Malware in class-font-manager.php

Hello,

My provider found malware (twice) in this path: wp-content/plugins/cornerstone/includes/classes/styling/class-font-manager.php

He says it is JS.Inject.Typekit.

Have you heard about this?

I get the message from my provider when I install X-theme.

Thank you.

My provider added the file to the exclusions.

I’m interested in why the problem was there.

Hey There,

Sometimes some scanners have false positives. Our files do not include any malware as all we do happens with the highest level of security standards.

FYI, I’m also having this same issue. Imunify360 flags this as malware.

While it might be safe, it’s a problem if you don’t fix it. I have to put it on the whitelist. If you google it, you’ll find that a few other people also have the same problem.

Also, if you check the file with an online antivirus, it will be flagged, like this: https://www.virustotal.com/#/file/a7e0216ff7a661a70bb16bb9a20fe002745e191a88a883a31aca9f4f94a1d649/detection

thanks

Hi @Gundud,

It’s a false positive, and based on the information @vchenkoDV provided, it’s related to Typekit. Here is the code:

 <script id="cs-typekit-loader">(function(d){var config={kitId:'<?php echo $config['typekitKitID']; ?>',scriptTimeout:3000,async:true},h=d.documentElement,t=setTimeout(function(){h.className=h.className.replace(/\bwf-loading\b/g,"")+" wf-inactive";},config.scriptTimeout),tk=d.createElement("script"),f=false,s=d.getElementsByTagName("script")[0],a;h.className+=" wf-loading";tk.src='https://use.typekit.net/'+config.kitId+'.js';tk.async=true;tk.onload=tk.onreadystatechange=function(){a=this.readyState;if(f||a&&a!="complete"&&a!="loaded")return;f=true;clearTimeout(t);try{Typekit.load(config)}catch(e){}};s.parentNode.insertBefore(tk,s)})(document);</script>

The code itself is from Adobe’s https://typekit.com/, and is only added dynamically based on the user’s supplied Typekit ID.

Those tools are able to detect the script being added or injected, but they are unable to really check whether it is actually malware. Hence, they just mark it as malware with JavaScript injection. Most of them are based on name too, so if the name matches then it will be considered malware too, since they can’t really tell how the script works. With Typekit, we can’t fix it by changing its name.

Thanks!
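One way to review a hit like this yourself, as an added example (not code from Cornerstone or from any scanner): list the hosts that inline scripts in the flagged file load from, and look for constructs commonly used to hide a payload. The loader string is the one quoted in the post above; the allowlist, the token list and the two tampered samples are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the only remote host the quoted Typekit loader should reference.
ALLOWED_HOSTS = {"use.typekit.net"}
# Assumption: constructs often used to hide a payload; none appear in the quoted loader.
SUSPICIOUS = ("eval(", "atob(", "fromCharCode", "document.write(", "unescape(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
PHP_RE = re.compile(r"<\?php.*?\?>", re.S)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

def triage(source: str) -> dict:
    """Summarise what the inline <script> blocks in a PHP/HTML file reference."""
    hosts, suspicious = set(), set()
    for body in SCRIPT_RE.findall(source):
        # Replace embedded PHP with a placeholder so only the JavaScript is inspected.
        js = PHP_RE.sub("PHP_VALUE", body)
        hosts.update(urlparse(u).hostname for u in URL_RE.findall(js))
        suspicious.update(tok for tok in SUSPICIOUS if tok in js)
    unexpected = hosts - ALLOWED_HOSTS
    return {
        "hosts": hosts,
        "unexpected_hosts": unexpected,
        "suspicious": suspicious,
        "needs_review": bool(unexpected or suspicious),
    }

# The loader exactly as quoted in the post above.
LOADER = r'''<script id="cs-typekit-loader">(function(d){var config={kitId:'<?php echo $config['typekitKitID']; ?>',scriptTimeout:3000,async:true},h=d.documentElement,t=setTimeout(function(){h.className=h.className.replace(/\bwf-loading\b/g,"")+" wf-inactive";},config.scriptTimeout),tk=d.createElement("script"),f=false,s=d.getElementsByTagName("script")[0],a;h.className+=" wf-loading";tk.src='https://use.typekit.net/'+config.kitId+'.js';tk.async=true;tk.onload=tk.onreadystatechange=function(){a=this.readyState;if(f||a&&a!="complete"&&a!="loaded")return;f=true;clearTimeout(t);try{Typekit.load(config)}catch(e){}};s.parentNode.insertBefore(tk,s)})(document);</script>'''

# Constructed samples: the same loader modified to show what the check reports.
TAMPERED_HOST = LOADER.replace("use.typekit.net", "fonts.example.invalid")
TAMPERED_EVAL = LOADER.replace("Typekit.load(config)", "eval(atob(config.kitId))")

if __name__ == "__main__":
    for name, src in (("quoted loader", LOADER),
                      ("tampered host", TAMPERED_HOST),
                      ("tampered eval", TAMPERED_EVAL)):
        print(name, triage(src))
```

A clean result here only describes the script blocks; comparing the flagged file's SHA-256 with the same file from a freshly downloaded copy of the plugin is the stronger check.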

This is interesting and could explain why on 3 different sites and servers, after autoupgrade, I experience problems with the permissions on class-font-manager.php and have to replace it.
See this thread: https://theme.co/apex/forum/t/can-t-update-pro/38189/7
and this one: https://theme.co/apex/forum/t/problem-with-cornerstone-and-class-font-manager-php/34949

Thanks for sharing, Steve.