MScan – Troubleshooting, questions, problems and code posting


Viewing 15 posts - 16 through 30 (of 64 total)
    #34157
    Tina Dubinsky
    Participant

    Hi, the weird thing is my host hasn’t disabled any files. The rest of BPS Pro works as per usual. I’ve run into a few other issues with them of late (old PHP and SQL versions that WordPress doesn’t work so well on), so I’ll most likely migrate away in the next few months.

    Cheers

    -Tina

    #35344
    Paul
    Participant

    Altered or unknown WP Core file

    <?php
    // Fragment 1 (flagged as "Altered or unknown WP Core file"): these are the
    // version constants WordPress ships in wp-includes/version.php.
    /**
     * The WordPress version string
     *
     * @global string $wp_version
     */
    $wp_version = '4.9.4';

    /**
     * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
     *
     * @global int $wp_db_version
     */
    $wp_db_version = 38590;

    /**
     * Holds the TinyMCE version
     *
     * @global string $tinymce_version
     */
    $tinymce_version = '4607-20180123';

    /**
     * Holds the required PHP version
     *
     * @global string $required_php_version
     */
    $required_php_version = '5.2.4';

    /**
     * Holds the required MySQL version
     *
     * @global string $required_mysql_version
     */
    $required_mysql_version = '5.0';

    $wp_local_package = 'en_GB';

    // Fragment 2 (from the wp-mail-smtp plugin, per the post): cookie name/value
    // validation inside a method; $name and $this->getValue() belong to the
    // surrounding class, which is not shown.
    if (empty($name) && !is_numeric($name)) {
        return 'The cookie name must not be empty';
    }

    // Check if any of the invalid characters are present in the cookie name
    if (preg_match(
        '/[\x00-\x20\x22\x28-\x29\x2c\x2f\x3a-\x40\x5c\x7b\x7d\x7f]/',
        $name)
    ) {
        return 'Cookie name must not contain invalid characters: ASCII '
            . 'Control characters (0-31;127), space, tab and the '
            . 'following characters: ()<>@,;:\"/?={}';
    }

    // Value must not be empty, but can be 0
    $value = $this->getValue();
    if (empty($value) && !is_numeric($value)) {
        return 'The cookie value must not be empty';
    }

    // Fragment 3 (from the wp-mail-smtp plugin, per the post): derives the token
    // creation time from $this->token, falling back to the "iat" claim of an
    // ID token that is base64-decoded but, as the original comment says, not
    // signature-verified.
    $created = 0;
    if (isset($this->token['created'])) {
        $created = $this->token['created'];
    } elseif (isset($this->token['id_token'])) {
        // check the ID token for "iat"
        // signature verification is not required here, as we are just
        // using this for convenience to save a round trip request
        // to the Google API server
        $idToken = $this->token['id_token'];
        if (substr_count($idToken, '.') == 2) {
            $parts = explode('.', $idToken);
            $payload = json_decode(base64_decode($parts[1]), true);
            if ($payload && isset($payload['iat'])) {
                $created = $payload['iat'];
            }
        }
    }

    last two and several others from a plugin called wp-mail-smtp

    #35345
    AITpro Admin
    Keymaster

    @ Paul – You can ignore all of these; they are false alerts.  Select the Ignore File checkbox and click the Submit button.

    #35690
    Tony Payne
    Participant

    I ran MSCAN for the first time today and I have a MAJOR problem!

    I ran the scan time test; it said about 90 seconds.  Ran the test, it was running ok, then this displayed:
    Error establishing a database connection
    This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down.

    • Are you sure you have the correct username and password?
    • Are you sure that you have typed the correct hostname?
    • Are you sure that the database server is running?

    If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.

    The odd thing is that it has taken down all 3 of my hosted WordPress sites:

    https://www.delovesto.com
    https://www.thelaughline.com
    https://www.squidblogs.com

    with the same database connection problem. All 3 are on the same hosted account, very low traffic, and not part of a multi-site WordPress installation.

    The databases are all accessible via PHP-MyAdmin so intact, and the wp-config.php files appear to be unchanged.
    Any ideas as to what might have happened and how to resolve this please as all 3 sites are currently down?
    NOTE: I have also raised a ticket with the host (X10-Infinity) in case it’s something they might have done and not BPS Pro.

    #35691
    Tony Payne
    Participant

    Forget my previous post, X10-Infinity confirmed that some limiting of the account had taken place due to excess activity, I assume related to running the scan.   Seems all is now ok on all 3 sites.

    #35697
    AITpro Admin
    Keymaster

    @ Tony Payne – Some web hosts automatically kill the server/website if resources exceed the limitation imposed by the host.  That typically happens on VPS and Dedicated servers.  Shared hosting is designed with flexible buffers since resource usage will fluctuate drastically when there are many accounts/websites hosted on one server.

    #35754
    Margaret
    Participant

    Hope I’m posting in the correct section.

    Hi, my site was hacked prior to installing BPS Pro and I was able to delete all files and do a fresh reinstall.  But a whole bunch of my files have gone into quarantine.  I ran the scanner and here’s a sampling.  There are 64 files.

    I’m confused as to what to do.
    [the data has been deleted since it is unreadable]

    #35755
    AITpro Admin
    Keymaster

    I assume you were manually editing/installing/uploading files on your website and the files were quarantined?  See the AutoRestore|Quarantine Guide forum topic > Help section > AutoRestore|Quarantine Manual File Editing/Uploading Procedural Steps > https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/.  If that is not the answer you are looking for then please explain in exact details what you were doing when the files were quarantined.

    The MScan table data was deleted from your forum reply above because it was unreadable.  The general idea is that MScan will detect possible malicious code pattern matches and then you would need to select the View File Form checkbox option to view the code in the file to check it.  That is not going to do you any good if you do not know what you are looking at is good/bad/safe/malicious code.  😉  If you would like for me to login to your website and check the MScan form results then send a WordPress Administrator login for your website to:  info at ait-pro dot com.

    #35756
    Margaret
    Participant

    Thank you for the reply.  Yes, I installed a new theme this morning.  Just worried as I don’t know what I’m looking for.  I will send you the login.  Thanks so much!  🙂

    #35757
    AITpro Admin
    Keymaster

    Did you install the Theme by using the WordPress Theme installer on the WordPress Themes page or did you manually upload the Theme folder to your website?

    #35758
    Margaret
    Participant

    Sent you an email, but it was through the WordPress installer.

    #35759
    AITpro Admin
    Keymaster

    MScan has found multiple hacker files in several of your plugin folders.

    What you need to do is make a list of all of your plugins (you can use the BPS System Info > Get Plugins List button) and then delete all of the plugin folders in the WordPress /plugins/ folder and then reinstall all of your plugins again. By manually deleting the plugin folders you will not lose all of your plugin’s database option settings.

    The hacker files are in several plugin folders and have names like these below.
    It is better to completely delete all of your plugin folders under the /plugins/ folder instead of using the Delete feature in MScan since there may be more files in the plugin folders that MScan is not detecting because they do not contain any obvious hacker code.

    panel7.php
    panel9.php
    panel8.php
    dfpysadu.php
    xgduidbx.php
    mode-php.js

    Hopefully the hack is contained to only the /plugins/ folder, but you may want to consider the worst case scenario that your entire hosting account is still hacked.
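Two things in this thread reduce to the same check: the "Altered or unknown WP Core file" alert Paul posted earlier, and the advice just above to wipe and reinstall whole plugin folders because MScan's pattern matching cannot see a dropped file that carries no obvious hacker code. Both are answered by comparing what is on disk against a known-good manifest of paths and digests. The script below is an added example, not BPS or MScan code: the plugin folder, file names and tampering are constructed, and the manifest is built from a pristine copy of the plugin. For WordPress core the same `verify_tree()` would take the manifest from `https://api.wordpress.org/core/checksums/1.0/?version=4.9.4&locale=en_GB` (the version and locale from Paul's flagged file), which has the same `{relative/path: md5}` shape.

```python
"""Tree-vs-manifest integrity check: report altered, missing and unknown files.

Added example, not BPS/MScan code.  A manifest maps relative paths to MD5 hex
digests; build it from a freshly downloaded plugin (manifest_from_tree) or, for
core, take the api.wordpress.org checksums response.
"""
import hashlib
import os
import tempfile


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_relative(root, skip_top=()):
    """Yield forward-slash relative paths of every file under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and rel_dir.split(os.sep)[0] in skip_top:
            dirnames[:] = []          # do not descend into skipped top-level dirs
            continue
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            yield rel.replace(os.sep, "/")


def manifest_from_tree(root):
    """{relative/path: md5} for a known-good tree, e.g. a pristine plugin unzip."""
    return {rel: md5_file(os.path.join(root, *rel.split("/")))
            for rel in _walk_relative(root)}


def verify_tree(root, manifest, skip_top=(), allow_unknown=()):
    """altered: digest differs; missing: in manifest, not on disk;
    unknown: on disk, not in manifest (the case pattern matching misses)."""
    report = {"altered": [], "missing": [], "unknown": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif md5_file(path) != expected:
            report["altered"].append(rel)
    for rel in sorted(_walk_relative(root, skip_top)):
        if rel not in manifest and rel not in allow_unknown:
            report["unknown"].append(rel)
    return report


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo():
    """Constructed plugin: pristine copy vs. an installed copy with three changes."""
    pristine = tempfile.mkdtemp(prefix="pristine-")
    installed = tempfile.mkdtemp(prefix="installed-")
    clean = {  # constructed files, not a real plugin
        "example-plugin/example-plugin.php": b"<?php\n/* Plugin Name: Example */\n",
        "example-plugin/includes/helper.php": b"<?php\nfunction ep_helper() {}\n",
        "example-plugin/readme.txt": b"=== Example ===\n",
    }
    for rel, content in clean.items():
        _write(pristine, rel, content)
        _write(installed, rel, content)
    manifest = manifest_from_tree(pristine)
    # Constructed tampering: one edited file, one dropped file whose contents
    # look harmless (so a pattern scanner has nothing to match), one deleted file.
    _write(installed, "example-plugin/includes/helper.php",
           clean["example-plugin/includes/helper.php"] + b"// one appended line\n")
    _write(installed, "example-plugin/includes/dfpysadu.php", b"<?php\n// loader\n")
    os.remove(os.path.join(installed, "example-plugin", "readme.txt"))
    return verify_tree(installed, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The `unknown` list is the point: `dfpysadu.php` contains nothing a signature scanner would flag, yet it is not in the pristine copy, which is exactly why deleting and reinstalling the folder beats deleting only what MScan highlighted. WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` perform this comparison against the live manifests; a clean result still says nothing about `wp-content/uploads`, `wp-config.php` or the database, so it narrows the cleanup rather than finishing it.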

    #37074
    Steve Lubetkin
    Participant

    I have one website that has been getting repeatedly hit. ImmunifyAV removes the infections, but it kept getting reinfected. I reinstalled BPS pro and ran MSCAN. It found a few more hidden files that I deleted, and one database entry that it marked suspicious. Here is the database entry:

    This was on line 722401 of Table: QFbu3uKE_options

    The item is called option_name: bulletproof_security_options_vcheck 

    option_value: a:1:{s:10:"bps_vcheck";s:102:"<iframe src="https://www.ait-pro.com/vcheck/" style="width:0;height:0;border:0;border:none;"></iframe>";}

    Should I be modifying or deleting this table entry?

    #37075
    AITpro Admin
    Keymaster

    @ Steve Lubetkin – That BPS database option value is safe.  You should assume the worst-case scenario, which is that you need to clean up your entire hosting account using the help steps in this forum topic > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    Note: You do not need to do the database steps #4 and #9 in the help forum topic link, but you should check for any WordPress Administrator User Accounts that you did not create or that you do not recognize.
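A scanner flags the option above because it holds an `<iframe>`; whether it is safe depends on where the iframe points and on the serialized value being intact, not on the tag being present. The following added example (not BPS or MScan code) parses the PHP `serialize()` format that `wp_options` stores, checking every declared string length against the payload so a spliced-in value is rejected, then lists each URL inside embedded markup with a verdict against a set of hosts you expect. The posted value is used as-is; the `INJECTED_VALUE` with a `cdn.attacker.example` host and the `MALFORMED_VALUE` are constructed counter-examples, and the expected-host set is an assumption drawn from the vendor's URL in the post.

```python
"""Triage a serialized wp_options value flagged by a scanner.

Added example, not BPS/MScan code.  Strict parser for PHP serialize() output
(the a:/s:/i:/d:/b:/N types found in wp_options) plus a host check on URLs in
embedded <iframe>/<script> markup.
"""
import re
from urllib.parse import urlparse


class PHPUnserializeError(ValueError):
    """Malformed or tampered serialized data (e.g. declared length mismatch)."""


def php_unserialize(data):
    """Parse a PHP serialize() string into Python values; raise on any inconsistency."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise PHPUnserializeError("trailing bytes after offset %d" % pos)
    return value


def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == b"N":                               # N;
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                 # i:123;  d:1.5;  b:1;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode("ascii")
        if tag == b"i":
            return int(raw), end + 1
        if tag == b"d":
            return float(raw), end + 1
        return raw == "1", end + 1
    if tag == b"s":                               # s:<bytelen>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start, end = colon + 2, colon + 2 + length
        if data[colon + 1:colon + 2] != b'"' or data[end:end + 2] != b'";':
            raise PHPUnserializeError(
                "declared string length %d does not match payload at offset %d" % (length, pos))
        return data[start:end].decode("utf-8"), end + 2
    if tag == b"a":                               # a:<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        if data[pos:pos + 1] != b"}":
            raise PHPUnserializeError("array not closed at offset %d" % pos)
        return result, pos + 1
    raise PHPUnserializeError("unsupported type %r at offset %d" % (tag, pos))


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MARKUP_RE = re.compile(r"<(iframe|script|object|embed)\b", re.I)


def _strings(value):
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(k)
            yield from _strings(v)


def triage_option(serialized, expected_hosts):
    """Return (decoded_value, findings) with findings = [(url, host, verdict), ...]."""
    decoded = php_unserialize(serialized)
    findings = []
    for text in _strings(decoded):
        if MARKUP_RE.search(text):
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname
                verdict = "expected host" if host in expected_hosts else "UNEXPECTED host"
                findings.append((url, host, verdict))
    return decoded, findings


def is_malformed(serialized):
    try:
        php_unserialize(serialized)
    except PHPUnserializeError:
        return True
    return False


# The value quoted in the post above (option_name bulletproof_security_options_vcheck).
POSTED_VALUE = ('a:1:{s:10:"bps_vcheck";s:102:"<iframe src="https://www.ait-pro.com/vcheck/" '
                'style="width:0;height:0;border:0;border:none;"></iframe>";}')

# Constructed counter-examples (not from the page): the same key carrying a
# script tag for another host, and a value whose declared length is wrong.
def _php_str(s):
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)

INJECTED_VALUE = 'a:1:{' + _php_str("bps_vcheck") + _php_str(
    '<script src="https://cdn.attacker.example/x.js"></script>') + '}'
MALFORMED_VALUE = 'a:1:{s:10:"bps_vcheck";s:5:"abcdef";}'

if __name__ == "__main__":
    for label, raw in (("posted", POSTED_VALUE), ("injected", INJECTED_VALUE)):
        print(label, triage_option(raw, {"www.ait-pro.com"})[1])
    print("malformed:", is_malformed(MALFORMED_VALUE))
```

Run against the posted value the only URL resolves to `www.ait-pro.com`, the plugin vendor's own host, which is the concrete reason it can be left alone; the same scan over an option pointing at an unfamiliar host, or one whose `s:` length no longer matches its payload, is what should prompt the full-account cleanup the reply above recommends.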

    #37076
    AITpro Admin
    Keymaster

    Actually, before you assume that ImmunifyAV has found a real infection, don’t do anything.  It is very possible that what ImmunifyAV found is a false positive.  Post what ImmunifyAV found or send the ImmunifyAV scan results to:  info at ait-pro dot com, so I can see if this is a false positive or a real infection.
