Malware found in conditionsaction.php

1 month 1 week ago #199936 by Dollys
Hi,

My LimeSurvey is self-hosted and my host found malware Generic:PHP/Backdoor.A in the file application/controllers/admin/conditionsaction.php
I downloaded this file from the website www.limesurvey.org/lts-releases-download
CE release 3.22.14 and 3.22.16 are the same files: conditionsaction.php
This error is in the original downloaded files from both versions.

Does someone know why this file is recognized as Malware? Is this file Malware?
How can I solve this problem?

Regards, Dollys

1 month 1 week ago #199940 by DenisChenu
Since you can look at code : github.com/LimeSurvey/LimeSurvey/blob/ma...conditionsaction.php

I don't think it's malware … except if yours are different …

False positive : see with your host the tool they used.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development. I don't answer to private message.

1 month 1 week ago #199944 by Dollys
Thank you!
A lot different between the 2 files. I have replaced it and requested a new security scan by the host.
I'll let you hear the result, it can take a few hours.

1 month 1 week ago - 1 month 1 week ago #199948 by jelo

DenisChenu wrote: Since you can look at code : github.com/LimeSurvey/LimeSurvey/blob/ma...conditionsaction.php

The GitHub file should be different, because you linked to the master, not the LTS.
github.com/LimeSurvey/LimeSurvey/blob/3....conditionsaction.php


The LTS-repository file and the file in the download file are 100% identical. So not simple modification or replacement by an unknown party.

Dollys wrote: my host found malware Generic:PHP/Backdoor.A in the file application/controllers/admin/conditionsaction.php


With "my host" you mean your provider? You got an email with the info that conditionsaction.php was classified as "Generic:PHP/Backdoor.A"?

Would be interesting to know what tool/signature database was used. Currently it looks like a false positive as Denis already stated.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
Last edit: 1 month 1 week ago by jelo.
The following user(s) said Thank You: DenisChenu

1 month 1 week ago #199953 by Dollys
Thank you for the reply.

Yes, host I meant provider.

The file also was marked as Malware from Master-github.
I replace the new file and asked for a new scan.

It's found with www.patchman.co/
Do you know this tool?

1 month 1 week ago #199956 by jelo

Dollys wrote: I replace the new file and asked for a new scan.

The file you downloaded from GitHub is not the LTS version but the master version. So it is quite normal that there are differences. I recommend to revert that replacement.

Thanks for providing infos about the scantool. I haven't used it.

1 month 1 week ago #199957 by DenisChenu

jelo wrote:

DenisChenu wrote: Since you can look at code : github.com/LimeSurvey/LimeSurvey/blob/ma...conditionsaction.php

The GitHub file should be different, because you linked to the master, not the LTS.
github.com/LimeSurvey/LimeSurvey/blob/3....conditionsaction.php

Totally right !

jelo wrote: The LTS-repository file and the file in the download file are 100% identical. So not simple modification or replacement by an unknown party.

Thanks :)

1 month 1 week ago #199962 by Dollys
I replaced the file with the LTS one and also this file, after a check from Patchman, results in: "malware Generic:PHP/Backdoor.A"

1 month 1 week ago #199982 by Dollys
The provider asked the makers of Patchman for the file.
I'm waiting for it and will let you know.

1 month 1 week ago #200051 by Dollys
It's a false positive detection.
The makers of Patchman said so and added this to Patchman so it never happens again.
Thank you for the support!
Regards
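
The check the thread relies on, comparing the deployed files byte for byte against an extracted copy of the same release branch (LTS, not master), as an added example that is not part of the original posts or LimeSurvey's own code. The function names and the sample trees are hypothetical and constructed; point `compare_tree` at your installation and at the unpacked release archive of the exact version you run.

```python
import tempfile
from pathlib import Path

def compare_file(deployed: Path, reference: Path) -> str:
    """Classify one deployed file against the release's copy of it."""
    if not reference.is_file():
        return "not-in-release"   # e.g. an uploaded or planted file
    if not deployed.is_file():
        return "missing"
    d, r = deployed.read_bytes(), reference.read_bytes()
    if d == r:
        return "identical"
    # ASCII-mode FTP uploads rewrite line endings; report that separately.
    if d.replace(b"\r\n", b"\n") == r.replace(b"\r\n", b"\n"):
        return "eol-only"
    return "modified"

def compare_tree(deployed_root, reference_root, pattern="*.php") -> dict:
    """Return {relative path: status} for every file that is not identical."""
    dep, ref = Path(deployed_root), Path(reference_root)
    rel = {p.relative_to(dep) for p in dep.rglob(pattern)}
    rel |= {p.relative_to(ref) for p in ref.rglob(pattern)}
    report = {}
    for path in sorted(rel):
        status = compare_file(dep / path, ref / path)
        if status != "identical":
            report[path.as_posix()] = status
    return report

def build_sample(root: Path):
    """Constructed sample trees (not real LimeSurvey code)."""
    flagged = "application/controllers/admin/conditionsaction.php"
    files = {
        "reference": {flagged: b"<?php\n// release copy\n", "index.php": b"<?php\necho 1;\n"},
        "deployed": {flagged: b"<?php\n// release copy\n", "index.php": b"<?php\r\necho 1;\r\n",
                     "upload/x.php": b"<?php // not shipped\n"},
    }
    for tree, entries in files.items():
        for rel, body in entries.items():
            target = root / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
    return root / "deployed", root / "reference"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, status in compare_tree(*build_sample(Path(tmp))).items():
            print(f"{status:15} {path}")
```

A flagged file that comes back identical to the matching release points toward a scanner false positive; `modified` and `not-in-release` entries are the ones to review by hand.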