MScan – Troubleshooting, questions, problems and code posting

Home Forums BulletProof Security Pro MScan – Troubleshooting, questions, problems and code posting

This topic contains 26 replies, has 7 voices, and was last updated by  AITpro Admin 2 months, 1 week ago.

Viewing 15 posts - 1 through 15 (of 27 total)
  • Author
    Posts
  • #33927

    AITpro Admin
    Keymaster

    This forum topic is for posting any MScan questions, issues, problems, etc. and is also for posting any code that MScan has detected as suspicious.  If MScan has detected some code that appears to be suspicious and you are not sure if that code is actually malicious then copy and paste the code in your forum Reply and we will let you know if the code is actually malicious or safe.

    If you have general MScan questions, please click the MScan Read Me help button on the MScan BPS plugin page and also check the MScan Malware Scanner Guide forum topic to see if your question is already answered before posting your question.

    Posting MScan Log file log entries:
    The MScan Log file contains extensive detailed information about all phases of scans.  If a scan stops or fails prematurely or some other problem is occurring with a scan, please post ONLY the scan log entries for the scan that is stopping or failing.  Please do not post your entire MScan Log file contents.

    Posting code that MScan has detected as suspicious:
    When MScan detects suspicious code in files, the file will be added to the View|Ignore|Delete Suspicious Files Form under the View|Ignore|Delete Suspicious Files accordion tab.  To view the file contents click the View checkbox next to that file and click the Submit button.  Use your Browser’s Search or Find feature to search the file contents/code displayed to you using the MScan Pattern Match that is displayed to you for the suspicious code that was detected by MScan.  Copy only a section of the code that is relevant (5 to 10 lines of code above and below the MScan Pattern Match) – do not copy the entire file contents that is displayed to you.  Then paste the code that you copied from the file contents in a new forum Reply.  Please use “pre” tags when posting code.  Example: <pre> your code goes here </pre>

    The Good News:
    The MScan malware scanner will detect hacker files and code that other malware scanners do not detect.

    The Bad News:
    Because the MScan malware scanner will detect hacker files and code that other malware scanners do not detect there will also be more false positive matches made by MScan.

    #33961

    David Versteeg
    Participant

    I have tried running the MScan several times today, without much success. The scan seems to stop without notification; see the log below:

    [MScan Scan Start: 09/09/2017 18:23]
    Scan Time Calculation: Start Count total files to scan.
    Scan Time Calculation: Max File Size Limit to Scan: 400 KB
    Scan Time Calculation: Total Website Files: 9055
    Scan Time Calculation: Total Skipped Files (larger than 400 KB): 6
    Scan Time Calculation: Total WP Core Files to Scan: 1321
    Scan Time Calculation: Total non-Image Files to Scan: 2448
    Scan Time Calculation: Total Image Files to Scan: 0
    Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 3769
    Scan Time Calculation: Hosting Account Root Folders to Scan: wp-admin, wp-content, wp-includes
    Scan Time Calculation: WP Hash Time Estimate: +0 Seconds
    Scan Time Calculation: WP Core Files Time Estimate: +3 Seconds
    Scan Time Calculation: non-Image Files Time Estimate: +91 Seconds
    Scan Time Calculation: Image Files Time Estimate: +0 Seconds
    Scan Time Calculation: DB Size Time Estimate: +1 Seconds
    Scan Time Calculation: Scan Time Estimate: 95 Seconds
    Scan Time Calculation Completion Time: 00:00:42
    WP Zip File Download: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip was not downloaded again.
    WP Zip File Extraction: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip file does not need to be extracted.
    WP MD5 File Hash Maker: The wp-hashes.php file already exists for WordPress 4.8.1. The wp-hashes.php file was not created again.
    Scanning Files: Start scanning files.

