Host asks to check these files – Malware Scanner, False Flags, False Alerts, Whitelist

    #966
    Jon
    Member

    I am troubleshooting what might be a hack on my forum, so my host has said this:

    I run malware detect scanning for the domain access-programmers.co.uk and found 4 hits in the domain and are given below. Please check those files with developer.

    ================ 
    Malware detect scan report for vps708.urljet.com: 
    SCAN ID: 011113-0612.29744 
    TIME: Jan 11 06:12:54 -0600 
    PATH: /home/xxxxx/public_html/ 
    TOTAL FILES: 3652
    TOTAL HITS: 4
    TOTAL CLEANED: 0
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 011113-0612.29744
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/plugins/bulletproof-security.zip
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxxx/public_html/wp-content/plugins/bulletproof-security/admin/tools/tools.php 
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/bps-backup/autorestore/wp-content/plugins/bulletproof-security.zip 
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/bps-backup/autorestore/wp-content/plugins/bulletproof-security/admin/tools/tools.php 
    ===============================================

    So, I am checking in with you that those are normal files with your plugin. My site was showing a full page of garbled stuff like this: 

    ��\ms۶��l��? 촲ې%�ʶz'9�mS��

    I know that issue is not your plugin since I had the garbled stuff before I installed your plugin, but my host is insisting I check this out as part of the elimination process.

    #977
    AITpro Admin
    Keymaster

    UPDATE:
    As of BPS Pro 9.6 the Pro-Tools Base64 Decoder / Encoder tools were moved to their own individual pages and can be deleted individually from Pro-Tools. See this Forum link for full details:  http://forum.ait-pro.com/forums/topic/scanner-detects-malicious-code-or-infected-files-in-bps-pro-pro-tools/

    BPS Pro has Base64 Decoder and Encoding tools. This scanner is detecting standard legitimate PHP functions in BPS Pro. This is a very common thing. Scanners are only capable of looking for general things and cannot really tell the difference between good code and bad code. Please have your Host whitelist BPS Pro files. Thanks.

    #999
    Jon
    Member

    As I expected. Thanks for confirming. In my host's wisdom, they decided (without my say so) to disable the Bulletproof plugin and turn it back on. Will this have affected anything? i.e. will I need to reset stuff?

    #11740
    AITpro Admin
    Keymaster

    Email Question:

    Hello,
    We faced a problem with the plugin used to protect our website.
    This is the result below:
    From the reports, the mentioned plugin found to be infected. Please deactivate and remove it via your WP-admin control panel.

    ==
    malware detect scan report for lead.mysitehosted.com:
    SCAN ID: 120313-1048.26752
    TIME: Dec 3 10:49:33 -0800
    PATH: /home/xxxxx/public_html
    TOTAL FILES: 10101
    TOTAL HITS: 2
    TOTAL CLEANED: 0
    
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 120313-1048.26752
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/plugins/bulletproof-security/admin/tools/tools.php
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/blog/wp-content/plugins/bulletproof-security/admin/tools/tools.php

    Any help would be appreciated.

    #11741
    AITpro Admin
    Keymaster

    UPDATE:
    As of BPS Pro 9.6 the Pro-Tools Base64 Decoder / Encoder tools were moved to their own individual pages and can be deleted individually from Pro-Tools. See this Forum link for full details:  http://forum.ait-pro.com/forums/topic/scanner-detects-malicious-code-or-infected-files-in-bps-pro-pro-tools/

    This is a very common thing. Scanners are only capable of looking for general things/code/patterns and cannot really tell the difference between good code and bad code. Please have your Host whitelist BPS Pro files or if they cannot whitelist the tools.php file then you can delete the tools.php file from this BPS Pro plugin folder:  /bulletproof-security/admin/tools/tools.php. Thanks.
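
Added example, not part of the thread or of BPS Pro's own code: before a flagged plugin file is whitelisted, each hit can be checked against a copy of the plugin from a trusted download. The script parses the report format quoted above and compares SHA-256 hashes; `MARKER`, the function names, the sample report and the file contents are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed report in the format quoted in this thread; ROOT is filled in by demo().
SAMPLE_REPORT = """TOTAL HITS: 2
FILE HIT LIST: {HEX}gzbase64.inject.unclassed.17 : ROOT/site/wp-content/plugins/bulletproof-security/admin/tools/tools.php
{HEX}gzbase64.inject.unclassed.17 : ROOT/site/wp-content/plugins/bulletproof-security/admin/options.php
"""
HIT_RE = re.compile(r"^\s*(\{\w+\}\S+)\s+:\s+(\S.*?)\s*$")
MARKER = "/plugins/bulletproof-security/"  # assumed install location of the plugin

def parse_hits(report):
    """Return (signature, path) pairs listed after 'FILE HIT LIST:'."""
    body = report.partition("FILE HIT LIST:")[2]  # first hit may share the header line
    return [m.groups() for m in map(HIT_RE.match, body.splitlines()) if m]

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(hits, vendor_dir):
    """Compare each flagged file with the same file in a trusted vendor copy."""
    verdicts = {}
    for _sig, path in hits:
        rel = path.split(MARKER, 1)[1] if MARKER in path else None
        pristine = Path(vendor_dir) / rel if rel else None
        if pristine is None or not pristine.is_file():
            verdicts[path] = "no vendor counterpart: investigate"
        elif Path(path).is_file() and sha256(path) == sha256(pristine):
            verdicts[path] = "identical to vendor copy: ignore-list candidate"
        else:
            verdicts[path] = "differs from vendor copy: investigate"
    return verdicts

def demo():  # builds a throwaway site tree and vendor tree, then triages the sample
    with tempfile.TemporaryDirectory() as root:
        site = Path(root, "site/wp-content/plugins/bulletproof-security/admin")
        vendor = Path(root, "vendor/admin")
        for tree, extra in ((vendor, ""), (site, " /* appended code */")):
            (tree / "tools").mkdir(parents=True)
            (tree / "tools/tools.php").write_text("<?php /* decoder tool */")
            (tree / "options.php").write_text("<?php /* options */" + extra)
        report = SAMPLE_REPORT.replace("ROOT", root)
        verdicts = triage(parse_hits(report), Path(root, "vendor"))
        return {Path(p).name: v.split(":")[0] for p, v in verdicts.items()}

if __name__ == "__main__":
    print(demo())
```

Only files with the first verdict are candidates for the scanner's ignore list; a file that differs from the vendor copy, or has no counterpart in it, needs inspection before anything is whitelisted.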

    #28488
    Jenny
    Participant

    [Topic has been merged into this relevant Topic]
    Hi,
    I have just received a report that these files, included in my latest Backup buddy plugin backup are malware. Can you please tell me whether they are normally included in BPS Pro?

    /wp-content/bps-backup/master-backups/May-15-2013–01-26-10–bulletproof-security.zip – {HEX}gzbase64.inject.unclassed.18.UNOFFICIAL
    /wp-content/bps-backup/master-backups/bulletproof-security.zip – {HEX}gzbase64.inject.unclassed.18.UNOFFICIAL

    I’m trying to work out if this is a false positive or not.
    Thanks
    Jenny S

    #28491
    AITpro Admin
    Keymaster

    @ Jenny – Nothing to worry about and Yes it is a false positive. The backups are dated to 2013 and a long time ago the Base64 decoder Pro-Tools that came with BPS Pro would trigger false positives. The BPS Pro Base64 Decoder Pro-Tools are no longer included in current versions of BPS Pro for exactly that reason.  I think those Base64 Decoder Pro-Tools were removed a year or 2 ago.

    #28507
    Jenny
    Participant

    Hi and thank you, @AITpro Admin  keymaster.

    In case anyone else has this problem, the steps I took were to go to the BPS pro tools page (in website dashboard) and click delete for both online and offline base64 decoders. After further advice from BPS support (thanks) I have also deleted the specific zipped files mentioned in my post above, via ftp. I am hopeful that I will no longer get malware alerts from my backup plugin!
    I am extremely grateful for the excellent support from AIT pro admin.  Cheers  Jenny
