WXforum.net
Author Topic: buoy-data.php as MALWARE ??? [resolved]  (Read 467 times)
w2swr
« on: July 09, 2012, 10:17:46 AM »

I was contacted by my web host. They asked me to remove both copies I run of buoy-data.php until this can be resolved. Below is a copy of their report. Why is this being detected as malware and can it be corrected?

Quote
malware detect scan report for alexandria75.etcserver.com:
SCAN ID: 070912-0822.11976
TIME: Jul 9 08:53:41 -0500
PATH: /home/%%%%%%/public_html
TOTAL FILES: 24357
TOTAL HITS: 2
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 070912-0822.11976
FILE HIT LIST:
{HEX}php.include.remote.439 : /home/%%%%%%/public_html/$$$$$$/weather/buoy-data.php
{HEX}php.include.remote.439 : /home/%%%%%%/public_html/##########/wx/buoy-data.php
===============================================
Linux Malware Detect v1.4.1 < proj@rfxn.com >

I attached the file as a txt for all to examine.

Thanks Mike
« Last Edit: July 09, 2012, 02:02:56 PM by saratogaWX »

saratogaWX
« Reply #1 on: July 09, 2012, 12:24:34 PM »

Wow, startling headline, but not totally accurate.  The buoy-data.php script you attached (and the distributed one) are both malware-free.

It appears that what the Linux Malware Detect v1.4.1 is griping about is the use of include("buoy-data.php") and not even the HTTP version of the include (which would be viewed as suspicious if it is on a different domain).

You didn't include the contents of the page that is loading buoy-data.php, so it's hard to tell just why the Linux Malware Detect software is griping about a perfectly ordinary PHP method of invoking a script.  If you're using something like:

In the <head></head> part of the including page, put:

<?php
 $doPrintBUOY = false;
 include("buoy-data.php");
 print $BUOY_CSS;
 ?>

in the <body></body> part of the including page, put:

<?php print $BUOY_MAP; ?>
<?php print $BUOY_TABLE ?>

If you need to center the map and table on the page, don't use <center></center> or <div align="center"></div> as it will cause the map display to offset from the background map. Instead use in the <body></body> part:

 <table width="99%">
 <tr><td align="center">
   <table width="100%">
   <tr>
     <td align="center">
      <?php print $BUOY_MAP; ?>
     </td>
   </tr>
   <tr>
     <td align="left">
     <?php print $BUOY_TABLE ?>
     </td>
   </tr>
   </table>
   </td></tr>
 </table>

to load your buoy-data.php script in your page, there should be no false-positive indications from the Linux Malware Detect software.

Best regards,
Ken

Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
w2swr
« Reply #2 on: July 09, 2012, 12:43:54 PM »

I don't think I ever edited the wxbuoy.php file, the "page that is loading buoy-data.php". I am attaching it as a txt file as well.

saratogaWX
« Reply #3 on: July 09, 2012, 01:01:28 PM »

No malware there, nor is there improper use ..

I'd suggest contacting the hoster to ask about the false-positive report and get it resolved with them.

What you're doing with the script and the including page are both proper use and shouldn't be flagged by their detector.

Best regards,
Ken
w2swr
« Reply #4 on: July 09, 2012, 01:39:31 PM »

Ken,

I removed the following lines:

// in the <head></head> portion of your page insert
// <?php include("http://your.website/buoy-data.php?inc=CSS");
// and in the <body> portion where you'd like the map/table to appear
// <?php include("http://your.website/buoy-data.php?inc=Y");
// Note: you must include the CSS in your <head> part otherwise the
// mesomap will not be formatted correctly.

I had my host re-scan for malware and the scan came back clean.

Thanks for your help,

Mike

saratogaWX
« Reply #5 on: July 09, 2012, 02:02:27 PM »

Ah... that would do it.. Glad it's all sorted out now :)

Best regards,
Ken
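In this thread the scan came back clean once the commented-out `include("http://...")` usage notes were removed, which is what a signature matched against raw file content would do. As an added example (not part of the thread, and not code from buoy-data.php or Linux Malware Detect), the PHP script below uses the tokenizer to tell whether a remote-URL include in a flagged file is executable code or only comment text; `findRemoteIncludes()` and the sample source are constructed for illustration.

```php
<?php
// Added example: triage a "remote include" signature hit by checking whether
// the matching text is executable PHP or only sits inside a comment.
// findRemoteIncludes() and $sample are constructed for illustration.
function findRemoteIncludes(string $source): array
{
    $includeTokens = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $commentRe = '~\b(?:include|require)(?:_once)?\s*\(?\s*["\'](?:https?|ftp)://~i';
    $tokens = token_get_all($source);
    $count = count($tokens);
    $hits = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i])) {
            continue; // single-character tokens such as ";" or "("
        }
        [$id, $text, $line] = $tokens[$i];
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            // Inert text: a byte-pattern scanner still sees it, PHP never runs it.
            if (preg_match($commentRe, $text)) {
                $hits[] = ['line' => $line, 'where' => 'comment'];
            }
        } elseif (in_array($id, $includeTokens, true)) {
            // Live statement: inspect the first string literal before it ends.
            for ($j = $i + 1; $j < $count && $tokens[$j] !== ';'; $j++) {
                $t = $tokens[$j];
                if (is_array($t) && $t[0] === T_CLOSE_TAG) {
                    break; // "?>" also terminates the statement
                }
                if (is_array($t) && $t[0] === T_CONSTANT_ENCAPSED_STRING) {
                    if (preg_match('~^["\'](?:https?|ftp)://~i', $t[1])) {
                        $hits[] = ['line' => $line, 'where' => 'code'];
                    }
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample: the commented usage notes quoted in the thread,
// followed by the local include the thread recommends.
$sample = <<<'SRC'
<?php
// <?php include("http://your.website/buoy-data.php?inc=CSS");
// <?php include("http://your.website/buoy-data.php?inc=Y");
$doPrintBUOY = false;
include("buoy-data.php");
SRC;
foreach (findRemoteIncludes($sample) as $hit) {
    echo "line {$hit['line']}: remote include in {$hit['where']}\n";
}
```

Only literal URL strings are checked; an include whose path is built from variables or string interpolation still needs manual review.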