ClamAV detects a virus (coinminer) in phpList

My server-provider refuses to load up the upgrades 3.3.7 or .8 and tells me it has a virus.

Virus: Txt.Trojan.Coinminer-6840768-0

Found by: clamav

It seems to be true. I double-checked on VirusTotal and they also found the virus in the file lists.zip.

Any idea what I can do?

@aohren Thank you for reporting this. How are you trying to upgrade - where did you download the 3.3.8 update file from?

@samtuke @aohren This problem has just happened on my shared hosting account, causing the account to be suspended. I had just upgraded to 3.3.9-RC1 and ClamAV found a problem with the same file in the new release and in the backup of phpList 3.3.8 that was made.

Critical! - File Access Disabled - /home/dcameron/public_html/lists/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js - ['/home/dcameron/public_html/lists/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js'] - ClamAV detected virus = [Txt.Trojan.Coinminer-6840768-0]

Critical! - File Access Disabled - /home/dcameron/phplist/update/lists_3.3.8_201902051842/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js - ['/home/dcameron/phplist/update/lists_3.3.8_201902051842/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js'] - ClamAV detected virus = [Txt.Trojan.Coinminer-6840768-0]

In my case the file that appears to fail scanning by ClamAV is in the KCFinder package within the CKEditor plugin. I have compared the file in the 3.3.9-RC1 zip file to that in the Github repository and they are the same, so as the file has not changed then I guess it may be false positive with ClamAV.

1 Like
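As an added example (not code from this thread, from phpList or from the CKEditor plugin), a small Python helper that parses hosting-panel alert lines of the kind quoted above, groups them by ClamAV signature, and checks a flagged file against the same file from an upstream release by hash, which is the comparison duncanc describes doing by hand against the GitHub repository. The sample alert lines, paths and file contents are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample alerts in the format of the hosting-panel notices quoted in this
# thread (paths shortened; the signature name is the one reported here).
SAMPLE_ALERTS = [
    "Critical! - File Access Disabled - /home/u1/public_html/lists/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js"
    " - ['/home/u1/public_html/lists/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js']"
    " - ClamAV detected virus = [Txt.Trojan.Coinminer-6840768-0]",
    "Critical! - File Access Disabled - /home/u1/phplist/update/lists_3.3.8/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js"
    " - ['/home/u1/phplist/update/lists_3.3.8/admin/plugins/CKEditorPlugin/kcfinder/cache/base.js']"
    " - ClamAV detected virus = [Txt.Trojan.Coinminer-6840768-0]",
    "Some unrelated notice line that should be ignored",
]

ALERT_RE = re.compile(
    r"File Access Disabled - (?P<path>\S+) - \[.*?\] - ClamAV detected virus = \[(?P<sig>[^\]]+)\]"
)


def parse_alerts(lines):
    """Extract (path, signature) pairs from alert lines; non-matching lines are skipped."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def group_by_signature(hits):
    """Map each signature to the sorted files it fired on, to see whether a single
    signature explains every hit (as here: one KCFinder file in two locations)."""
    groups = defaultdict(set)
    for path, sig in hits:
        groups[sig].add(path)
    return {sig: sorted(paths) for sig, paths in groups.items()}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_against_reference(flagged, reference):
    """Compare the flagged file's bytes with the same file from an upstream release.
    A byte-identical copy is consistent with a false positive and worth reporting to
    the AV vendor; any difference means the installed copy was modified and must be
    investigated before the detection is dismissed."""
    if sha256_hex(flagged) == sha256_hex(reference):
        return "identical-to-upstream"
    return "differs-from-upstream"
```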

Other people (at least one) have found the same problem with the same file and think it is a false positive
http://www.webassist.com/forums/posts.php?id=41843

1 Like

@duncanc I have just checked the versions of this file (base.js), and the versions present on download.phplist.org (used by the automatic updater), on Sourceforge, and in your CKEditor plugin repo (where this file has not been changed since 2014) are all identical. Therefore it does indeed look like this is a false positive from ClamAV.

@duncanc Are you able to upgrade jQuery from v1.11.0 (the version in KCFinder) to 2.x? According to your webassist link this may avoid ClamAV misdetection. Has KCFinder not upgraded jQuery in all this time?

It appears that ClamAV may have only added the virus detection signature in question (Win.Trojan.Cryxos-6840828-0) 3 days ago: https://lists.gt.net/clamav/virusdb/74763

I have reported a false positive to ClamAV for that file, so need to wait to see whether anything results.
Tomorrow I will look at changing the plugin to either remove that file or upgrade the two jquery files.

2 Likes

Thanks very much Duncan

@samtuke
@duncanc
Thank you very much for your investigation. Good job!

1 Like

@samtuke I have replaced the jquery and jquery-ui files within the KCFinder package with versions 1.12.4 and 1.12.1 respectively. I also removed all of the pre-cached files from the cache subdirectory, as I found that they are regenerated when needed.

While testing this I received another email from my hosting company about the file base.js having a virus (a different name this time). That file had been generated dynamically by KCFinder but using the old jquery files.
I had a few versions of my change present also and in those the dynamically-generated base.js file was not reported, which sounds hopeful.

@aohren I think that you will need to stick with your current phplist release until this problem is resolved. Hopefully the modified CKEditor plugin will be included in the pending 3.3.9 release.

1 Like

Okay, no problem. Thanks Duncan.

@duncanc Using your updated CKEditor, I can confirm that ClamAV detects no problems with the unused (uncached) files. I have used the installation with CKEditor and KCFinder but no files have yet been cached, so the troublesome base.js hasn’t been created. The KCFinder config doesn’t include caching settings; presumably caching is enabled by default.
Do you know how to force the cached files to be created, so that I can scan them with ClamAV?

My recollection is that some of the files were regenerated the first time that I went into the file browser as there was a slight delay in the display of the file images.
But you can try right-clicking on a file in the browser then renaming it. Maybe the initial browsing view doesn’t need the js files.

Update - On the file browser do ctrl-F5 to force a refresh. I guess the browser had been caching something.

Still no cached files are generated on my system (multiple browsers, plus cleared cache for all sites). It could be a permission issue related to the ability to create files, but I don’t think so. Therefore I can’t try scanning the newly generated cached files.

@samtuke I just tried again

  • removed files from kcfinder/cache directory
  • logged-out of phplist then logged-in
  • edited a campaign and went to the file browser which displayed correctly
  • the cache directory was still empty
  • did ctrl-F5 to refresh the file browser then the cache directory was populated

I will send a private message with the generated base.js file.

1 Like

@duncanc Following your steps worked, and I confirm no problems found by ClamAV in the generated cached files. Suela plans to release a new RC including the update.

The new Release Candidate for phpList 3.3.9 that includes this update is now available for download. You can either update automatically or download the release here.

Thank you very much …<3
Can I switch directly from 3.3.6 to 3.3.9?

Yes, you should be able to do that using the manual upgrade procedure:

Once you upgrade to phpList 3.3.9 you will be able to use the Automatic Upgrade process.

1 Like