WordFence scan – tools.php

  • #9913
    jan
    Participant

    WordFence is coming up with an error:

    • This file may contain malicious executable code: wp-content/plugins/bulletproof-security/admin/tools/tools.php
    • File type: Not a core, theme or plugin file.
    • Issue first detected: a moment ago.
    • Severity: Critical
    • This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.

    I assume this file is OK with base 64 and php?  The main reason for raising this issue is that maybe you should make sure THEY check with the right repository for BPS to keep these from showing up for people?

    #9916
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account or database.

    UPDATE:
    As of BPS Pro 9.6 the Pro-Tools Base64 Decoder / Encoder tools were moved to their own individual pages and can be deleted individually from Pro-Tools. See this Forum link for full details:  http://forum.ait-pro.com/forums/topic/scanner-detects-malicious-code-or-infected-files-in-bps-pro-pro-tools/

    Yep, the tools.php file is safe.  The tools.php file is the BPS Pro Pro-Tools file/page.  One of the Pro-Tools is a Base64 Decoding tool so Wordfence is seeing standard/legitimate php functions that relate to base64 decoding/encoding and it is triggering a false alert/false flag alert.  Whitelist the tools.php file in Wordfence so that Wordfence does not continue to check this file.

    Scanners can only generally check for code/php functions/patterns/etc. and cannot actually tell the difference between good code or malicious code, but scanners typically have a way to whitelist things so that they do not trigger additional alerts in the future.

    #9919
    jan
    Participant

    As always, thanks so much for your incredible support. I realize the issue but the Wordfence option states “Scan plugin files against repository versions for changes”. I assume this means that it does a file listing check against a master repository on WP.org plugins directory. If so, just not sure why the file is being flagged at all. Anyway, no need to reply. I will whitelist it (I just checked the ignore this file until it changes option in WFence). The two of you together really make me feel better about the security of the site.

    #9921
    AITpro Admin
    Keymaster

    BPS Pro plugin files do not exist in the WordPress.org repository so I assume Wordfence is designed to not check plugin files that do not exist in both the WordPress.org repository and on your website.

    In any case, this is another issue.  Scanners in general scan for known code/coding patterns/php functions/etc. and can only scan generally and are not capable of actually telling the difference between good and bad code.  All php code are standard php functions, but if that standard php code/function is used maliciously then it can be used to hack your site.  So you can see that since all php code/functions are standard php code then a scanner may accidentally flag good code as bad code if the scanner is looking for a particular standard php function that is commonly used by hackers – hackers of course use several of the standard base64 encoding and decoding php functions.  😉
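
Added example, not part of the thread and not Wordfence or BPS code: a minimal same-line `eval(` plus `base64_decode(` heuristic of the kind the alert text describes, paired with a hash-pinned ignore entry that behaves like "ignore this file until it changes". The regexes, the sample PHP sources and the function names are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed shape of the rule quoted in the alert: eval( and base64_decode(
# on the same line. Not Wordfence's actual signature.
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
B64_RE = re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE)

def suspicious_lines(php_source):
    """Return 1-based line numbers where both patterns occur together."""
    return [n for n, line in enumerate(php_source.splitlines(), start=1)
            if EVAL_RE.search(line) and B64_RE.search(line)]

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def scan(files, ignored):
    """files: {path: source}; ignored: {path: sha256 recorded at review}.
    A hit is suppressed only while the file still hashes to the reviewed
    value, so a later modification raises the finding again."""
    findings = {}
    for path, source in files.items():
        hits = suspicious_lines(source)
        if hits and ignored.get(path) != sha256(source):
            findings[path] = hits
    return findings

# Constructed sample sources, not the real plugin code.
TOOL_PATH = "wp-content/plugins/bulletproof-security/admin/tools/tools.php"
DECODER_TOOL = (
    "<?php\n"
    "// Admin page: display the decoded form of pasted text\n"
    "$help = 'Paste an eval(base64_decode(...)) wrapper to inspect it';\n"
    "echo htmlspecialchars(base64_decode($_POST['encoded']));\n"
)
# Same file after an unexpected edit appended an executing decode call.
MODIFIED_TOOL = DECODER_TOOL + "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"

def demo():
    ignored = {TOOL_PATH: sha256(DECODER_TOOL)}  # reviewed, then ignored
    return {
        "first_scan": scan({TOOL_PATH: DECODER_TOOL}, {}),
        "after_ignore": scan({TOOL_PATH: DECODER_TOOL}, ignored),
        "after_change": scan({TOOL_PATH: MODIFIED_TOOL}, ignored),
    }

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The first scan flags line 3 even though it is only a help string, the pinned hash silences that finding, and the modified copy is reported again on lines 3 and 5 because its hash no longer matches the reviewed one.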

    #11940
    imxproducts
    Participant

    Thanks for the clarification.

    #13132
    imxproducts
    Participant

    @ AITpro Admin
    New file is showing up in the Word Fence Scan
    wp-content/plugins/bulletproof-security/languages/bulletproof-security.pot
    I assume this file is safe also but I wanted to check?

    #13134
    AITpro Admin
    Keymaster

    Yes, any/all/every file in BulletProof Security is safe of course.  Scanners are limited to only checking general patterns / general things that the scanner code is told to look for and cannot actually tell the difference between safe code, unsafe code, good code, bad code, malicious code, etc. 😉  So whitelist the bulletproof-security.pot file as well as any other BulletProof Security files.

    #31885
    alan sills
    Participant

    [Topic has been merged into this relevant Topic]
    Wordfence identified the following file as potentially corrupted – should I remove the file or ignore wordfence about this file? Here is the wordfence report –
    File appears to be malicious: wp-content/plugins/bulletproof-security/admin/tools/tools.php
    Filename: wp-content/plugins/bulletproof-security/admin/tools/tools.php
    File type: Not a core, theme or plugin file.
    Issue first detected:1 hour 50 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval or base64_decode”. The infection type is: Suspicious eval with base64 decode..

    #31888
    AITpro Admin
    Keymaster

    @ alan sills – It is a false alarm.  You can either ignore or whitelist this BPS file depending on what Wordfence allows you to do regarding false alarms.  See the beginning of this forum topic for more details.
