MalCure Scan detects suspicious files and a criticality

I converted a WP site to a CP site.
Of course I uninstalled all the plugins beforehand. And since it didn’t let me switch via plugin (I don’t know the reasons, because the WP version was 4.9 and all the checks were green - and honestly, I haven’t investigated that much), I proceeded with the manual update of the core files via ftp. Everything else came by itself.

However, when I reinstalled the MalCure Scan plugin (excellent for detecting malicious code injections in the core files), it identified a series of critical issues. Especially in the plugins.php file. Looking at it I found nothing alarming. But yet…

Anyone have any news about it? Could they be false flags?

I assume MalCure plugin was active on 4.9 and did not show any warnings for this file? Just want to confirm.

The reason automatic migration might not have worked could be related to server resources (memory, execution time, etc) or file permission issue somewhere. Checking error log could shed some light.

According to their website

Checks integrity of the WordPress core files & plugins

it could be similar to WordFence which compares the hash of the file to a known hash, and that wouldn’t match for ClassicPress.

What is the actual “Severe” issue?
Is there some more detail about what exact code, or part of the file, is “Severely critical”?

If it is just the file it may very well be what @joyously points out. I think there was a thread about that in the forum recently, the hashes do not match, but it would be a false alarm in this case.

However to confirm we’d need to know what the precise message or warning is, other than the Red “Severe”, there must be some more details?

It gives no further information, except here, when you click the “Request Malware Cleanup” button once the scan is done.
kj742L must be the name of the malware.

In the end, I also believe that it is a question of different hashes. Because the file looks clean to me. I did not find any suspicious code, also because these are core files taken directly from the zip downloaded from the official Classicpress website.
It is also likely that, as in the plugins.php file, the internet addresses are from WP have been replaced with those from CP, these are seen by the plugin as a malicious injection attempt.
That’s why what Viktor says is interesting. You should test the plugin with WP version 4.9 to see if it gives the same warning. As soon as I have the chance I try.

However, being a plugin designed for WP, it is likely to be extremely sensitive to even small core changes.

Yeah, these are false flags… and this plugin’s design looks to be not-so-great because it says there is an “unknown” or “severe” issue but it doesn’t tell you what the issue actually is.

For ClassicPress, you might try Shield Security instead: Shield Security now tailored for CP

1 Like