    For some time, my hosting checks all FTP files for the presence of a virus. And suddenly they inform me that I have a virus in my files. Both SocialAppTech and SocialNetworkSolutions. A few hours later, my hosting writes to me that they did an in-depth check on that and found malware in 15 files. All in plugins. From both companies. Apparently I have to deal with it immediately. It's possible they shut down my page. All malware is said to be in License files. There are currently no users on this page, so it's OK. I can reinstall the page.

     

     

    /web/application/modules/Seslisting/controllers/License.php: {HEX} Malware.Expert.generic.eval.strrot13.gzinflate.strrot13.base64.decode.0.UNOFFICIAL


    /web/application/modules/Sitecore/controllers/license/license1.php: {HEX} Malware.Expert.generic.malware.124.UNOFFICIAL FOUND


    /web/application/modules/Advancedactivity/controllers/license/license1.php: SecuriteInfo.com.JS.Obfus-1696.UNOFFICIAL FOUND

     

     

    There is, of course, more. Explanation: we use base64 encoding, the argument is not enough. If you know there is a problem with this and the servers misrepresent it as a virus, why don't you use anything else? Of course I understand that this may be a mistake. My hosting now I have to convince myself that the files are okay, even if I myself can't be convinced? Really? Should I change hosting? Really?
    It could be a false report. But it's true that it's the only piece of code that's not visible. And what's in it?
    They're just all the unexpected worries.

    Hello @Matus, 

    It seems that your hosting company is detecting our SocialApps.tech non-certified plugins' license files as malicious.

    Our non-certified plugins have a license check to verify that the installation is using a valid license key, and is not a pirated product. These files just make one call to our server with: License key, module name and website URL.

    These files are encoded so that pirates are not able to bypass the license check. Because these files are encoded, certain hosting companies detect them as malicious. Advanced malware detection software does not detect these files as malicious. In the past, our Clients facing this problem have asked their hosting company to add an exception for these license files so that they are not detected as malicious. Thus, we recommend that you ask your hosting provider to do the same. [As discussed in the support ticket]


    Also, this is never performed during the normal working of a plugin. This is only performed in the respective plugin's admin panel, and whenever the license key is changed. SocialEngine's new plugin guidelines that come with certification now already perform anti-piracy checks, and as we're gradually making our plugins certified, these checks performed in the admin panel will also get removed.


    For any further help from our Support Team regarding this, please send us an email at: support@socialapps.tech, or file a Support Ticket from your SocialApps.tech Client Area.


    Thanks!


    This post was edited by SocialApps at April 20, 2020 2:14 AM EDT