Help with SEO Helper from Jo Workman

Hello, I recently bought SEO Helper from Jo Workman, and I am extremely happy with it. The problem is that when I use it on a website, my hosting provider sends me a warning of a virus in the site. When I look at it, I find the file detected as malicious is in /rw_common/plugins/stacks/serverdebug.php
Here is the content of the file:

<pre>
<?php header('X-Robots-Tag: noindex'); ?>

Server Debug Info

<?php
// Collect the request headers, with a fallback for servers that lack getallheaders().
function get_all_the_headers() {
    $all_headers = array();
    if (function_exists('getallheaders')) {
        $all_headers = getallheaders();
    } elseif (function_exists('apache_request_headers')) {
        $all_headers = apache_request_headers();
    } else {
        // Rebuild header names from $_SERVER: HTTP_USER_AGENT becomes User-Agent.
        foreach ($_SERVER as $name => $value) {
            if (substr($name, 0, 5) === 'HTTP_') {
                $name = substr($name, 5);
                $name = str_replace('_', ' ', $name);
                $name = strtolower($name);
                $name = ucwords($name);
                $name = str_replace(' ', '-', $name);
                $all_headers[$name] = $value;
            }
        }
    }
    return $all_headers;
}

if (version_compare(PHP_VERSION, '7.2.0') <= 0) {
    echo 'You are running an unsupported version of PHP. You must be running PHP v7.2+. Your version: '.PHP_VERSION."\n";
}

$header = get_all_the_headers();
if (count($header) === 0) {
    echo "Unable to process server request headers.\n";
}

// Image support check
if (!extension_loaded('gd')) {
    echo "You do not have the PHP gd extension enabled\n";
}

// curl support check
if (!extension_loaded('curl')) {
    echo "curl extension is not enabled on this server.\n";
}

// EXIF Check
if (!function_exists('exif_read_data')) {
    echo "The exif_read_data() function is not installed.\n";
}

// lib dir
$asset_dir = __DIR__;
if (!is_writable($asset_dir)) {
    // Try to make the directory writable, then check again.
    chmod($asset_dir, 0775);
    if (!is_writable($asset_dir)) {
        echo "The lib directory is not writable. Please fix the permissions on the directory: $asset_dir\n";
    }
}
?>
<?php
// Environment summary printed on every request to this file.
echo 'PHP version: '. phpversion() ."\n";
echo 'LOCALE: '. setlocale(LC_ALL, 0) ."\n";
echo 'HTTP_HOST: '. $_SERVER['HTTP_HOST'] ."\n";
echo 'SERVER_NAME: '. $_SERVER['SERVER_NAME'] ."\n";
echo 'DOCUMENT_ROOT: '. $_SERVER['DOCUMENT_ROOT'] ."\n";
echo 'DOCUMENT_ROOT (realpath): '. realpath($_SERVER['DOCUMENT_ROOT']) ."\n";
echo 'SITE ROOT: '. preg_replace('/(.*).rw_common.+/', '$1', __DIR__) ."\n";

if (isset($_SERVER['SUBDOMAIN_DOCUMENT_ROOT']) && is_dir($_SERVER['SUBDOMAIN_DOCUMENT_ROOT'])) {
    echo 'SUBDOMAIN_DOCUMENT_ROOT (GoDaddy?): '.$_SERVER['SUBDOMAIN_DOCUMENT_ROOT']."\n";
}

if (isset($_SERVER['PHPRC']) && is_dir($_SERVER['PHPRC'])) {
    echo 'PHPRC: '.$_SERVER['PHPRC']."\n";
}

// LiteSpeed server hack. SCRIPT_NAME on shared hosting contains domain name
// This was on A2 hosting. Strip the domain out
echo 'SCRIPT_NAME: '. $_SERVER['SCRIPT_NAME'] ."\n";
echo 'POST_MAX_SIZE: '.ini_get('post_max_size')."\n";
echo 'UPLOAD_MAX_FILESIZE: '.ini_get('upload_max_filesize')."\n";
echo 'MEMORY LIMIT: '.ini_get('memory_limit')."\n";
echo 'MAX_EXECUTION_TIME: '.ini_get('max_execution_time')."\n";
?>
<?php
// Full phpinfo() dump when the request carries an "info" query parameter.
if (isset($_GET['info'])) {
    phpinfo();
}
?>
</pre>

There must be something in the code that makes the antivirus software from Haisoft believe this file is malicious. Has anybody come across anything like this?

PJ

I used SEO Helper on 3 websites; they all return the same warning on the same file.

Signature ID
SMW-INJ-03952-bkdr.phpinfo-0

/rw_common/plugins/stacks/serverdebug.php

Server malware is usually hacker’s backdoors, web-shells, malicious injections in the files, spam mailers, doorways and hacker’s tools. Usually it is located in the files written in php, pl or python.

Have you checked with your provider that you are running PHP 7.2 or greater?
The SEO stack requires that version.

You are running an unsupported version of PHP. You must be running PHP v7.2+. Your version: '.PHP_VERSION."

This script does not contain any malware. It is used to verify what is installed on the server and if certain packages are enabled. This is to help me debug a customer’s setup if I need.

The version running on my server is 7.3.7. I will talk with one of their techies later on today. I believe something triggers the malicious software alert mistakenly, but I posted it on the f

Small interruption: I posted it in case other people with different providers run into the same problem.

I just spoke to the techies. They said the end of the file is written in such a way that it triggers a false positive, because people who write malicious software sometimes use a similar script. They will send me a technical explanation later on.

Hello Jo, SEO Helper is such a good stack. Here is the response from the techies:

It appears that the file “rw_common/plugins/stacks/serverdebug.php” is detected as malicious because of the following code:

<pre>
<?php
if (isset($_GET['info'])) {
    phpinfo();
}
?>
</pre>

The signature ID shown by the anti-malware ImunifyAV is “SMW-INJ-03952-bkdr.phpinfo-0”.

If we remove the phpinfo(); command or the $_GET variable, the file is no longer detected as malicious.
So it seems that using $_GET + the phpinfo(); command leads to this; maybe it’s possible to code this without triggering this alert?
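
One way to keep a diagnostics page like this without leaving `phpinfo()` reachable by anyone who can add `?info` to the URL. This is an added example, not code from the thread or from the stack's author. `DEBUG_TOKEN_FILE`, its path and `debug_request_allowed()` are hypothetical names, and the thread does not establish whether any scanner would flag this form.

```php
<?php
// Added example, not the SEO Helper author's code.
// Hypothetical names: DEBUG_TOKEN_FILE, debug_request_allowed().
// Assumption: the token file sits outside the web root and holds one long
// random secret that the site owner shares with support when needed.

const DEBUG_TOKEN_FILE = __DIR__ . '/../../../../private/serverdebug.token';

function debug_request_allowed(array $server, array $post, string $tokenFile): bool
{
    // POST only: the secret stays out of URLs, access logs and referrers.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // No token provisioned means diagnostics stay switched off.
    if (!is_readable($tokenFile)) {
        return false;
    }
    $expected = trim((string) file_get_contents($tokenFile));
    $supplied = $post['token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison of the stored and supplied secrets.
    return hash_equals($expected, $supplied);
}

header('X-Robots-Tag: noindex');
header('Cache-Control: no-store');

if (!debug_request_allowed($_SERVER, $_POST, DEBUG_TOKEN_FILE)) {
    // Answer like a missing page so the endpoint does not advertise itself.
    http_response_code(404);
    exit;
}

// Show build, configuration and module details only. INFO_ENVIRONMENT and
// INFO_VARIABLES (environment and request variables) are left out.
phpinfo(INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES);
```

Deleting the token file turns the page off again once a support session is over.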
