By Gary Piland on Monday, 24 August 2015
Posted in General
We just installed EasyBlog 5.0.22 on a Joomla 3.4.3 site but now Sucuri is reporting the site has malware on it with this message:

Our server side scanner identified some issues on the website: sewingworkshop.com:

Warning: File possibly compromised: ./administrator/components/com_easyblog/includes/oauth/adapters/twitter/client.php (php.spam-seo.gen.007). Manual review recommended.
Warning: File possibly compromised: ./administrator/components/com_easyblog/includes/oauth/adapters/linkedin/client.php (php.spam-seo.gen.007). Manual review recommended.

Is this a false positive?

Thanks.

Hi Everyone - Looks like we are good!

Message just received from Sucuri in response to my additional information request:

I've checked those files and they were not infected. Our tools removed the following line:

require_once(dirname(__FILE__) . '/consumer.php');

and the "consumer.php" file is legit. I've restored those files to the original version. I'm truly sorry for the inconvenience caused. If you continue seeing warnings, please white-list both /linkedin/client.php and /twitter/client.php

If there is anything else we can do to help, let us know.
Saturday, 03 October 2015 00:57

Hello Gary,

I believe these are false alarms, as the Twitter and LinkedIn in EasyBlog is responsible for pushing messages to the Twitter / LinkedIn servers. There is another discussion regarding this one: http://stackideas.com/forums/malicious-blackhat-seo-in-easyblog

You may ignore these warnings.

Hope this helps and have a nice day!
Sam
Tuesday, 25 August 2015 16:40

I just had the same issue with a Sucuri scan and they said the files were infected. Please advise.
Friday, 02 October 2015 02:34

Sucuri says the EasyBlog code is being flagged as malware. We have been (nervously) ignoring the warnings.
Friday, 02 October 2015 02:56

Hi Adam & Gary,

May I know which files inside EasyBlog are being flagged as malware by Sucuri?
Friday, 02 October 2015 16:02

administrator/components/com_easyblog/includes/oauth/adapters/twitter/client.php - php.spam-seo.gen.007

administrator/components/com_easyblog/includes/oauth/adapters/linkedin/client.php - php.spam-seo.gen.007
Friday, 02 October 2015 22:39

Same issue. Attaching files "cleaned" by Sucuri for comparison with those you provide in the core download.
Friday, 02 October 2015 22:43

Hey guys,

I am just wondering why Sucuri is flagging these files as false positive. Is there some specific pattern that they are detecting?
Saturday, 03 October 2015 16:04

Hey Mark - I posted their response to me. Their scanner had an issue with the following line:

require_once(dirname(__FILE__) . '/consumer.php');
Monday, 05 October 2015 23:36

Hm, I don't see why this would be a false positive for them. It's a pretty common code :x
Tuesday, 06 October 2015 02:11
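
Added example (not part of the original thread, and not EasyBlog or Sucuri code): one way to check a flagged or "cleaned" file against the copy from the original extension package, which is the comparison the thread does by hand. The directory layout, the `compare_to_reference` helper and the sample file body are assumptions; only the two file paths and the `require_once` line come from the thread.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

FLAGGED = [
    "administrator/components/com_easyblog/includes/oauth/adapters/twitter/client.php",
    "administrator/components/com_easyblog/includes/oauth/adapters/linkedin/client.php",
]
REQUIRE_LINE = "require_once(dirname(__FILE__) . '/consumer.php');"
# Constructed stand-in for the packaged file; only REQUIRE_LINE is from the thread.
REFERENCE_SRC = "<?php\n" + REQUIRE_LINE + "\nclass SampleClient {}\n"

def compare_to_reference(site_root, reference_root, rel_paths):
    """Compare installed files with a pristine unpacked package, line by line."""
    report = {}
    for rel in rel_paths:
        site_file, ref_file = Path(site_root) / rel, Path(reference_root) / rel
        entry = {"status": "missing", "removed": [], "added": []}
        if site_file.is_file() and ref_file.is_file():
            site_bytes, ref_bytes = site_file.read_bytes(), ref_file.read_bytes()
            if hashlib.sha256(site_bytes).digest() == hashlib.sha256(ref_bytes).digest():
                entry["status"] = "identical"
            else:
                diff = list(difflib.ndiff(
                    ref_bytes.decode("utf-8", "replace").splitlines(),
                    site_bytes.decode("utf-8", "replace").splitlines()))
                entry["status"] = "modified"
                # "- " lines exist only in the package, "+ " lines only on the site.
                entry["removed"] = [l[2:] for l in diff if l.startswith("- ")]
                entry["added"] = [l[2:] for l in diff if l.startswith("+ ")]
        report[rel] = entry
    return report

def demo():
    """Build constructed reference/site trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        for rel in FLAGGED:
            for root in (ref, site):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(REFERENCE_SRC)
        # Simulate the "cleaned" twitter client: the require_once line is gone.
        (site / FLAGGED[0]).write_text(REFERENCE_SRC.replace(REQUIRE_LINE + "\n", ""))
        return compare_to_reference(site, ref, FLAGGED)

if __name__ == "__main__":
    for rel, result in demo().items():
        print(result["status"], rel, "removed:", result["removed"], "added:", result["added"])
```

A file that differs only by lines in `removed` has lost code relative to the package and should be restored from the package; lines in `added` are what need manual review.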