    The most succesful scan came a bit further:

    [MScan Scan Start: 09/09/2017 14:09]
    Scan Time Calculation: Start Count total files to scan.
    Scan Time Calculation: Max File Size Limit to Scan: 400 KB
    Scan Time Calculation: Total Website Files: 9055
    Scan Time Calculation: Total Skipped Files (larger than 400 KB): 6
    Scan Time Calculation: Total WP Core Files to Scan: 1321
    Scan Time Calculation: Total non-Image Files to Scan: 2448
    Scan Time Calculation: Total Image Files to Scan: 0
    Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 3769
    Scan Time Calculation: Hosting Account Root Folders to Scan: wp-admin, wp-content, wp-includes
    Scan Time Calculation: WP Hash Time Estimate: +0 Seconds
    Scan Time Calculation: WP Core Files Time Estimate: +3 Seconds
    Scan Time Calculation: non-Image Files Time Estimate: +91 Seconds
    Scan Time Calculation: Image Files Time Estimate: +0 Seconds
    Scan Time Calculation: DB Size Time Estimate: +1 Seconds
    Scan Time Calculation: Scan Time Estimate: 95 Seconds
    Scan Time Calculation Completion Time: 00:00:33
    WP Zip File Download: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip was not downloaded again.
    WP Zip File Extraction: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip file does not need to be extracted.
    WP MD5 File Hash Maker: The wp-hashes.php file already exists for WordPress 4.8.1. The wp-hashes.php file was not created again.
    Scanning Files: Start scanning files.
    Scanning Files: Start WP Core file scan.
    Scanning Files: Suspicious|Modified|Unknown WP Core files:
    Scanning Files WP Core: No Suspicious|Modified|Unknown WP Core files were found.
    Scanning Files: WP Core file scan completed.
    Scanning Files: Start non-Image file (php, js, etc) scan.
    Scanning Files: Suspicious code pattern matches:

    Any suggestions what could go wrong here? I have used the default scan settings.

    #33962

    AITpro Admin
    Keymaster

    The clues are:  The WP Core file MD5 file hash comparison completed.  The WP Core MD5 file hash comparison uses an array of WP Core file hashes to check all WP Core files.  Regular scanning of non-WP Core and non-image files using this PHP function:  file_get_contents() to open and scan the contents of files.  Maybe there is a problem with scanning plugin files or theme files or some other folder?  Try creating an exclude rule to exclude scanning the /wp-content/plugins/ folder and see if that works. Enter the path to your plugins folder in the MScan Exclude Individual Folders textbox, click the Save MScan Options button and run a scan.

    It appears that something is not allowing the file_get_contents() function to open and scan files in your Hosting Account Root folder.  Do you see any PHP Errors that offer any clues?  Do you see any Host server log error entries that offer any clues?  Go to the BPS System Info page and post this system information about your server/website.

    Server Type: Apache
    Operating System: Linux
    WP Filesystem API Method: direct
    Server API: cgi-fcgi CGI Host Server Type
    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
    403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    200: mod_rewrite Module is Loaded
    cURL: cURL Extension is Loaded Version: 7.48.0
    cURL OpenSSL Version (Used by PayPal, etc.): OpenSSL/1.0.1e
    OpenSSL Library: OpenSSL 1.0.0-fips 29 Mar 2010
    Zend Engine Version: 2.4.0
    Zend Guard|Optimizer: A Zend Extension is Not Loaded
    ionCube Loader: ionCube Loader Extension is Not Loaded
    Suhosin: Suhosin is Not Installed|Loaded
    APC: APC Extension is Loaded and Enabled
    eAccelerator: eAccelerator Extension is Not Loaded
    XCache: XCache Extension is Loaded but Not Enabled
    Varnish: Varnish Extension is Not Loaded
    Memcache: Memcache Extension is Not Loaded
    Memcached: Memcached Extension is Not Loaded
    
    CAUTION:  Use X's to hide your php.ini and temp dir path information below
    PHP Version: 5.4.19
    PHP Memory Usage: 14.2 MB
    WordPress Admin Memory Limit: 256M
    WordPress Base Memory Limit: 40M
    PHP Actual Configuration Memory Limit: 128M
    PHP Configuration File (php.ini): /home/xxxxx/html/php5.ini
    WP Temp Dir: /home/xxxxx/tmp/
    PHP Temp Dir: /home/xxxxx/tmp
    PHP Upload Temp Dir: /tmp
    Session Save Path: Not set/defined or directory is not writable
    Garbage Collector: On | Cycles: 0
    PHP Max Upload Size: 150M
    PHP Max Post Size: 150M
    PHP Safe Mode: Off
    PHP Allow URL fopen: Off
    PHP Allow URL Include: Off
    PHP Display Errors: Off
    PHP Display Startup Errors: Off
    PHP Expose PHP: Off
    PHP Register Globals: Off
    PHP MySQL Allow Persistent Connections: Off
    PHP Output Buffering: Off
    PHP Max Script Execution Time: 30 Seconds
    PHP Magic Quotes GPC: Off
    PHP open_basedir: Off/Not in use
    PHP XML Support: Yes
    PHP IPTC Support: Yes
    PHP Exif Support: Yes

    Under the “File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID” System Info table are all of your Script Owner User ID (UID) and File Owner User ID the same ID number?

