plugin firewall and quarantine

    #35490
    Marsha Marrings
    Participant

    2 malware files were recently found. 1 in root dir was quarantined by bps, thank you. 1 in a plugins dir was not blocked. Wondering if I should include plugins directory in autorestore/quarantine config or how to configure plugins firewall properly.

    #35491
    AITpro Admin
    Keymaster

    How were the malware files found/detected?  By AutoRestore|Quarantine?  By MScan?  By something else?

    #35494
    Marsha Marrings
    Participant

    2 files were found by autorestore quarantine. The other, in the plugins dir, was found by manual inspection.

    #35495
    AITpro Admin
    Keymaster

    You can configure AutoRestore|Quarantine to check the plugins folder (all plugins files), but if you have a large number of plugins installed (50+ plugins installed) it is not recommended that you do that.  The Plugin Firewall protects the plugins folder from being accessed remotely/externally by anyone except for you (your current IP address).  So if the malicious file in the plugins directory was intended to be accessed remotely/externally by a hacker/hackerbot then it would already be blocked by the Plugin Firewall.  If on the other hand the malicious file was designed to work independently and do server-side writing then the Plugin Firewall would not protect against that type of code/attack vector.  I would need to see the malicious file’s code to be able to assess its capabilities.  If you still have the malicious file email it to info at ait-pro dot com so I can take a look at the code.  Typically most hacker/malicious files are designed to be accessed remotely/externally (90%).

    To allow/configure AutoRestore|Quarantine to monitor the WordPress plugins folder you would do these steps:
    1.  Go to AutoRestore > Exclude wp-content Folders tab page.
    2.  Delete “plugins” found in one of the Exclude wp-content Folders text box slots.
    3.  Click the Save Folder Exclude Rules button (automatically turns AutoRestore Off).
    4.  Go to the BPS Pro Setup Wizard page.
    5.  Click the Pre-Installation Wizard and Setup Wizard buttons. (backs up all plugin folders/files and turns AutoRestore On).

    #35505
    Marsha Marrings
    Participant

    Thank you for the instruction. I deleted the word plugins, then clicked save button. The screen refreshed and the word plugins displayed again, the box did not stay blank. Repeated a few times. Tried removing one of the other dirs with same result. Is there another method? I’d like all directories scanned.

    #35506
    AITpro Admin
    Keymaster

    If the BPS AutoRestore Exclude wp-content Folders form is not working then most likely the cause for that problem is Mod Security is enabled in your web host control panel.  Mod Security breaks various BPS forms, features and other things.  See this Mod Security forum topic for more information on what to do to fix Mod Security problems > https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/.  You may need to get your web host support folks involved in this problem.

    #35509
    Marsha Marrings
    Participant

    Thank you for your reply. Is there a manual edit of db or files which would allow autorestore/quarantine to scan plugin directory please?

    #35510
    AITpro Admin
    Keymaster

    Yes, you can do the very complicated manual steps below, but I recommend that you fix the Mod Security problem instead.  If Mod Security is breaking this particular AutoRestore form then most likely Mod Security is also breaking other BPS Pro plugin forms too.  😉

    1. Turn AutoRestore Off.
    2. The AutoRestore wp-content folder exclude rule DB setting option name is: bulletproof_security_options_exclude_folder
    This BPS option setting is in the WordPress wp_options database table.
    Edit this BPS option setting and change: s:18:"bpsexclude_input_1";s:7:"plugins"; to s:18:"bpsexclude_input_1";s:7:"";
    Notes: The “s” number values will be different and the input_ number value may be different. All that you are changing/editing is deleting the word [plugins] from the database option value. Important: Do not delete the double quotes around the “plugins” option value. Only delete the word [plugins].

    Do the same thing for the Form’s Label option value:
    Edit this BPS option setting and change: s:24:"bpsexclude_input_1_label";s:22:"Exclude plugins Folder"; to s:24:"bpsexclude_input_1_label";s:22:"Exclude Folder";. All that you are changing/editing is deleting the word [plugins] from the database option value.

    3. Use FTP and edit these 2 files:  /bulletproof-security/includes/class.php and /wp-content/bps-backup/master-backups/class.php

    This is difficult/tricky so you need to pay attention to the correct value to replace in this code, which is in both of the 2 files listed above. There are 3 different Classes in each of these 2 files.  You need to manually change the code in each of these 6 Classes in both files (3 Classes per file = 6 total Classes that need to be edited).  So you will be making a total of 6 different code edits.  The example code below is probably going to be different than the code you see in the 2 files above.  So the most important thing you need to pay attention to is the bps-hard-excludexxx number value. In the example code below I would change the 'plugins' value to:  bps-hard-exclude003 because 'plugins' comes right before this value: bps-hard-exclude004.  If the value after 'plugins' was:  bps-hard-exclude005 then the value that I would use for 'plugins' would be:  bps-hard-exclude004.  The value number system in this code and files goes in order from:  bps-hard-exclude001 to bps-hard-exclude020.

    class BPSCopyWPCRecursiveFilterIterator extends RecursiveFilterIterator {

        public static $FILTERS = array('uploads', 'upgrade', 'blogs.dir', 'bps-backup', 'w3tc', 'cache', 'plugins/si-captcha-for-wordpress/captcha/temp', 'plugins/jetpack', 'languages', 'mu-plugins', 'plugins', 'bps-hard-exclude004', 'bps-hard-exclude005', 'bps-hard-exclude006', 'bps-hard-exclude007', 'bps-hard-exclude008', 'bps-hard-exclude009', 'bps-hard-exclude010', 'bps-hard-exclude011', 'bps-hard-exclude012', 'bps-hard-exclude013', 'bps-hard-exclude014', 'bps-hard-exclude015', 'bps-hard-exclude016', 'bps-hard-exclude017', 'bps-hard-exclude018', 'bps-hard-exclude019', 'bps-hard-exclude020');

        public function accept() {
            return !in_array( $this->getSubPathName(), self::$FILTERS, true );
        }
    }

    After I have made edits to this 1 section of code it would look like this below. IMPORTANT: This is only 1 section of code in this example. There are a total of 6 sections of code. The edits will be identical for each of the 6 sections of code in the 6 total Classes (3 Classes in each file = 6 total sections of code Classes for both files).

    class BPSCopyWPCRecursiveFilterIterator extends RecursiveFilterIterator {

        public static $FILTERS = array('uploads', 'upgrade', 'blogs.dir', 'bps-backup', 'w3tc', 'cache', 'plugins/si-captcha-for-wordpress/captcha/temp', 'plugins/jetpack', 'languages', 'mu-plugins', 'bps-hard-exclude003', 'bps-hard-exclude004', 'bps-hard-exclude005', 'bps-hard-exclude006', 'bps-hard-exclude007', 'bps-hard-exclude008', 'bps-hard-exclude009', 'bps-hard-exclude010', 'bps-hard-exclude011', 'bps-hard-exclude012', 'bps-hard-exclude013', 'bps-hard-exclude014', 'bps-hard-exclude015', 'bps-hard-exclude016', 'bps-hard-exclude017', 'bps-hard-exclude018', 'bps-hard-exclude019', 'bps-hard-exclude020');

        public function accept() {
            return !in_array( $this->getSubPathName(), self::$FILTERS, true );
        }
    }

    4. After you have manually edited these 2 files > Very Important!!! Do not turn AutoRestore On manually on the AutoRestore page. You need to re-run the BPS Pro Wizards after making the edits to the 2 files. Click the Pre-Installation Wizard button and then the Setup Wizard button.
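
Added example (not part of the original thread and not BPS Pro code): step 2 above edits a PHP-serialized value by hand, and PHP's unserialize() rejects any string whose s:N prefix differs from the value's byte length, so the prefix has to change together with the text. The Python below makes the step 2 edit on a constructed sample value and recomputes the prefixes; the sample array layout, the function names and the assumption that no value contains a double quote are illustrative.

```python
import re

# Constructed sample (not a real site's data): a flat PHP-serialized array of
# string pairs, using the two entries quoted in the post plus one more slot.
SAMPLE = ('a:4:{s:18:"bpsexclude_input_1";s:7:"plugins";'
          's:24:"bpsexclude_input_1_label";s:22:"Exclude plugins Folder";'
          's:18:"bpsexclude_input_2";s:7:"uploads";'
          's:24:"bpsexclude_input_2_label";s:22:"Exclude uploads Folder";}')

# s:<len>:"<key>";s:<len>:"<value>";  Assumes no double quote inside a value.
PAIR = re.compile(rb's:(\d+):"([^"]*)";s:(\d+):"([^"]*)";')
SLOT = re.compile(rb'bpsexclude_input_\d+')

def php_str(raw: bytes) -> bytes:
    """Serialize bytes as a PHP string; the prefix is the length in bytes."""
    return b's:%d:"%s";' % (len(raw), raw)

def clear_excluded_folder(serialized: str, folder: str) -> str:
    """Blank the exclude slot holding `folder`, drop the folder name from its
    _label entry, and recompute the length prefix of everything rewritten."""
    data, name = serialized.encode(), folder.encode()
    slot = next((m.group(2) for m in PAIR.finditer(data)
                 if m.group(4) == name and SLOT.fullmatch(m.group(2))), None)
    if slot is None:
        raise ValueError(f"{folder!r} is not in any exclude slot")

    def rewrite(m):
        key, value = m.group(2), m.group(4)
        if key == slot:
            value = b""
        elif key == slot + b"_label":
            value = b" ".join(w for w in value.split() if w != name)
        return php_str(key) + php_str(value)

    return PAIR.sub(rewrite, data).decode()

def lengths_consistent(serialized: str) -> bool:
    """True when every s:N prefix equals its value's byte length."""
    pairs = re.findall(rb's:(\d+):"([^"]*)";', serialized.encode())
    return all(int(n) == len(s) for n, s in pairs)

if __name__ == "__main__":
    edited = clear_excluded_folder(SAMPLE, "plugins")
    print(edited)
    print("prefixes consistent:", lengths_consistent(edited))
```

Run lengths_consistent() on the value before saving it back to wp_options; back up the original option value first so it can be restored if the edit goes wrong.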
