Host asks to check these files – Malware Scanner, False Flags, False Alerts, Whitelist

Home Forums BulletProof Security Pro Host asks to check these files – Malware Scanner, False Flags, False Alerts, Whitelist

This topic contains 7 replies, has 3 voices, and was last updated by  Jenny 2 years, 3 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #966

    Jon
    Member

    I am troubleshooting what might be a hack on my forum, so my host has said this:

    I run malware detect scanning for the domain access-programmers.co.uk and found 4 hits in the domain and are given bellow. Please check those files with developer.

    ================ 
    Malware detect scan report for vps708.urljet.com: 
    SCAN ID: 011113-0612.29744 
    TIME: Jan 11 06:12:54 -0600 
    PATH: /home/xxxxx/public_html/ 
    TOTAL FILES: 3652 TOTAL 
    HITS: 4 TOTAL 
    CLEANED: 0 
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 011113-0612.29744 
    FILE HIT LIST: {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/plugins/bulletproof-security.zip
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxxx/public_html/wp-content/plugins/bulletproof-security/admin/tools/tools.php 
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/bps-backup/autorestore/wp-content/plugins/bulletproof-security.zip 
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/bps-backup/autorestore/wp-content/plugins/bulletproof-security/admin/tools/tools.php 
    ===============================================

    So, I am checking in with you that those are normal files with your plugin. My site was showing a full page of garbled stuff like this: 

    ��\ms۶��l��? 촲ې%�ʶz'9�mS��

    I know that issue is not your plugin since I had the garbled stuff before I installed your plugin, but my host is insisting I check this out as part of the elimination process

    #977

    AITpro Admin
    Keymaster

    UPDATE:
    As of BPS Pro 9.6 the Pro-Tools Base64 Decoder / Encoder tools were moved to their own individual pages and can be deleted individually from Pro-Tools. See this Forum link for full details:  http://forum.ait-pro.com/forums/topic/scanner-detects-malicious-code-or-infected-files-in-bps-pro-pro-tools/

    BPS Pro has a Base64 Decoder and Encoding tools. This scanner is detecting standard legitimate php functions in BPS Pro. This is a very common thing. Scanners are only capable of looking for general things and cannot really tell the difference between good code and bad code. Please have your Host whitelist BPS Pro files. Thanks.

    #999

    Jon
    Member

    As I expected. Thanks for confirming. In my hosts wisdom, they decided (without my say so) to Disable the Bulletproof plugin and turn it back on. Will this have affected anything? i.e. will I need to reset stuff?

    #11740

    AITpro Admin
    Keymaster

    Email Question:

    hello
    we faced a problem with the plugin use to protect our website
    this is the result below
    From the reports, the mentioned plugin found to be infected. Please deactivate and remove it via your WP- admin control panel.

    ==
    malware detect scan report for lead.mysitehosted.com:
    SCAN ID: 120313-1048.26752
    TIME: Dec 3 10:49:33 -0800
    PATH: /home/xxxxx/public_html
    TOTAL FILES: 10101
    TOTAL HITS: 2
    TOTAL CLEANED: 0
    
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 120313-1048.26752
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/wp-content/plugins/bulletproof-security/admin/tools/tools.php
    {HEX}gzbase64.inject.unclassed.17 : /home/xxxxx/public_html/blog/wp-content/plugins/bulletproof-security/admin/tools/tools.php

    any help would be appreciate.

    #11741

    AITpro Admin
    Keymaster

    UPDATE:
    As of BPS Pro 9.6 the Pro-Tools Base64 Decoder / Encoder tools were moved to their own individual pages and can be deleted individually from Pro-Tools. See this Forum link for full details:  http://forum.ait-pro.com/forums/topic/scanner-detects-malicious-code-or-infected-files-in-bps-pro-pro-tools/

    This is a very common thing. Scanners are only capable of looking for general things/code/patterns and cannot really tell the difference between good code and bad code. Please have your Host whitelist BPS Pro files or if they cannot whitelist the tools.php file then you can delete the tools.php file from this BPS Pro plugin folder:  /bulletproof-security/admin/tools/tools.php. Thanks.

    #28488

    Jenny
    Participant

    [Topic has been merged into this relevant Topic]
    Hi,
    I have just received a report that these files, included in my latest Backup buddy plugin backup are malware. Can you please tell me whether they are normally included in BPS Pro?

    /wp-content/bps-backup/master-backups/May-15-2013–01-26-10–bulletproof-security.zip – {HEX}gzbase64.inject.unclassed.18.UNOFFICIAL
    /wp-content/bps-backup/master-backups/bulletproof-security.zip – {HEX}gzbase64.inject.unclassed.18.UNOFFICIAL

    I’m trying to work out if this is a false positive or not.
    Thanks
    Jenny S

    #28491

    AITpro Admin
    Keymaster

    @ Jenny – Nothing to worry about and Yes it is a false positive. The backups are dated to 2013 and a long time ago the Base64 decoder Pro-Tools that came with BPS Pro would trigger false positives. The BPS Pro Base64 Decoder Pro-Tools are no longer included in current versions of BPS Pro for exactly that reason.  I think those Base64 Decoder Pro-Tools were removed a year or 2 ago.

    #28507

    Jenny
    Participant

    Hi and thank you, @AITpro Admin  keymaster.

    In case anyone else has this problem, the steps I took were to go to the BPS pro tools page (in website dashboard) and click delete for both online and offline base64 decoders. After further advice from BPS support (thanks) I have also deleted the specific zipped files mentioned in my post above, via ftp. I am hopeful that I will no longer get malware alerts from my backup plugin!
    I am extremely grateful for the excellent support from AIT pro admin.  Cheers  Jenny

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.