    #33970

    David Versteeg
    Participant

    I don’t see anything in PHP Error Log for today. Please find the requested information below:

    Server Type: Apache/2.2.16 (Debian)
    Operating System: Linux
    WP Filesystem API Method: direct
    Server API: apache2handler DSO Host Server Type
    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
    403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    200: mod_rewrite Module is Loaded
    cURL: cURL Extension is Loaded Version: 7.38.0
    cURL OpenSSL Version (Used by PayPal, etc.): OpenSSL/1.0.1k
    OpenSSL Library: OpenSSL 1.0.1e 11 Feb 2013
    Zend Engine Version: 2.6.0
    Zend Guard|Optimizer: A Zend Extension is Not Loaded
    Zend OPcache: Zend OPcache is Enabled Version: 7.0.6-dev
    ionCube Loader: ionCube Loader Extension is Not Loaded
    Suhosin: Suhosin is Not Installed|Loaded
    APC: APC Extension is Not Loaded
    eAccelerator: eAccelerator Extension is Not Loaded
    XCache: XCache Extension is Loaded but Not Enabled
    Varnish: Varnish Extension is Not Loaded
    Memcache: Memcache Extension is Not Loaded
    Memcached: Memcached Extension is Not Loaded
    
    PHP Version: 5.6.17-1~dotdeb+7.1
    PHP Memory Usage: 53.16 MB
    WordPress Admin Memory Limit: 256M
    WordPress Base Memory Limit: 40M
    PHP Actual Configuration Memory Limit: 128M
    PHP Configuration File (php.ini): /etc/php5/apache2/php.ini
    WP Temp Dir: /public/tmp/
    PHP Temp Dir: Not set/defined or directory is not writable
    PHP Upload Temp Dir: /public/tmp
    Session Save Path: /public/tmp
    Garbage Collector: On | Cycles: 0
    PHP Max Upload Size: 32M
    PHP Max Post Size: 32M
    PHP Safe Mode: Off
    PHP Allow URL fopen: On
    PHP Allow URL Include: Off
    PHP Display Errors: Off
    PHP Display Startup Errors: Off
    PHP Expose PHP: On
    PHP Register Globals: Off
    PHP MySQL Allow Persistent Connections: On
    PHP Output Buffering: 4096
    PHP Max Script Execution Time: 30 Seconds
    PHP Magic Quotes GPC: Off
    PHP open_basedir: Off/Not in use
    PHP XML Support: Yes
    PHP IPTC Support: Yes
    PHP Exif Support: Yes

    As the folder structure appears different from the one you suggest, I am not sure what to X out in there…
    All Owner User IDs are the same.

    #33988

    AITpro Admin
    Keymaster

    I combined my response yesterday into my previous forum reply above.  Check your web host server logs and see if there any any server log errors/entries that offer any clues to the problem and post it/them in your reply.

    #34058

    David Versteeg
    Participant

    Excluding the wp-content/plugins/ folder made quite a difference, it is completing the scan sometimes although it is still not a 100% guarantee. I am not sure where to locate the Host server log error entries?

    #34059

    AITpro Admin
    Keymaster

    Yeah, if you have more than the modest average number of plugins installed, which is around 7-12 plugins per WP site then MScan will probably not be able to scan more than 5 WordPress sites under a hosting account at one time.  Some plugins have 1,000’s of files and are as large or larger in total KB|MB size than WP itself. 😉  We expected that scanning the /plugins/ folder would be where problems would occur.  I have seen as many as 200 plugins installed on a website and lot of sites have around 40-50 plugins installed.  If each of those 40-50 plugins has an average of 200 files each then that would be 8,000-10,000 files to scan on top of all other hosting account files.  It is actually not a limitation in MScan itself, but the limitation occurs with a host server.  If peak resource usage exceeds allowed web host server limits then host servers will automatically abort script execution.  Basically the server automatically prevents an overload or crash by aborting script execution that is expected to cause a server crash.

