Hi, I’m getting a “known threat” on two iThemes Security core files. Hovering over the numbered link, I get: “php class Variable Functions new CLASS” (the same on both files). Clicking the link highlights the whole file. I don’t see anything malicious in the files, and previous scans have not flagged them. Here they are as presented to me by the Anti-Malware plugin:
better-wp-security/core/modules/backup/setup.php
<?php
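/**
 * Install-state migrations for the backup module.
 *
 * The constructor attaches the uninstall and upgrade handlers to the
 * 'itsec_modules_do_plugin_uninstall' and 'itsec_modules_do_plugin_upgrade'
 * actions; all work happens when those actions fire.
 */
class ITSEC_Backup_Setup {

	/**
	 * Register the uninstall and upgrade callbacks.
	 */
	public function __construct() {
		add_action( 'itsec_modules_do_plugin_uninstall', array( $this, 'execute_uninstall' ) );
		add_action( 'itsec_modules_do_plugin_upgrade', array( $this, 'execute_upgrade' ) );
	}

	/**
	 * Execute module uninstall
	 *
	 * Removes the legacy 'itsec_backup' site option.
	 *
	 * @return void
	 */
	public function execute_uninstall() {
		delete_site_option( 'itsec_backup' );
	}

	/**
	 * Execute module upgrade
	 *
	 * Each step runs when $build is below that step's threshold, so an old
	 * install passes through every later step in order.
	 *
	 * @param int $build Build number compared against each migration threshold.
	 *                   NOTE(review): presumably the previously installed build;
	 *                   confirm against the code that fires the upgrade action.
	 *
	 * @return void
	 */
	public function execute_upgrade( $build ) {

		if ( $build < 4000 ) {

			global $itsec_bwps_options;

			$current_options = get_site_option( 'itsec_backup' );

			// Don't do anything if settings haven't already been set, defaults exist in the module system and we prefer to use those
			if ( false !== $current_options ) {

				// Loose == kept as in the original. NOTE(review): the legacy flag may be stored as 1 or '1'; confirm.
				$current_options['enabled']  = isset( $itsec_bwps_options['backup_enabled'] ) && $itsec_bwps_options['backup_enabled'] == 1;
				$current_options['interval'] = isset( $itsec_bwps_options['backup_interval'] ) ? intval( $itsec_bwps_options['backup_interval'] ) : 1;

				update_site_option( 'itsec_backup', $current_options );

			}

		}

		if ( $build < 4040 ) {

			$backup_options = get_site_option( 'itsec_backup' );

			// The option can be missing (false) or lack 'location'; only touch the
			// filesystem when a usable directory path is actually stored.
			$backup_dir = '';

			if ( is_array( $backup_options ) && isset( $backup_options['location'] ) && is_string( $backup_options['location'] ) ) {
				$backup_dir = $backup_options['location'];
			}

			// Make sure we have an index file to block directory listing in backups directory.
			// This only stops the directory from being listed; it does not by itself stop a
			// direct request for a backup file whose name is already known.
			if ( '' !== $backup_dir && is_dir( $backup_dir ) ) {

				$index_file = path_join( $backup_dir, 'index.php' );

				if ( ! file_exists( $index_file ) ) {
					// Best effort: the result is not checked, as in the original.
					file_put_contents( $index_file, "<?php\n// Silence is golden." );
				}

			}

		}

		if ( $build < 4041 ) {

			$current_options = get_site_option( 'itsec_backup' );

			// If there are no current options, go with the new defaults by not saving anything
			if ( is_array( $current_options ) ) {

				// Make sure the new module is properly activated or deactivated.
				// A missing 'enabled' key is treated as disabled.
				if ( ! empty( $current_options['enabled'] ) ) {
					ITSEC_Modules::activate( 'backup' );
				} else {
					ITSEC_Modules::deactivate( 'backup' );
				}

				// Drop a stored location that is no longer a directory so the default is used.
				if ( isset( $current_options['location'] ) && ! is_dir( $current_options['location'] ) ) {
					unset( $current_options['location'] );
				}

				// Start from the module defaults and overlay only the keys the defaults define.
				$options = ITSEC_Modules::get_defaults( 'backup' );

				foreach ( $options as $name => $value ) {
					if ( isset( $current_options[ $name ] ) ) {
						$options[ $name ] = $current_options[ $name ];
					}
				}

				ITSEC_Modules::set_settings( 'backup', $options );

			}

		}

		if ( $build < 4069 ) {
			delete_site_option( 'itsec_backup' );
		}

		if ( $build < 4079 ) {
			wp_clear_scheduled_hook( 'itsec_execute_backup_cron' );
		}

		if ( $build < 4123 ) {

			// Position in this list is the legacy value; the string is its replacement.
			$update = [
				'both',
				'email',
				'local',
			];

			$legacy = ITSEC_Modules::get_setting( 'backup', 'method' );
			// Anything that is not a known legacy index falls back to the module default.
			$new = $update[ $legacy ] ?? ITSEC_Modules::get_default( 'backup', 'method' );

			ITSEC_Modules::set_setting( 'backup', 'method', $new );

		}

	}

}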
// Instantiate once at load time so the constructor registers the uninstall and
// upgrade hooks; the instance is not assigned to anything. The class name is a
// literal defined in this file, not a value taken from a variable.
new ITSEC_Backup_Setup();
better-wp-security/core/modules/global/setup.php
<?php
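/**
 * Install-state migrations for the global settings module.
 *
 * The constructor attaches the upgrade handler to the
 * 'itsec_modules_do_plugin_upgrade' action; all work happens when it fires.
 */
class ITSEC_Global_Setup {

	/**
	 * Register the upgrade callback.
	 */
	public function __construct() {
		add_action( 'itsec_modules_do_plugin_upgrade', array( $this, 'execute_upgrade' ) );
	}

	/**
	 * Execute module upgrade
	 *
	 * Each step runs when $itsec_old_version is below that step's threshold,
	 * so an old install passes through every later step in order.
	 *
	 * @param int $itsec_old_version Build number compared against each migration threshold.
	 *
	 * @return void
	 */
	public function execute_upgrade( $itsec_old_version ) {

		if ( $itsec_old_version < 4040 ) {

			$options = get_site_option( 'itsec_global' );

			// The option can be missing (false) or lack 'log_location'; only touch the
			// filesystem when a usable directory path is actually stored.
			$log_dir = '';

			if ( is_array( $options ) && isset( $options['log_location'] ) && is_string( $options['log_location'] ) ) {
				$log_dir = $options['log_location'];
			}

			if ( '' !== $log_dir && ! empty( $options['log_info'] ) ) {

				// New file-name suffix: up to 20 characters of the sanitized site name plus 30
				// random characters without special characters.
				// NOTE(review): presumably this keeps the log file name from being guessable; confirm.
				$new_log_info = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . wp_generate_password( 30, false );
				$old_file     = path_join( $log_dir, 'event-log-' . $options['log_info'] . '.log' );
				$new_file     = path_join( $log_dir, 'event-log-' . $new_log_info . '.log' );

				// If the file exists already, don't update the location unless we successfully move it.
				if ( file_exists( $old_file ) && rename( $old_file, $new_file ) ) {
					$options['log_info'] = $new_log_info;
					update_site_option( 'itsec_global', $options );
				}

			}

			// Make sure we have an index file to block directory listing in logs directory.
			// This only stops the directory from being listed; it does not by itself stop a
			// direct request for a log file whose name is already known.
			if ( '' !== $log_dir && is_dir( $log_dir ) ) {

				$index_file = path_join( $log_dir, 'index.php' );

				if ( ! file_exists( $index_file ) ) {
					// Best effort: the result is not checked, as in the original.
					file_put_contents( $index_file, "<?php\n// Silence is golden." );
				}

			}

		}

		if ( $itsec_old_version < 4041 ) {

			$current_options = get_site_option( 'itsec_global' );

			// If there are no current options, go with the new defaults by not saving anything
			if ( is_array( $current_options ) ) {

				// log_type used to be 0 for database, 1 for file, 2 for both.
				// switch is kept for its loose comparison; a missing key maps to 'database'.
				switch ( $current_options['log_type'] ?? 0 ) {
					case 2:
						$current_options['log_type'] = 'both';
						break;
					case 1:
						$current_options['log_type'] = 'file';
						break;
					default:
						$current_options['log_type'] = 'database';
				}

				// Drop stored paths that no longer resolve so the defaults are used instead.
				if ( isset( $current_options['log_location'] ) && ! is_dir( $current_options['log_location'] ) ) {
					unset( $current_options['log_location'] );
				}

				if ( isset( $current_options['nginx_file'] ) && ! is_dir( dirname( $current_options['nginx_file'] ) ) ) {
					unset( $current_options['nginx_file'] );
				}

				// Start from the module defaults and overlay only the keys the defaults define.
				$settings = ITSEC_Modules::get_defaults( 'global' );

				foreach ( $settings as $index => $setting ) {
					if ( isset( $current_options[ $index ] ) ) {
						$settings[ $index ] = $current_options[ $index ];
					}
				}

				ITSEC_Modules::set_settings( 'global', $settings );

			}

		}

		if ( $itsec_old_version < 4059 ) {

			$message_queue = get_site_option( 'itsec_message_queue' );

			if ( false !== $message_queue ) {

				// Move the queued digest state into the global module settings, then drop the old option.
				if ( isset( $message_queue['last_sent'] ) ) {
					ITSEC_Modules::set_setting( 'global', 'digest_last_sent', $message_queue['last_sent'] );
				}

				if ( isset( $message_queue['messages'] ) ) {
					ITSEC_Modules::set_setting( 'global', 'digest_messages', $message_queue['messages'] );
				}

				delete_site_option( 'itsec_message_queue' );

			}

		}

		if ( $itsec_old_version < 4064 ) {
			delete_site_option( 'itsec_global' );
		}

		if ( $itsec_old_version < 4108 ) {
			// A truthy 'proxy_override' setting becomes the 'disabled' value of 'proxy'.
			if ( ITSEC_Modules::get_setting( 'global', 'proxy_override' ) ) {
				ITSEC_Modules::set_setting( 'global', 'proxy', 'disabled' );
			}
		}

		if ( $itsec_old_version < 4116 ) {
			if ( ITSEC_Core::is_pro() && ITSEC_Modules::get_setting( 'security-check-pro', 'remote_ip_index' ) ) {
				ITSEC_Modules::set_setting( 'global', 'proxy', 'security-check' );
			}
		}

		if ( $itsec_old_version < 4123 ) {
			// Installs upgrading from before this build are marked as already onboarded.
			ITSEC_Modules::set_setting( 'global', 'onboard_complete', true );
		}

	}

}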
// Instantiate once at load time so the constructor registers the upgrade hook;
// the instance is not assigned to anything. The class name is a literal defined
// in this file, not a value taken from a variable.
new ITSEC_Global_Setup();
Any light you could shed would be appreciated. Thanks!