MSCAN flags non-existent DB rows

  • #41761
    Adam
    Participant

    Hi

    I get MSCAN suspicious database entries for DB rows that don’t exist when I look for them in phpMyAdmin.

    These are in the name_options table and the column is options_value.

    The pattern matched is

    visibility:

    I also get matches for a file called

    /tmp/cloner-cert-[number]

    These also aren’t visible in the cPanel File Manager.

    Are these okay?

    Thanks in advance.

    #41762
    AITpro Admin
    Keymaster

    The row would have to exist in order for MScan to detect that pattern in that row.  Most likely you are looking in the wrong place.  Double check that you are looking in the correct database and correct DB Table.  You can do searches in phpMyAdmin by the Row ID number or the pattern match: visibility.

    cPanel tmp folders are located in the left column when using the File Manager tool.

    #41786
    Adam
    Participant

    Thanks,

    This really seems to be what is happening though. In the _options table, the Row ID is called option_id but that’s got to be the same thing.

    If I search the table for the string %visibility% I get four results. One is for “bulletproof_security_options_mscan_patterns”.

    So I think I am looking correctly.

    The others don’t match the Row IDs in MScan, though they do look familiar.

    It’s as if the row numbers are changing from day to day. Is there something that could be doing this?

    #41787
    AITpro Admin
    Keymaster

    Maybe the MScan DB scan results are old DB scan results that no longer exist?  Click the Reset MScan button and run another scan.  If you get the same DB scan results then do the steps below.

    Go to the BPS Pro > Tools > DB String Finder tool.
    For the DB Search String enter:  visibility:
    Click the Find DB String button.
    Copy and paste the DB String Finder search results in your forum reply.
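The phpMyAdmin search suggested above, and what the DB String Finder tool does in effect, can be expressed directly as SQL. This is an added example, not code from the thread or from the BPS Pro plugin. It assumes a standard WordPress database with the default table prefix `wp_` (the poster's prefix is redacted as `name_`), and uses `12345` as a placeholder for a Row ID reported by MScan.

```sql
-- Added example (not from the forum thread or the BPS Pro plugin).
-- Assumes a WordPress database with the default table prefix wp_;
-- replace wp_ with your site's own prefix.

-- 1. Find every row whose option_value contains the pattern MScan reported.
--    LEFT() keeps the output readable, since serialized option values can be very long.
--    The plugin's own pattern list (bulletproof_security_options_mscan_patterns)
--    will always match, so it is excluded.
SELECT option_id,
       option_name,
       LEFT(option_value, 200) AS value_preview,
       LENGTH(option_value)    AS value_length
FROM   wp_options
WHERE  option_value LIKE '%visibility:%'
  AND  option_name <> 'bulletproof_security_options_mscan_patterns'
ORDER  BY option_id;

-- 2. Look up the exact Row ID that MScan listed.
--    12345 is a placeholder for the option_id shown in the MScan results.
SELECT option_id, option_name, option_value
FROM   wp_options
WHERE  option_id = 12345;

-- 3. Check whether the table's ID counter keeps moving between scans.
--    If Auto_increment is far above the highest existing option_id, rows are being
--    inserted and deleted (WordPress transients do this routinely), which is one
--    explanation for Row IDs that seem to change from day to day.
SHOW TABLE STATUS LIKE 'wp_options';

SELECT COUNT(*)      AS row_count,
       MAX(option_id) AS highest_id
FROM   wp_options;
```

Run the first query against the same database the site's wp-config.php points at; a match that appears in MScan but not here means the row has since been removed, whereas a match in both should be inspected by option_name to see which plugin or theme owns it.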

    #41789
    Adam
    Participant

    Update to this.

    I tried the support chat at my hosting company again.

    This time I seem to have got a better representative and they have looked at the

    /tmp/cloner-cert-[number]

    issue I mentioned and say the site may be infected.

    I suspect it has been infected since I migrated to the host a couple of months ago. I alerted them to a “this site hacked by” file that appeared as I was migrating and they said, “just delete it”…

    Anyway, they are running a scan on my account, which may or may not impact the changing Row ID issue as well.

    So perhaps we can pick this up after I have cleaned anything up from that.

    #41790
    AITpro Admin
    Keymaster

    If you would like for me to check your site then contact me directly > info at ait-pro dot com.

    #41799
    Adam
    Participant

    Thank you for offering to help me.

    I think my recent success with the hosting support people has finally yielded a result. They did a scan, but it returned a nil result.

    However, I suspect they had deleted whatever was in the tmp folder while I was on chat and that the scan was just precautionary.

    I’ve reset MScan on my sites and re-scanned. There are still some suspicious DB entries, with <script and <noscript tags. I haven’t had time to look into those, but I’m 95% sure I’ve checked them all in the past and they are expected.

    Importantly the “visibility:” string entries and the “cloner-cert” files didn’t show up on the scans.

    Very frustrating that this was not visible to me, I’ve wasted so much of my own time and now yours.

    Thanks again.


    #41802
    AITpro Admin
    Keymaster

    My guess is that that DB entry existed at some point and simply just no longer exists for whatever reason, i.e. a plugin option setting that no longer exists, a theme option setting that no longer exists, etc.

    Most DB scan results that are flagged as suspicious are typically harmless/benign.  MScan flags anything that could be malicious, which of course means you will typically see some false positive DB scan results.

    File hash scanning on the other hand is 100% accurate.  File pattern matching scanning is around 85% accurate.
