BulletProof Security Pro forum: MScan – Troubleshooting, questions, problems and code posting
Tagged: Malware Scanner, MScan, suspicious code
This topic has 63 replies, 12 voices, and was last updated 1 year ago by AITpro Admin.
AITpro Admin (Keymaster):
This forum topic is for posting any MScan questions, issues, problems, etc. and is also for posting any code that MScan has detected as suspicious. If MScan has detected some code that appears to be suspicious and you are not sure if that code is actually malicious then copy and paste the code in your forum Reply and we will let you know if the code is actually malicious or safe.
Note: As of BPS Pro 15.4 and BPS 4.8 MScan now uses file hash comparisons for all WP files (WP Core, Plugins and Themes). File hash comparisons are 100% accurate, which means no false positives will occur for any WP files. All other non-WP files are scanned using standard conventional pattern matching, but now that WP Files are all scanned with file hash comparisons this allowed increasing the detection sensitivity for pattern matching scanning. Additional pattern matching rules have been added to MScan.
If you have general MScan questions, please click the MScan Read Me help button on the MScan BPS plugin page and also check the MScan Malware Scanner Guide forum topic to see if your question is already answered before posting your question.
Posting MScan Log file log entries:
The MScan Log file contains extensive detailed information about all phases of scans. If a scan stops or fails prematurely or some other problem is occurring with a scan, please post ONLY the scan log entries for the scan that is stopping or failing. Please do not post your entire MScan Log file contents.

Posting code that MScan has detected as suspicious:
When MScan detects suspicious code in files, the file will be added to the View|Ignore|Delete Suspicious Files Form under the View|Ignore|Delete Suspicious Files accordion tab. To view the file contents click the View checkbox next to that file and click the Submit button. Use your Browser’s Search or Find feature to search the file contents/code displayed to you using the MScan Pattern Match that is displayed to you for the suspicious code that was detected by MScan. Copy only a section of the code that is relevant (5 to 10 lines of code above and below the MScan Pattern Match) – do not copy the entire file contents that is displayed to you. Then paste the code that you copied from the file contents in a new forum Reply. Please use “pre” tags when posting code. Example: <pre> your code goes here </pre>

The Good News:
The MScan malware scanner will detect hacker files and code that other malware scanners do not detect.

The Bad News:
Because the MScan malware scanner will detect hacker files and code that other malware scanners do not detect, there will also be more false positive matches made by MScan.

Known Issue|Problem: File Hashes do not match due to differences in file format: Windows (CR LF) vs Linux (LF)
Update: BPS Pro 16.3 and BPS 5.8 automatically convert Windows default Themes from CR LF to LF format.
This issue/problem typically only happens on Local Dev servers like XAMPP. Problem scenario: All WP Core, Plugin and Theme files should be using Linux (LF) format. On XAMPP during the file hash creation stage in MScan some files have the Windows (CR LF) format, which means the file size is slightly different and the file hash that is created will not match the file hash for the actual Live file. The result is MScan will detect that the file has been altered or tampered with and display “File Hash: Altered or unknown Theme file” for that file. Example Scenario: When you update Themes, older files will not be replaced for that Theme and only files that have been changed are replaced. The original Theme file has the Linux (LF) format, but the new Theme file in the Theme zip file has the Windows (CR LF) format. The file hash that is created for that Theme file will not match the file hash for the existing Theme file. The end result is a false positive since the file is seen as altered or not matching the file hash for that Theme file.

Known Issue|Problem: False positive suspicious WP Core files when manually installing WP Core versions:
Example Scenario: If you manually copied the WP 5.9 folders and files over a WP 5.8 installation, the old WP files that are automatically deleted when updating from your WP Dashboard will not be deleted. WordPress does this in the WP Upgrader function and that function is only executed when doing Bulk or Automatic Updates. The end result of this scenario is that old WP Core files are seen as suspicious. To fix this issue re-install WordPress on the Dashboard > Updates page. Click the Reset MScan button and run a new scan.

Known Issue|Problem: PHP Parse error: Unclosed ‘(‘ on line 2 in plugin-hashes.php on line xxxx
Most likely the cause of this error is the hash file is being parsed before it has been completely updated/created. Looking into adding a condition to prevent this php error from intermittently occurring. This php error does not cause any problems and can be ignored.

Under Investigation: MScan scan causes subdomain sites to freeze
This problem is only occurring on my 2 subdomain sites. MScan runs normally on all my other top level TLD and subdirectory sites. This could be a GoDaddy issue or a general DNS problem or some other code problem.

David Versteeg (Participant):
I have tried running the MScan several times today, without much success. The scan seems to stop without notification; see the log below:
[MScan Scan Start: 09/09/2017 18:23]
Scan Time Calculation: Start Count total files to scan.
Scan Time Calculation: Max File Size Limit to Scan: 400 KB
Scan Time Calculation: Total Website Files: 9055
Scan Time Calculation: Total Skipped Files (larger than 400 KB): 6
Scan Time Calculation: Total WP Core Files to Scan: 1321
Scan Time Calculation: Total non-Image Files to Scan: 2448
Scan Time Calculation: Total Image Files to Scan: 0
Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 3769
Scan Time Calculation: Hosting Account Root Folders to Scan: wp-admin, wp-content, wp-includes
Scan Time Calculation: WP Hash Time Estimate: +0 Seconds
Scan Time Calculation: WP Core Files Time Estimate: +3 Seconds
Scan Time Calculation: non-Image Files Time Estimate: +91 Seconds
Scan Time Calculation: Image Files Time Estimate: +0 Seconds
Scan Time Calculation: DB Size Time Estimate: +1 Seconds
Scan Time Calculation: Scan Time Estimate: 95 Seconds
Scan Time Calculation Completion Time: 00:00:42
WP Zip File Download: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip was not downloaded again.
WP Zip File Extraction: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip file does not need to be extracted.
WP MD5 File Hash Maker: The wp-hashes.php file already exists for WordPress 4.8.1. The wp-hashes.php file was not created again.
Scanning Files: Start scanning files.
The most successful scan came a bit further:
[MScan Scan Start: 09/09/2017 14:09]
Scan Time Calculation: Start Count total files to scan.
Scan Time Calculation: Max File Size Limit to Scan: 400 KB
Scan Time Calculation: Total Website Files: 9055
Scan Time Calculation: Total Skipped Files (larger than 400 KB): 6
Scan Time Calculation: Total WP Core Files to Scan: 1321
Scan Time Calculation: Total non-Image Files to Scan: 2448
Scan Time Calculation: Total Image Files to Scan: 0
Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 3769
Scan Time Calculation: Hosting Account Root Folders to Scan: wp-admin, wp-content, wp-includes
Scan Time Calculation: WP Hash Time Estimate: +0 Seconds
Scan Time Calculation: WP Core Files Time Estimate: +3 Seconds
Scan Time Calculation: non-Image Files Time Estimate: +91 Seconds
Scan Time Calculation: Image Files Time Estimate: +0 Seconds
Scan Time Calculation: DB Size Time Estimate: +1 Seconds
Scan Time Calculation: Scan Time Estimate: 95 Seconds
Scan Time Calculation Completion Time: 00:00:33
WP Zip File Download: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip was not downloaded again.
WP Zip File Extraction: The wp-hashes.php file already exists for WordPress 4.8.1. The wordpress-4.8.1.zip file does not need to be extracted.
WP MD5 File Hash Maker: The wp-hashes.php file already exists for WordPress 4.8.1. The wp-hashes.php file was not created again.
Scanning Files: Start scanning files.
Scanning Files: Start WP Core file scan.
Scanning Files: Suspicious|Modified|Unknown WP Core files:
Scanning Files WP Core: No Suspicious|Modified|Unknown WP Core files were found.
Scanning Files: WP Core file scan completed.
Scanning Files: Start non-Image file (php, js, etc) scan.
Scanning Files: Suspicious code pattern matches:
Any suggestions what could go wrong here? I have used the default scan settings.
AITpro Admin (Keymaster):
The clues are: The WP Core file MD5 file hash comparison completed. The WP Core MD5 file hash comparison uses an array of WP Core file hashes to check all WP Core files. Regular scanning of non-WP Core and non-image files uses this PHP function: file_get_contents(), to open and scan the contents of files. Maybe there is a problem with scanning plugin files or theme files or some other folder? Try creating an exclude rule to exclude scanning the /wp-content/plugins/ folder and see if that works. Enter the path to your plugins folder in the MScan Exclude Individual Folders textbox, click the Save MScan Options button and run a scan.
It appears that something is not allowing the file_get_contents() function to open and scan files in your Hosting Account Root folder. Do you see any PHP Errors that offer any clues? Do you see any Host server log error entries that offer any clues? Go to the BPS System Info page and post this system information about your server/website.
Server Type: Apache
Operating System: Linux
WP Filesystem API Method: direct
Server API: cgi-fcgi
CGI Host Server Type
Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
200: mod_rewrite Module is Loaded
cURL: cURL Extension is Loaded Version: 7.48.0
cURL OpenSSL Version (Used by PayPal, etc.): OpenSSL/1.0.1e
OpenSSL Library: OpenSSL 1.0.0-fips 29 Mar 2010
Zend Engine Version: 2.4.0
Zend Guard|Optimizer: A Zend Extension is Not Loaded
ionCube Loader: ionCube Loader Extension is Not Loaded
Suhosin: Suhosin is Not Installed|Loaded
APC: APC Extension is Loaded and Enabled
eAccelerator: eAccelerator Extension is Not Loaded
XCache: XCache Extension is Loaded but Not Enabled
Varnish: Varnish Extension is Not Loaded
Memcache: Memcache Extension is Not Loaded
Memcached: Memcached Extension is Not Loaded
CAUTION: Use X's to hide your php.ini and temp dir path information below
PHP Version: 5.4.19
PHP Memory Usage: 14.2 MB
WordPress Admin Memory Limit: 256M
WordPress Base Memory Limit: 40M
PHP Actual Configuration Memory Limit: 128M
PHP Configuration File (php.ini): /home/xxxxx/html/php5.ini
WP Temp Dir: /home/xxxxx/tmp/
PHP Temp Dir: /home/xxxxx/tmp
PHP Upload Temp Dir: /tmp
Session Save Path: Not set/defined or directory is not writable
Garbage Collector: On | Cycles: 0
PHP Max Upload Size: 150M
PHP Max Post Size: 150M
PHP Safe Mode: Off
PHP Allow URL fopen: Off
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: Off
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: Off
PHP Output Buffering: Off
PHP Max Script Execution Time: 30 Seconds
PHP Magic Quotes GPC: Off
PHP open_basedir: Off/Not in use
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: Yes
Under the “File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID” System Info table are all of your Script Owner User ID (UID) and File Owner User ID the same ID number?
David Versteeg (Participant):
I don’t see anything in PHP Error Log for today. Please find the requested information below:
Server Type: Apache/2.2.16 (Debian)
Operating System: Linux
WP Filesystem API Method: direct
Server API: apache2handler
DSO Host Server Type
Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
200: mod_rewrite Module is Loaded
cURL: cURL Extension is Loaded Version: 7.38.0
cURL OpenSSL Version (Used by PayPal, etc.): OpenSSL/1.0.1k
OpenSSL Library: OpenSSL 1.0.1e 11 Feb 2013
Zend Engine Version: 2.6.0
Zend Guard|Optimizer: A Zend Extension is Not Loaded
Zend OPcache: Zend OPcache is Enabled Version: 7.0.6-dev
ionCube Loader: ionCube Loader Extension is Not Loaded
Suhosin: Suhosin is Not Installed|Loaded
APC: APC Extension is Not Loaded
eAccelerator: eAccelerator Extension is Not Loaded
XCache: XCache Extension is Loaded but Not Enabled
Varnish: Varnish Extension is Not Loaded
Memcache: Memcache Extension is Not Loaded
Memcached: Memcached Extension is Not Loaded
PHP Version: 5.6.17-1~dotdeb+7.1
PHP Memory Usage: 53.16 MB
WordPress Admin Memory Limit: 256M
WordPress Base Memory Limit: 40M
PHP Actual Configuration Memory Limit: 128M
PHP Configuration File (php.ini): /etc/php5/apache2/php.ini
WP Temp Dir: /public/tmp/
PHP Temp Dir: Not set/defined or directory is not writable
PHP Upload Temp Dir: /public/tmp
Session Save Path: /public/tmp
Garbage Collector: On | Cycles: 0
PHP Max Upload Size: 32M
PHP Max Post Size: 32M
PHP Safe Mode: Off
PHP Allow URL fopen: On
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: On
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: On
PHP Output Buffering: 4096
PHP Max Script Execution Time: 30 Seconds
PHP Magic Quotes GPC: Off
PHP open_basedir: Off/Not in use
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: Yes
As the folder structure appears different from the one you suggest, I am not sure what to X out in there…
All Owner User IDs are the same.

AITpro Admin (Keymaster):
I combined my response yesterday into my previous forum reply above. Check your web host server logs and see if there are any server log errors/entries that offer any clues to the problem and post it/them in your reply.
David Versteeg (Participant):
Excluding the wp-content/plugins/ folder made quite a difference, it is completing the scan sometimes although it is still not a 100% guarantee. I am not sure where to locate the Host server log error entries?
AITpro Admin (Keymaster):
Yeah, if you have more than the modest average number of plugins installed, which is around 7-12 plugins per WP site, then MScan will probably not be able to scan more than 5 WordPress sites under a hosting account at one time. Some plugins have 1,000’s of files and are as large or larger in total KB|MB size than WP itself. 😉 We expected that scanning the /plugins/ folder would be where problems would occur. I have seen as many as 200 plugins installed on a website and a lot of sites have around 40-50 plugins installed. If each of those 40-50 plugins has an average of 200 files each then that would be 8,000-10,000 files to scan on top of all other hosting account files. It is actually not a limitation in MScan itself, but the limitation occurs with a host server. If peak resource usage exceeds allowed web host server limits then host servers will automatically abort script execution. Basically the server automatically prevents an overload or crash by aborting script execution that is expected to cause a server crash.
AITpro Admin (Keymaster):
So basically at this point the solution is simply to scan less files at one time. We may add “chunk” scanning capability to MScan later on. That just depends on how much extra work we feel like putting into a malware scanner. We see malware scanners as a simple tool and not anything more significant than that especially when you compare malware scanners to BPS Pro ARQ IDPS. 😉
Living Miracles (Participant):
Hi,
I tried out the MScan on one of my GoDaddy Managed WordPress staging sites and a lot of plugin files were found to be suspicious. Also almost 1000 database entries were found to be suspicious; they were all iframes…
Here are the files that were found (after the “–>” is the Pattern Match):
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-post-scraper-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-admin-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-metabox-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-term-scraper-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/configuration-wizard-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wordpress-seo/js/dist/wp-seo-recalculate-540.min.js
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/tinymce-small.json --> Altered or unknown WP Core file
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/readme.md --> Altered or unknown WP Core file
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/fonts/tinymce.json --> Altered or unknown WP Core file
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/skins/lightgray/skin.ie7.min.css --> Altered or unknown WP Core file
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-includes/js/tinymce/plugins/media/moxieplayer.swf --> Altered or unknown WP Core file
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/includes/import_settings.php --> o0
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/js/DD_belatedPNG_0.0.8a-min.js --> visibility:hidden
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/themes/Chameleon/core/admin/includes/class-portability.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wp-security-audit-log/wp-security-audit-log.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/wp-security-audit-log/classes/Connector/MySQLDB.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/sumome/js/preload.php --> 00000000
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/sumome/classes/class_sumome.php --> 00000000
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/DES.php --> \x00\x00
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Rijndael.php --> 00000000
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Twofish.php --> 00000000
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php --> \x2a\x86
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Crypt/Base.php --> \xFF\xFF
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/File/ASN1.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/File/X509.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Math/BigInteger.php --> 10000000
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SSH1.php --> 00000001
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SSH2.php --> 00000001
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php --> 00000001
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Google/ApiUtils.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MMB/Comment.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MMB/Helper.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Worker/Configuration.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Worker/Request.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Action/ConnectWebsite.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/Action/IncrementalBackup/UploadCloner.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/System/Environment.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/MasterRequest/VerifyConnectionInfo.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/MasterRequest/AuthenticateLegacyRequest.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/MWP/EventListener/PublicRequest/AutomaticLogin.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/Client.php --> \x1f\x7f
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/ValueStore.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/src/Dropbox/Path.php --> \x09\x0A
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/worker/functions.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/autoptimize/classes/autoptimizeBase.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/autoptimize/classes/autoptimizeStyles.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/captcha/captcha.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/captcha/bws_menu/js/codemirror.js --> \x80"
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/monarch/includes/oauth.php --> base64_decode(
/var/chroot/home/content/xxxxxxxxxxxxxxxxxxxxxxxx/xx/xxxxxxxxx/html/wp-content/plugins/monarch/core/components/Portability.php --> base64_decode(
Can you say whether these are all false positives (including the iframes found in the database… we do use iframes for certain things, you know…)? I can’t imagine that this site has malicious code as I’ve had BPS Pro installed for a couple of years now.
Thank you!
AITpro Admin (Keymaster):
@ Living Miracles – Most likely all of the suspicious code detected by MScan are false positives. That is unfortunately the limitation and nature of malware scanners vs something like BPS Pro ARQ IDPS, which is 100% accurate every time/all of the time. 😉 We created the MScan malware scanner because a lot of folks requested a malware scanner. Malware scanners are a useful tool, but are insignificant compared to BPS Pro ARQ IDPS, which is far superior to malware scanners including MScan.
Basic Info:
The #1 most common likely place hacker files and code would be is your hosting account root folder. It is very unlikely that any suspicious code detected in any plugin files is actually malicious code. So you can ignore all of those files using the View|Ignore|Delete Suspicious Files Form. You can of course check the plugin files if you would like to do that, but the chance that they actually contain malicious code is pretty much nil.
Since you use iframes code then you can ignore all of the database entries detected as suspicious using the View|Ignore Suspicious DB Entries Form. You can of course check the database entries if you would like to do that, but the chance that they actually contain malicious code is pretty much nil.
Living Miracles (Participant):
Thank you for explaining!
David Versteeg (Participant):
Well, I don’t know. I run only one website with 13 plugins and even after excluding the plugin folder the process is still pretty much hit & miss – sometimes it finishes, more often it does not. As I have similar results as Living Miracles (probably all false positives), I will just ignore the functionality – I have ARQ IDPS up and running anyway.
AITpro Admin (Keymaster):
@ David Versteeg – Yeah, we kind of expected that to be the case on some host servers. MScan currently does not have any sort of limitations/restrictions and is not using “chunk scanning”. So if a scan exceeds what a web host server allows then the web host server will automatically abort/stop the scan. For now the most practical/logical usage for MScan would be scenarios like this: Someone suspects or wants to know if their website(s) is already hacked or they are installing BPS Pro for the first time and want to check if their website(s) is already hacked. To make automated MScan scheduled scans a consistently working feature we would need to add limitations/restrictions and chunk scanning to MScan so that scanning would be well below the limitations/restrictions/thresholds on all web host servers worldwide.
Tina Dubinsky (Participant):
I’m unsure if this is the correct place to post this so please move it if it’s not.
I have tried to run this on two different subdomains (rather than across 5 at once). Unfortunately, I ran into the issue of my host’s malware scanner detecting malware. I contacted my host (Site5) about whitelisting and they flat out said “No, not going to happen on a shared server.”
Does this pose an issue for continued use of bps pro?
Can I turn off the malware feature for now or does it just stay dormant until I try to run again?
I haven’t set up any automatic scans since the first attempt on both, which did not appear to finish and caused my php error log to fill up (because of the host’s scanner). It did appear to pick up a lot of what I think were false positives from modules such as jetpack, shortcodes ultimate and bootstrap to name a couple off the top of my head. But because of the advice that it can’t be run correctly until whitelisted I had ignored the list.
Cheers,
-Tina
AITpro Admin (Keymaster):
@ Tina Dubinsky – This is a perfect example of why malware scanners are a poor method of “security” for websites/servers. Your web host malware scanner and all malware scanners including MScan will always detect false positives. Malware scanners and anti-virus computer software used on computers on the other hand are a good method of security protection because of the major differences in website tech vs computer tech. We researched creating a website malware scanner in BPS Pro 6+ years ago and discovered that website malware scanners are an inferior method of website security. We created something far superior to a website malware scanner 6+ years ago instead > BPS Pro ARQ IDPS.
Important Notes:
We created MScan to catch/detect malware/hacker files/hacker code that was being missed/not detected by all the other WP plugins that we tested that have malware scanners. Unfortunately, the downside of detecting hacker files and code that other WP plugin malware scanners miss/do not detect is that more false positives are detected by MScan. MScan matches common PHP functions used by hackers in hacker code, the PHP functions themselves are not malicious and those PHP functions are also used in some plugins legitimately. MScan also matches a wide range of common obfuscation methods used by hackers in hacker code to hide hacker code, but will obviously catch legitimate obfuscation methods used in some plugins that are obfuscating plugin code for legitimate reasons and methods.

Ok so to answer your questions, I assume your web host has just disabled only this BPS file, which contains the MScan pattern matching code used to check for malware/malicious hacker files and code: /bulletproof-security/includes/mscan-ajax-functions.php. If your host has only disabled this 1 BPS file then everything else in BPS will work fine with the exception of MScan of course. You should ask your host if that is what they have done to make sure that everything else in BPS will still work normally.
Possible future solutions:
We could store the MScan pattern matching code on our API Server, which would be called remotely only during MScan scanning. By doing that a web host would not detect the MScan pattern matching code in BPS since it would not actually exist in the /bulletproof-security/includes/mscan-ajax-functions.php BPS plugin file.

We could add an option to remove/delete MScan from BPS like we did with the BPS Pro Base64 Decoder/Encoder Pro-Tools, which were also being falsely detected as malicious by web hosts.
Summary:
Since BPS Pro already has ARQ IDPS, which is far superior to malware scanners, MScan falls into a “useful” tool category, but malware scanners are a very poor method of website security vs ARQ IDPS due to the common issue that website malware scanners will always find false positives. That is just how it is for website malware scanners vs computer malware scanners. What I mean by “poor method” is not that MScan will not be able to find all hacker code and files on a website/server, but instead “poor method” means that malware scanners come with the very common problem of detecting false positives – that is just the general nature and shortcoming of website malware scanners unfortunately. 😉
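The reply above, together with the note at the top of the thread about hash comparisons for WP files, describes two tiers: a file with a known-good hash is judged by the hash alone, and only files the hash list knows nothing about fall back to pattern matching, which is where the base64_decode( hits on legitimate plugins such as the ones Living Miracles posted come from. The Known Issue entry on Windows (CR LF) vs Linux (LF) shows the one thing that breaks the first tier. The example below, added for this page and not MScan’s or AITpro’s code, puts the two tiers together with line-ending normalisation applied before hashing. It assumes SHA-256 over a manifest keyed by relative path (MScan itself builds MD5 hashes from the WordPress zip), a four-entry pattern list that is only a stand-in for the real rule set, and a constructed “plugin release” and “on-disk site” of a few inline files.

```python
"""Hash-first verification with a pattern-match fallback, normalising CR LF to LF
before hashing so Windows-packaged copies of Linux-formatted files compare equal.

Added example, not MScan's code. SHA-256, the manifest layout, the pattern list and
the sample files are assumptions made for the demonstration.
"""
import hashlib
import re

# Stand-in for a scanner's rule set: a few functions/idioms common in hacker code
# that are also used legitimately, which is exactly why tier two produces false positives.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"base64_decode\s*\("),
    re.compile(rb"gzinflate\s*\("),
    re.compile(rb"str_rot13\s*\("),
    re.compile(rb"eval\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def normalize_line_endings(data: bytes) -> bytes:
    """CR LF -> LF, so a theme file repackaged on Windows hashes like its Linux original."""
    return data.replace(b"\r\n", b"\n")


def raw_hash(data: bytes) -> str:
    """Hash of the bytes exactly as stored (what a naive comparison would use)."""
    return hashlib.sha256(data).hexdigest()


def file_hash(data: bytes) -> str:
    """Hash used on both sides (manifest build and check): always over normalised bytes."""
    return raw_hash(normalize_line_endings(data))


def classify(path: str, data: bytes, manifest: dict) -> tuple:
    """Tier one: known path -> hash decides, patterns are never consulted.
    Tier two: unknown path -> first matching pattern is reported."""
    if path in manifest:
        if file_hash(data) == manifest[path]:
            return ("ok", "hash match")
        return ("altered", "hash mismatch")
    for pat in SUSPICIOUS_PATTERNS:
        m = pat.search(data)
        if m:
            return ("suspicious", m.group(0).decode("latin-1"))
    return ("ok", "no pattern match")


def build_manifest(files: dict) -> dict:
    return {p: file_hash(d) for p, d in files.items()}


def scan(files: dict, manifest: dict) -> dict:
    return {p: classify(p, d, manifest) for p, d in files.items()}


# Constructed "known good" plugin release (what the hash manifest is built from).
# legit.php legitimately calls base64_decode(), the classic false-positive trigger.
ORIGINAL = {
    "wp-content/plugins/legit/legit.php": b"<?php\n$cfg = base64_decode(get_option('legit_blob'));\n",
    "wp-content/plugins/legit/functions.php": b"<?php\nfunction legit_hello() { return 'hi'; }\n",
}
MANIFEST = build_manifest(ORIGINAL)

# Constructed on-disk site: legit.php re-saved with Windows line endings, functions.php
# with a backdoor appended, plus two files in uploads/ that no manifest covers.
SITE = {
    "wp-content/plugins/legit/legit.php":
        ORIGINAL["wp-content/plugins/legit/legit.php"].replace(b"\n", b"\r\n"),
    "wp-content/plugins/legit/functions.php":
        ORIGINAL["wp-content/plugins/legit/functions.php"] + b"eval($_POST['c']);\n",
    "wp-content/uploads/2017/09/cache.php": b"<?php eval(gzinflate(base64_decode('SG...')));\n",
    "wp-content/uploads/2017/09/readme.txt": b"Just a text file.\n",
}

if __name__ == "__main__":
    for path, (verdict, detail) in scan(SITE, MANIFEST).items():
        print(f"{verdict:10s} {path}  ({detail})")
```

legit.php contains a base64_decode( call and is stored with CR LF line endings, yet it comes back ok because its normalised hash is in the manifest; functions.php has an eval appended and comes back altered without any pattern ever being consulted; only the two uploads files, unknown to the manifest, reach the pattern tier, and there the dropper is caught on its first pattern while the text file passes. Normalise before hashing on both sides, when the manifest is built and when a file is checked; if either side skips it, a theme zip packaged on Windows produces exactly the “Altered or unknown Theme file” false positive described in the Known Issue above.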