MScan – Troubleshooting, questions, problems and code posting


This topic contains 26 replies, has 7 voices, and was last updated by  AITpro Admin 2 weeks ago.

Viewing 12 posts - 16 through 27 (of 27 total)
  • #34157

    Tina Dubinsky
    Participant

    Hi. The weird thing is my host hasn’t disabled any files. The rest of BPS Pro works as per usual. I’ve run into a few other issues with them of late (old PHP and SQL versions that WordPress doesn’t work so well on), so I’ll most likely migrate away in the next few months.

    Cheers

    -Tina

    #35344

    Paul
    Participant

    Altered or unknown WP Core file

    <?php
    /**
     * The WordPress version string
     *
     * @global string $wp_version
     */
    $wp_version = '4.9.4';

    /**
     * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
     *
     * @global int $wp_db_version
     */
    $wp_db_version = 38590;

    /**
     * Holds the TinyMCE version
     *
     * @global string $tinymce_version
     */
    $tinymce_version = '4607-20180123';

    /**
     * Holds the required PHP version
     *
     * @global string $required_php_version
     */
    $required_php_version = '5.2.4';

    /**
     * Holds the required MySQL version
     *
     * @global string $required_mysql_version
     */
    $required_mysql_version = '5.0';

    $wp_local_package = 'en_GB';

    if (empty($name) && !is_numeric($name)) {
        return 'The cookie name must not be empty';
    }

    // Check if any of the invalid characters are present in the cookie name
    if (preg_match(
        '/[\x00-\x20\x22\x28-\x29\x2c\x2f\x3a-\x40\x5c\x7b\x7d\x7f]/',
        $name)
    ) {
        return 'Cookie name must not contain invalid characters: ASCII '
            . 'Control characters (0-31;127), space, tab and the '
            . 'following characters: ()<>@,;:\"/?={}';
    }

    // Value must not be empty, but can be 0
    $value = $this->getValue();
    if (empty($value) && !is_numeric($value)) {
        return 'The cookie value must not be empty';
    }

    $created = 0;
    if (isset($this->token['created'])) {
      $created = $this->token['created'];
    } elseif (isset($this->token['id_token'])) {
      // check the ID token for "iat"
      // signature verification is not required here, as we are just
      // using this for convenience to save a round trip request
      // to the Google API server
      $idToken = $this->token['id_token'];
      if (substr_count($idToken, '.') == 2) {
        $parts = explode('.', $idToken);
        $payload = json_decode(base64_decode($parts[1]), true);
        if ($payload && isset($payload['iat'])) {
          $created = $payload['iat'];
        }
      }
    }

    The last two (and several others) are from a plugin called wp-mail-smtp.

    #35345

    AITpro Admin
    Keymaster

    @ Paul – You can ignore all of these; they are false alerts. Select the Ignore File checkbox and click the Submit button.
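One way to settle an "Altered or unknown WP Core file" alert like the ones above is to compare the install against the official release manifest. This is an added example, not MScan's or BPS Pro's code; it uses the public WordPress.org checksums API and the version and locale the posted version.php declares (4.9.4, en_GB), since a localized build ships its own version.php and must be checked against its own locale's manifest. The three-file "release" at the bottom is constructed for the demo.

```python
import hashlib, json, os, urllib.request

def fetch_core_checksums(version, locale):
    """Official md5 manifest for one release from the WordPress.org API (network needed)."""
    url = f"https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
    with urllib.request.urlopen(url, timeout=30) as r:
        return json.load(r)["checksums"]

def load_tree(root):
    """Map relative paths under a WordPress root to file bytes."""
    tree = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                tree[os.path.relpath(p, root).replace(os.sep, "/")] = fh.read()
    return tree

def compare_core(tree, manifest):
    """'modified': hash differs from the release; 'missing': shipped but absent;
    'unknown': .php/.js under wp-admin/, wp-includes/ or the root that the release
    never shipped. wp-content/ (plugins, themes, uploads) is not core and is skipped."""
    report = {"modified": [], "missing": [], "unknown": []}
    for path, md5 in manifest.items():
        if path not in tree:
            report["missing"].append(path)
        elif hashlib.md5(tree[path]).hexdigest() != md5:
            report["modified"].append(path)
    for path in tree:
        in_core = path.startswith(("wp-admin/", "wp-includes/")) or "/" not in path
        if in_core and path not in manifest and path.endswith((".php", ".js")):
            if path != "wp-config.php":  # site-specific, never in the manifest
                report["unknown"].append(path)
    return report

# Constructed sample (not real release data): a three-file "release" and its manifest.
SAMPLE_RELEASE = {
    "wp-includes/version.php": b"<?php\n$wp_version = '4.9.4';\n$wp_local_package = 'en_GB';\n",
    "wp-admin/index.php": b"<?php\nrequire_once 'admin.php';\n",
    "wp-includes/load.php": b"<?php\nfunction wp_load() {}\n",
}
SAMPLE_MANIFEST = {p: hashlib.md5(c).hexdigest() for p, c in SAMPLE_RELEASE.items()}

def demo_report():
    """Site copy with one edited core file, one missing file and one dropped-in PHP file."""
    site = dict(SAMPLE_RELEASE)
    site["wp-admin/index.php"] += b"// edited\n"
    del site["wp-includes/load.php"]
    site["wp-includes/panel7.php"] = b"<?php\n"
    return compare_core(site, SAMPLE_MANIFEST)
```

On a real install, feed compare_core with fetch_core_checksums("4.9.4", "en_GB") and load_tree("/path/to/wordpress"). The manifest also lists the bundled default themes and Akismet, so "missing" entries under wp-content/ normally just mean those were removed.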

    #35690

    Tony Payne
    Participant

    I ran MSCAN for the first time today and I have a MAJOR problem!

    I ran the scan time test, it said about 90 seconds.  Ran the test, it was running ok, then this displayed:
    Error establishing a database connection
    This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down.

    • Are you sure you have the correct username and password?
    • Are you sure that you have typed the correct hostname?
    • Are you sure that the database server is running?

    If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.

    The odd thing is that it has taken down all 3 of my hosted WordPress sites:

    https://www.delovesto.com
    https://www.thelaughline.com
    https://www.squidblogs.com

    with the same database connection problem. All 3 are on the same hosted account, very low traffic, and not part of a multi-site WordPress installation.

    The databases are all accessible via phpMyAdmin, so intact, and the wp-config.php files appear to be unchanged.
    Any ideas as to what might have happened and how to resolve this please as all 3 sites are currently down?
    NOTE: I have also raised a ticket with the host (X10-Infinity) in case it’s something they might have done and not BPS Pro.

    #35691

    Tony Payne
    Participant

    Forget my previous post, X10-Infinity confirmed that some limiting of the account had taken place due to excess activity, I assume related to running the scan.   Seems all is now ok on all 3 sites.

    #35697

    AITpro Admin
    Keymaster

    @ Tony Payne – Some web hosts automatically kill the server/website if resources exceed the limitation imposed by the host.  That typically happens on VPS and Dedicated servers.  Shared hosting is designed with flexible buffers since resource usage will fluctuate drastically when there are many accounts/websites hosted on one server.

    #35754

    Margaret
    Participant

    Hope I’m posting in the correct section.

    Hi, my site was hacked prior to installing BPS Pro and I was able to delete all files and do a fresh reinstall.  But a whole bunch of my files have gone into quarantine.  I ran the scanner and here’s a sampling.  There are 64 files.

    I’m confused as to what to do.
    [the data has been deleted since it is unreadable]

    #35755

    AITpro Admin
    Keymaster

    I assume you were manually editing/installing/uploading files on your website and the files were quarantined?  See the AutoRestore|Quarantine Guide forum topic > Help section > AutoRestore|Quarantine Manual File Editing/Uploading Procedural Steps > https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/.  If that is not the answer you are looking for then please explain in exact details what you were doing when the files were quarantined.

    The MScan table data was deleted from your forum reply above because it was unreadable.  The general idea is that MScan will detect possible malicious code pattern matches and then you would need to select the View File Form checkbox option to view the code in the file to check it.  That is not going to do you any good if you do not know what you are looking at is good/bad/safe/malicious code.  😉  If you would like for me to login to your website and check the MScan form results then send a WordPress Administrator login for your website to:  info at ait-pro dot com.

    #35756

    Margaret
    Participant

    Thank you for the reply.  Yes, I installed a new theme this morning.  Just worried as I don’t know what I’m looking for.  I will send you the login.  Thanks so much!  🙂

    #35757

    AITpro Admin
    Keymaster

    Did you install the Theme by using the WordPress Theme installer on the WordPress Themes page or did you manually upload the Theme folder to your website?

    #35758

    Margaret
    Participant

    Sent you an email, but it was through the WordPress installer.

    #35759

    AITpro Admin
    Keymaster

    MScan has found multiple hacker files in several of your plugin folders.

    What you need to do is make a list of all of your plugins (you can use the BPS System Info > Get Plugins List button) and then delete all of the plugin folders in the WordPress /plugins/ folder and then reinstall all of your plugins again. By manually deleting the plugin folders you will not lose all of your plugin’s database option settings.

    The hacker files are in several plugin folders and have names like these below.
    It is better to completely delete all of your plugin folders under the /plugins/ folder instead of using the Delete feature in MScan since there may be more files in the plugin folders that MScan is not detecting because they do not contain any obvious hacker code.

    panel7.php
    panel9.php
    panel8.php
    dfpysadu.php
    xgduidbx.php
    mode-php.js

    Hopefully the hack is contained to only the /plugins/ folder, but you may want to consider the worst case scenario that your entire hosting account is still hacked.
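A helper for the reinstall procedure in the reply above: record each plugin's name and version from its header before the folders go, and move the folders out of the web root rather than deleting them, so the infected copies stay available for review. Added example, not BPS Pro code; the quarantine directory is whatever path you pass in, and the sample header at the bottom is constructed.

```python
import os, re, shutil

# WordPress's own header fields; the regex tolerates "/* ... */" and " * " comment prefixes.
HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version|Plugin URI):[ \t]*(.+?)[ \t\r]*$", re.M)

def parse_plugin_header(main_file_text):
    """Return name/version/uri from a plugin's main PHP file, or None if it has no header."""
    fields = dict(HEADER_RE.findall(main_file_text[:8192]))  # WordPress reads only the first 8 KB
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", ""),
            "uri": fields.get("Plugin URI", "")}

def inventory_plugins(plugins_dir):
    """One entry per plugin folder: slug, name, version and how many .php/.js files it holds,
    so the count after a clean reinstall can be compared with the count from the hacked copy."""
    entries = []
    for slug in sorted(os.listdir(plugins_dir)):
        folder = os.path.join(plugins_dir, slug)
        if not os.path.isdir(folder):
            continue
        entry = {"slug": slug, "name": None, "version": None, "files": 0}
        for d, _, files in os.walk(folder):
            for f in files:
                if f.endswith((".php", ".js")):
                    entry["files"] += 1
                if d == folder and f.endswith(".php") and entry["name"] is None:
                    with open(os.path.join(d, f), encoding="utf-8", errors="replace") as fh:
                        hdr = parse_plugin_header(fh.read(8192))
                    if hdr:
                        entry.update(name=hdr["name"], version=hdr["version"])
        entries.append(entry)
    return entries

def quarantine_plugins(plugins_dir, quarantine_dir):
    """Move every plugin folder out of the web root instead of deleting it, so the
    infected copies remain available for review; plugin settings live in the database
    and survive. Returns the inventory taken before the move."""
    inv = inventory_plugins(plugins_dir)
    os.makedirs(quarantine_dir, exist_ok=True)
    for entry in inv:
        shutil.move(os.path.join(plugins_dir, entry["slug"]),
                    os.path.join(quarantine_dir, entry["slug"]))
    return inv

# Constructed sample header (not a real plugin file) for checking the parser.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WP Mail SMTP\nPlugin URI: https://example.invalid/\nVersion: 1.2.3\n*/\n"
```

Run quarantine_plugins("/path/to/wp-content/plugins", "/path/outside/webroot/plugins-quarantine") and keep the returned list; it is the reinstall checklist.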

