New Security Tab / Malicious Files

aaP_dave

As a start, I've been using aaPanel for many years and it's a great product - thanks for all your hard work.

The new scanner in the latest version appears to be very buggy in the detection of what files actually are malicious. I've had numerous detections all with the threat tag "WebShell".

The files reported are often standard Wordpress files or from popular plugins such as WPSMTP, WPforms etc.

In the cases where it's detected Wordpress files as being malicious I've compared to GitHub and the files are identical, the code is the same line by line.

Scanning with the new ClamAV plugin returns no detections with the exception of /www/server/panel/data/safeCloud which is already mentioned/covered in another topic.

Short term, is there a way to clear these errors? I'm tempted to turn off malicious scanning until you've ironed out the bugs.

aaP_ceo29

These are false positive and its common on webshell checkers tools.

A "webshell" is a malicious script that allows an attacker to run commands on your server, write files, and make network connections. To do this, they use specific, powerful PHP functions like file_put_contents(), curl_exec(), passthru(), and eval().

The aaPanel scanner's job is to look for any .php file that uses these "dangerous" functions. Safecloud uses public yara webshell rules (open source)

The problem is that many legitimate, powerful plugins also need to use these exact same functions to do their jobs.
in my case two plugin files were flaged (Really Simple SSL and Simple Form upload file.)

Since they did not put a feature to ignore these detentions, i found a way to ignore these files during scan.

in: /www/server/panel/data/safeCloud these is a config.json file, you can put the directory where those files are in the field "exclude_dirs":.
however only exclude directories. i cannot see a field there where you can exclude specific files.

to clean the warnings from the GUI, clean the detentions log files at `/www/server/panel/data/safeCloud/log``, these will clear the warnings in the plugin.

Then Scan again.

aaP_dave

aaP_ceo29

Thanks for looking into it in such detail. I can confirm deleting the logs from /www/server/panel/data/safeCloud/log does remove the detections.

As it stands I've turned off the malware scan for now, there's too many false positives to warrant any trust or belief in the scan as it currently stands.

@aaPanel_Kern

Is there a way to disable just the webshell component of this scan? Or at least implement a safelist of known Wordpress plugins that use functionality within PHP that can be malicious/abused?

Another way of looking at this might be something like Wordfence. Where it detects files that have been modified and compares against known good copies of the files/plugins.

aaPanel_Kern

Thank you for your feedback, we will optimize this part in the future

aaPanel_Kern

Turn off
aaP_dave

aaP_ceo29

aaP_dave

If you are using wordpress toolkit, there is a option to check the wordpress file against the original file to determine if they were tampered. it just checkes the MD5SUM of the file and compares to the original file from wordpress. YOu can also do it manually, download wordpress and check the MD5 using md5sum finename.php.

it will give you an hash number and compare that to your current file. if doesn't match means the file was tampered.

Note that i would recommend the manual method, because the wordpress toolkit method is also flawed, it only checked against the original us version of wordpress files. If you have a wordpress in a different language, or even different us language version, it will detect that the files were modified. But if you do it manually then you can download the wordpress files from the WordPress site specifically for the language pack you are using.

For plugins is the same thing. just download the original plugin version files from wordpress and check md5 hash.

Another is to to use their premium plugin Website Tamper-proof. i never used so i cannot tell you how it works, but the plugin description is specifically to detect if the files were tampered with.