    #34060

    AITpro Admin
    Keymaster

    So basically at this point the solution is simply to scan less files at one time.  We may add “chunk” scanning capability to MScan later on.  That just depends on how much extra work we feel like putting into a malware scanner.  We see malware scanners as a simple tool and not anything more significant than that especially when you compare malware scanners to BPS Pro ARQ IDPS. 😉

    #34063

    Living Miracles
    Participant

    Hi,

    I tried out the MScan on one of my GoDaddy Managed WordPress staging sites and a lot of plugin files were found to be suspicious. Also almost 1000 database entries were found to be suspicious; they were all iframes…

    Here are the files that were found (after the “–>” is the Pattern Match):

    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-post-scraper-540.min.js 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-admin-540.min.js 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-metabox-540.min.js 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-term-scraper-540.min.js
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/configuration-wizard-540.min.js
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-recalculate-540.min.js
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/tinymce-small.json --> Altered or unknown WP Core file
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/readme.md --> Altered or unknown WP Core file
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/tinymce.json --> Altered or unknown WP Core file
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/skin.ie7.min.css --> Altered or unknown WP Core file
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/plugins/media/moxieplayer.swf --> Altered or unknown WP Core file 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/includes/import_settings.php --> o0
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/js/DD_belatedPNG_0.0.8a-min.js --> visibility:hidden 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/core/admin/includes/class-portability.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wp-security-audit-log/wp-security-audit-log.php --> base64_decode(
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wp-security-audit-log/classes/Connector/MySQLDB.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/sumome/js/preload.php --> 00000000 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/sumome/classes/class_sumome.php --> 00000000 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/DES.php --> \x00\x00 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Rijndael.php --> 00000000 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Twofish.php --> 00000000
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php --> \x2a\x86 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Base.php --> \xFF\xFF
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/File/ASN1.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/File/X509.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Math/BigInteger.php --> 10000000
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SSH1.php --> 00000001 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SSH2.php --> 00000001
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php --> 00000001 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Google/ApiUtils.php --> base64_decode(
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MMB/Comment.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MMB/Helper.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Worker/Configuration.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Worker/Request.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Action/ConnectWebsite.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Action/IncrementalBackup/UploadCloner.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/System/Environment.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/MasterRequest/VerifyConnectionInfo.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/MasterRequest/AuthenticateLegacyRequest.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/PublicRequest/AutomaticLogin.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/Client.php --> \x1f\x7f
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/ValueStore.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/Path.php --> \x09\x0A 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/functions.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/autoptimize/classes/autoptimizeBase.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/autoptimize/classes/autoptimizeStyles.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/captcha/captcha.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/captcha/bws_menu/js/codemirror.js --> \x80"
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/monarch/includes/oauth.php --> base64_decode( 
    /var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/monarch/core/components/Portability.php --> base64_decode( 
    

    Can you say whether these are all false positives (including the iframes found in the database… we do use iframes for certain things, you know…)? I can’t imagine that this site has malicious code as I’ve had BPS Pro installed for a couple of years now.

    Thank you!

    #34064

    AITpro Admin
    Keymaster

    @ Living Miracles – Most likely all of the suspicious code detected by MScan are false positives.  That is unfortunately the limitation and nature of malware scanners vs something like BPS Pro ARQ IDPS, which is 100% accurate every time/all of the time. 😉  We created the MScan malware scanner because a lot of folks requested a malware scanner.  Malware scanners are a useful tool, but are insignificant compared to BPS Pro ARQ IDPS, which is far superior to malware scanners including MScan.

    Basic Info:
    The #1 most common likely place hacker files and code would be is your hosting account root folder.

    It is very unlikely that any suspicious code detected in any plugin files is actually malicious code.  So you can ignore all of those files using the View|Ignore|Delete Suspicious Files Form.  You can of course check the plugin files if you would like to do that, but the chance that they actually contain malicious code is pretty much nil.

    Since you use iframes code then can ignore all of the database entries detected as suspicious using the View|Ignore Suspicious DB Entries Form. You can of course check the database entries if you would like to do that, but the chance that they actually contain malicious code is pretty much nil.

    #34065

    Living Miracles
    Participant

    Thank you for explaining!

    #34071

    David Versteeg
    Participant

    Well, I don’t know. I run only one website with 13 plugins and even after excluding the plugin folder the process is still pretty much hit & miss – sometimes it finishes, more often it does not. As I have similar results as Living Miracles (probably all false positives), I will just ignore the functionality – I have ARQ IDPS up and running anyway.

