Quarantine – Restore Files, Delete Files, View Files


  • #4988
    guy te watson
    Participant

    I have several files that keep getting Quarantined below. How can I tell if it is a bad file that needs to be Quarantined and deleted or if it is a file I need to restore?

    Thanks!
    guy te

    xmlrpc.php /home/xxxxxxxxx/public_html/xmlrpc.php 4/22/2013 20:34
    wp-comments-post.php /home/xxxxxxxxx/public_html/wp-comments-post.php 4/22/2013 20:34
    wp-links-opml.php /home/xxxxxxxxx/public_html/wp-links-opml.php 4/22/2013 20:34
    Apr-23-2013–03-34-02–wp-apps.php /home/xxxxxxxxx/public_html/wp-apps.php 4/22/2013 20:34
    Apr-23-2013–03-34-02–wp-count.php /home/xxxxxxxxx/public_html/wp-count.php 4/22/2013 20:34
    wp-var.php /home/xxxxxxxxx/public_html/wp-includes/wp-var.php 4/22/2013 20:34
    xmlrpc.php /home/xxxxxxxxx/public_html/xmlrpc.php 4/22/2013 20:35
    wp-comments-post.php /home/xxxxxxxxx/public_html/wp-comments-post.php 4/22/2013 20:35
    wp-links-opml.php /home/xxxxxxxxx/public_html/wp-links-opml.php 4/22/2013 20:35
    Apr-23-2013–03-35-48–wp-apps.php /home/xxxxxxxxx/public_html/wp-apps.php 4/22/2013 20:35
    wp-var.php /home/xxxxxxxxx/public_html/wp-includes/wp-var.php 4/22/2013 20:35
    xmlrpc.php /home/xxxxxxxxx/public_html/xmlrpc.php 4/22/2013 21:51
    wp-comments-post.php /home/xxxxxxxxx/public_html/wp-comments-post.php 4/22/2013 21:51
    wp-links-opml.php /home/xxxxxxxxx/public_html/wp-links-opml.php 4/22/2013 21:51
    Apr-23-2013–04-51-40–wp-apps.php /home/xxxxxxxxx/public_html/wp-apps.php 4/22/2013 21:51
    Apr-23-2013–04-51-40–wp-count.php /home/xxxxxxxxx/public_html/wp-count.php 4/22/2013 21:51
    wp-var.php /home/xxxxxxxxx/public_html/wp-includes/wp-var.php 4/22/2013 21:51
    #4992
    AITpro Admin
    Keymaster

    You would use the View File Option in Quarantine to view the contents of the file.  In general, if a file was sent to Quarantine while you were changing, updating, installing files on your website then you know with certainty that the file was sent to Quarantine for the obvious reason that you did not turn off AutoRestore while you were making changes to files on your website or you did not click the AutoRestore Backup Files buttons before turning AutoRestore back on.  If a file is sent to Quarantine and you were not doing anything then you should expect that that file is malicious/a hacker file.

    Please see the AutoRestore/Quarantine Guide posted here:  http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

    #18424
    Bob
    Participant

    Hi, in the thread #4992 you say: “You would use the View File Option in Quarantine to view the contents of the file.”
    Why, when I tick the View box next to the file and click Submit, do I just get a refresh of the screen, but with the quarantine box now blank except for the original buttons – certainly no ‘contents of the file’?
    Thanks
    Robert

    #18425
    AITpro Admin
    Keymaster

    What is the file name?  Does the file actually have any contents or is it blank/empty?  You can manually view the file by going to:  /wp-content/bps-backup/quarantine/ using FTP.  There is a known issue where a blank/empty auto_.htaccess file gets quarantined due to several automated things occurring at the same time and a blank auto_.htaccess file is sent to quarantine.
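
Added example (not part of the thread and not BPS Pro code): one way to triage files copied down from /wp-content/bps-backup/quarantine/ over FTP, flagging empty files and comparing the rest by SHA-256 against a pristine copy of the same WordPress release. The function names, the reference directory and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Timestamp prefix as displayed in the thread, e.g. "Oct-07-2014–17-16-32–auto_.htaccess".
# Accepting "--" as well as the en dash is an assumption about the on-disk name.
PREFIX = re.compile(r"^[A-Z][a-z]{2}-\d{2}-\d{4}(?:–|--)\d{2}-\d{2}-\d{2}(?:–|--)")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(quarantine_dir, reference_dir):
    """Map each quarantined file name to: empty, matches-reference, modified or unknown."""
    reference = {}  # file name -> set of hashes of pristine files with that name
    for ref in Path(reference_dir).rglob("*"):
        if ref.is_file():
            reference.setdefault(ref.name, set()).add(digest(ref))
    verdicts = {}
    for item in sorted(p for p in Path(quarantine_dir).iterdir() if p.is_file()):
        original = PREFIX.sub("", item.name)  # name without the quarantine timestamp
        if item.stat().st_size == 0:
            verdicts[item.name] = "empty"
        elif original not in reference:
            verdicts[item.name] = "unknown"  # no pristine file of that name: read it
        elif digest(item) in reference[original]:
            verdicts[item.name] = "matches-reference"
        else:
            verdicts[item.name] = "modified"  # same name, different content: read it
    return verdicts

def demo():
    """Run triage over constructed sample files (not real quarantine contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, quar = Path(tmp, "pristine"), Path(tmp, "quarantine")
        ref.mkdir()
        quar.mkdir()
        (ref / "xmlrpc.php").write_text("<?php // pristine sample\n")
        (ref / "wp-links-opml.php").write_text("<?php // pristine sample\n")
        (quar / "xmlrpc.php").write_text("<?php // pristine sample\n")
        (quar / "wp-links-opml.php").write_text("<?php // altered sample\n")
        (quar / "Oct-07-2014–17-16-32–auto_.htaccess").write_text("")
        (quar / "p3-profiler.php").write_text("<?php // plugin sample\n")
        return triage(quar, ref)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```

A matches-reference verdict fits the case described in post #4992, where a legitimate file was quarantined while files were being changed; modified and unknown files are the ones to open and read before restoring anything.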

    #18427
    Bob
    Participant

    The file names shown in the quarantine window are as follows:

    auto_.htaccess
    deleteme.wplcyj.php
    Oct-07-2014–17-16-32–auto_.htaccess
    p3-profiler.php
    deleteme.wpjytp.php
    deleteme.wpgbpz.php
    deleteme.wpogal.php
    deleteme.wpeu2i.php

    These are also shown in the appropriate bps-backup/quarantine folder for the site. I have viewed them and there is definitely a lot of content in each. Fortunately I can now see what they represent in terms of their origin – the deleteme files are from Installatron which is a bit of software used by my web host. The auto_.htaccess files are not blank in my case.

    So, I am stumped! If I can help further with anything then do let me know. Whilst I can now at least check the files via FTP, there does seem to be a bug?
    Thanks
    Bob

    #18428
    AITpro Admin
    Keymaster

    I cross referenced your Forum user account to get your BPS Pro account info so that I could check the frontend of your website domains for anything unusual that could be causing this issue/problem on your site(s).

    This website domain (domain name obfuscated):  darxxxxxxxxxxxxxxxxxxx.org.uk is showing a couple of 403 errors for some additional frontloading plugin scripts that need to be added/whitelisted in the Plugin Firewall whitelist text area.  Copy the 2 plugin script whitelist rules below to the Plugin Firewall whitelist text area and do the rest of the Plugin Firewall manual steps below.

    /clever-youtube-plugin/(.*).js, /thrive-visual-editor/editor/js/(.*).js

    Plugin Firewall Setup Steps When Manually Adding Plugin Scripts To The Plugins Script/File Whitelist Text Area
    1. Copy and paste plugin scripts/whitelist rules to the Plugins Script/File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    Ok now back to troubleshooting the Quarantine issue/problem on your website.  Do these troubleshooting steps:

    Try and use the Delete File option for ONLY the auto_.htaccess file.  Do NOT delete any other files in Quarantine.  If the Delete File option does not also work then I will need to login to this website to figure out what is causing problems for / breaking BPS Pro Quarantine Form options on your website.

    #18440
    Bob
    Participant

    Actually, the files in quarantine that I copied to you are on the Roxxxx.xxe.me domain, not the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk domain. I appreciate that the CleverYouTube Plugin is on the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk site though and also the ThriveVisualEditor too. In fact, neither of these is used in the Roxxxx.xxe.me domain.

    So, I did what you said regarding the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk site since it is running BulletProofPro plugin and I understand that it might affect other sites too. I left in the whitelist stuff that was already there:

     /clever-youtube-plugin/jquery-patch.js, /clever-youtube-plugin/cyp-client.js, /clever-youtube-plugin/the_library_iframe_contents.php, /thrive-visual-editor/editor/js/thrive_content_builder_frontend.min.js, 

    and added:

     /clever-youtube-plugin/(.*).js, /thrive-visual-editor/editor/js/(.*).js 

    as you suggested, followed by the other actions to set up the firewall.

    I then tried to delete the auto_.htaccess on the Roxxxx.xxe.me domain (interestingly, whilst there are quarantined files like the deleteme files in the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk domain, there is no auto_.htaccess file there). In fact I tried a couple of times but it refuses to delete. The display originally just shows: “Total number of Quarantined Files: 8” within the blue top and bottom bars. No files are listed. When you refresh the quarantine display the whole list of quarantined files shows again – including the auto_.htaccess.

    Perhaps you could let me know how I can send you the access details for the website in a secure manner. Do you have my email address?
    Many thanks for your time and patience,
    Bob

    #18441
    AITpro Admin
    Keymaster

    The Plugin Firewall issue on the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk site was a completely separate issue.  Each website has its own independent website security that does not affect other sites under your hosting account.

    I still see 403 errors for those plugin scripts.  Do this step first on the Daxxxxxxxxxxxxxxxxxxxxxxxct.org.uk site:  Select the Delete plugins htaccess File Radio button and then click the Activate button.  Replace/overwrite ALL of your existing Plugin Firewall rules in the Plugin Firewall Whitelist text area with these whitelist rules below.  Then do the rest of the Plugin Firewall setup steps.

    /clever-youtube-plugin/(.*).js, /clever-youtube-plugin/the_library_iframe_contents.php, /thrive-visual-editor/editor/js/(.*).js

    Back to the separate Quarantine issue:  Yep, I need to login and see what is breaking the Quarantine Form on this website.  Create a temporary Administrator login to this website and send that login info to:  edward at ait-pro dot com.