    #34075

    AITpro Admin
    Keymaster

    @ David Versteeg – Yeah, we kind of expected that to be the case on some host servers.  MScan currently does not have any sort of limitations/restrictions and is not using “chunk scanning”.  So if a scan exceeds what a web host server allows then the web host server will automatically abort/stop the scan.  For now the most practical/logical usage for MScan would be scenarios like this:  Someone suspects or wants to know if their website(s) is already hacked or they are installing BPS Pro for the first time and want to check if their website(s) is already hacked.  To make automated MScan sheduled scans a consistently working feature we would need to add limitations/restrictions and chunk scanning to MScan so that scanning would be well below the limitations/restrictions/thresholds on all web host servers worldwide.

    #34088

    Tina Dubinsky
    Participant

    I’m unure if this is the correct place to post this so please move it if its not.

    I have tried to run this on two different subdomains (rather than across 5  at once). Unfortunately, I ran into the issue of my hosts malware scanner detecting mware. I contacted my host (Site5) about whitelisting and they flat out said “No, not going to happen on a shared server.”

    Does this pose an issue for continued use of bps pro?

    Can I turn off mware feature for now or does it just stay dormant until I try to run again?

    I haven’t set up any automatic scans since the first attempt on both which did not appear to finish and caused my php error log to fill up (because of the hosts scanner). It did appear to pick up a lot of what I think were false positives from modules such as jetpack, shortcodes ultimate and bootstrap to name a couple off the top of my head.  But because of the advice that it can’t be run correctly until whitelisted I had ignored the list.

    Cheers,

    -Tina

    #34091

    AITpro Admin
    Keymaster

    @ Tina Dubinsky – This is a perfect example of why malware scanners are a poor method of “security” for websites/servers. Your web host malware scanner and all malware scanners including MScan will always detect false positives.  Malware scanners and anti-virus computer software used on computers on the other hand are a good method of security protection because of the major differences in website tech vs computer tech.  We researched creating a website malware scanner in BPS Pro 6+ years ago and discovered that website malware scanners are an inferior method of website security.  We created something far superior to a website malware scanner 6+ years ago instead > BPS Pro ARQ IDPS.

    Important Notes:
    We created MScan to catch/detect malware/hacker files/hacker code that was being missed/not detected by all the other WP plugins that we tested that have malware scanners.  Unfortunately, the downside of detecting hacker files and code that other WP plugin malware scanners miss/do not detect is that more false positives are detected by MScan.  MScan matches common PHP functions used by hackers in hacker code, the PHP functions themselves are not malicious and those PHP functions are also used in some plugins legitimately.  MScan also matches a wide range of common obfuscation methods used by hackers in hacker code to hide hacker code, but will obviously catch legitimate obfuscation methods used in some plugins that are obfuscating plugin code for legitimate reasons and methods.

    Ok so to answer your questions, I assume your web host has just disabled only this BPS file, which contains the MScan pattern matching code used to check for malware/malicious hacker files and code:  /bulletproof-security/includes/mscan-ajax-functions.php.  If your host has only disabled this 1 BPS file then everything else in BPS will work fine with the exception of MScan of course.  You should ask your host if that is what they have done to make sure that everything else in BPS will still work normally.

    Possible future solutions:
    We could store the MScan pattern matching code on our API Server, which would be called remotely only during MScan scanning.  By doing that a web host would not detect the MScan pattern matching code in BPS since it would not actually exist in the /bulletproof-security/includes/mscan-ajax-functions.php BPS plugin file.

    We could add an option to remove/delete MScan from BPS like we did with the BPS Pro Base64 Decoder/Encoder Pro-Tools, which were also being falsely detected as malicious by web hosts.

    Summary:
    Since BPS Pro already has ARQ IDPS, which is far superior to malware scanners then MScan falls into a “useful” tool category, but malware scanners are a very poor method of website security vs ARQ IDPS due to the common issue that website malware scanners will always find false positives.  That is just what is for website malware scanners vs computer malware scanners.  What I mean by “poor method” is not that MScan will not be able to find all hacker code and files on a website/server, but instead “poor method” means that malware scanners come with the very common problem of detecting false positives – that is just the general nature and shortcoming of website malware scanners unfortunately.  😉

Viewing 15 posts - 1 through 15 (of 27 total)

You must be logged in to reply to this topic.