SiteLock Scan – Infected files detected

    #32246
    Hannah
    Participant

    Hi. The scan results that were reported by the web host of one of my clients included 4 detections of this file or files (below). The final one was easy – it was contained in a backup file which I removed from the server. However, the other three are actually in BPS Pro files. I installed Pro on this site quite a while back, so I was surprised that the infection hadn’t shown up before (from something that might have pre-existed BPS Pro protection). In light of the fact that it didn’t, I have to assume that it’s a recent infection. However, I’m not sure how to clean these files of the malicious code and where to look for other malicious files on the server that might be responsible for the problem. Should I just delete/reinstall BPS Pro, or is there an easier, more efficient approach?

    Scan started at – Mon Jan 23 03:43:34 EST 2017
    /public_html/wp-content/plugins/bulletproof-security/admin/wizard/swizard-functions.php: SiteLock-PHP-FILEHACKER-md5-amte.UNOFFICIAL FOUND
    /public_html/wp-content/plugins/bulletproof-security/admin/core/core-forms.php: SiteLock-PHP-FILEHACKER-md5-amth.UNOFFICIAL FOUND
    /public_html/wp-content/plugins/bulletproof-security/includes/firewall-autopilot.php: SiteLock-PHP-FILEHACKER-md5-amtk.UNOFFICIAL FOUND
    /public_html/wp-content/updraft/backup_2017-01-20-1523_Silvia_Trujillo_d5b7e8227d6e-plugins.zip: SiteLock-PHP-FILEHACKER-md5-amtk.UNOFFICIAL FOUND

    #32248
    AITpro Admin
    Keymaster

    Send the files that SiteLock is detecting as infected to: info at ait-pro dot com, so I can check them.

    #32262
    Hannah
    Participant

    Thank you so much! I just downloaded, zipped, and sent them to you. Apologies for the delay. Looking forward to your opinion on these files.

    #32263
    AITpro Admin
    Keymaster

    Ok got the files and checked them and they are fine – they do not contain any malicious code.  The SiteLock scanner is malfunctioning. Scanners are designed to look for code pattern matches.  So obviously a code pattern matching rule that the SiteLock scanner is using is bad/invalid/fubar.  Notify SiteLock about their scanner malfunctioning and send them the BPS Pro files so they can figure out which SiteLock scanner pattern matching rule is fubar and fix that SiteLock scanner rule.

    #32264
    Hannah
    Participant

    Oh, I see how you are…Awesome!! What a relief. I’ll double check to see if Silvia has Sitelock in her account or if this was one of her host’s Sitelock scans but I will do my best to get the message back to them. I’ll post the files to the host so they can see for themselves that they are clean. Thank you so much.

    #32265
    AITpro Admin
    Keymaster

    Yep, all good.  I think over the past 6 years there has only been 1 time out of 100+ false reports by various scanners where something bad was actually detected.  Pretty much why we don’t bother creating a scanner for the BPS plugin.  Scanners are a good general checking tool, but since scanners are very easily beaten/fooled by hackers and there is a very high chance of false positive detections then it is not worth the time and trouble to bother with creating a scanner for BPS. 😉

    #32335
    Hannah
    Participant

    I thought I’d bring you up to date on this situation.

    Yesterday I spoke with two reps from Sitelock, one assigned to silviatrujillo.com and the other to kimnovakartist.com. I told them I was confident that Sitelock’s findings were false positives in both instances since I have such high regard for BPS Pro and its developers. They sounded a bit sceptical but seemed to accept your analysis that the files contained only your original code and no malware, indicating that they were most concerned that Ipower’s hosting policy would cause the sites to be taken down if we did not contact them and ask them to examine the files themselves.

    Therefore, I contacted Ipower about both accounts. The situation was over the head of the first rep I spoke with, so he escalated it to a higher level tech. I heard back from him this morning and he said he had rescanned both accounts and did not find any malware. Of course. He thanked me for removing the infected files, and I replied by saying that I had not removed any files, but that Sitelock’s scans had turned up false positives in both instances. Here is the text of his response, which was the same for both sites:

    ~~~~~~~~~~~~~~
    Hello Hanna,

    I have rescanned your account and did not find any malware content. Thank you for removing the infected files. Your account is clean from malware and active. Please check it from your end and let us know if you have additional query.

    If you have any further questions, please chat with us at http://www.ipower.com/chat/ .

    Sincerely,

    Dikshith S
    Technical Specialist
    ~~~~~~~~~~~~~~~~~~~
    Just as I was writing a comment to add to the forward of these emails to the Sitelock reps, who had requested that I let them know what Ipower’s response was, one of them called. I filled him in on the emails I had received, then went ahead and forwarded both emails to both reps so they would have all this on file. Here was my comment in the last one (which was similar to the first):
    ~~~~~~~~~~~~~~~

    Hello gentlemen,

    This is the second email I received from the tech to whom our question regarding the alleged malware found in BulletProof Security files was escalated. As with the first, he found them to be clean and thanked me for removing the infected files, though I did not remove anything.

    As I mentioned in my first email, he did not specify which of these emails was for the silviatrujillo.com account and which was for kimnovakartist.com.

    In case this one was for the kimnovakartist.com account, I should again mention that yesterday I installed the GOTMLS (Get Off That Malicious Software) security scanner on Ms. Novak’s website and did a complete scan of the entire public_html folder, and it did not find anything. I’ve found this one to be very good at finding files with malicious code in them. I have spoken with the developer and he is committed to updating his plugin with current malware definitions. I used it recently on an infected account of another client and it found 4 backdoor scripts and 14 files with malicious code! He makes it pretty easy to remove the malware by placing the infected files in quarantine and replacing them with files found in the repository with one click. When this happens, I leave the scanner plugin installed and monitor the site for some weeks afterward to make sure it remains clean, and so far I have not found any re-infections on sites I have cleaned using Eli’s plugin.

    I hope this information will help Sitelock to maintain its high standard of accuracy and effectiveness.

    Sincerely,

    Hannah West

    ~~~~~~~~~~~~~~~

    I want to thank you for your patience with these inquiries. I realize they challenge the effectiveness of the BPS Pro plugin and you as developers. Yet I have always felt confident in both BPS free and Pro and told Sitelock and Ipower so emphatically. I also told them that I had never had a site compromised after installing either one of your security plugins. I may have felt as vindicated as you when I saw these emails this morning!

    And, while I know you don’t hold security scanners in high regard, I do have to say that I have found the GOTMLS plugin by Eli Sheets (I believe that’s the correct surname) to be accurate and a useful tool for finding and removing malware from infected sites. He is committed to keeping it up to date with the latest malware definitions and so far I have not gotten false positives from it. Prior to installing BPS free or Pro onto an existing site, I scan it with GOTMLS and use it to clean up the site. I’ve had hosts rescan sites in several instances after doing this, and they have always turned up clean. I never feel I need it after installing BPS Pro, or even BPS free. Just FYI. I know you’re more interested in prevention, but Eli could be an ally-in-waiting. I respect both of you for your efforts to keep websites clean and secure, as both prevention and cure are important to me in the maintenance of about 50 websites, with new ones coming in all the time.

    So, have a great day and a fabulous weekend, and thank you so much once again for all you do!

    #32336
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account or database. Note: ARQ IDPS is still far superior to any/all malware scanners, including the BPS MScan Malware Scanner.

    Great!  Well I think GOTMLS is a great scanner, but what I know for a fact is that any scanner can be fooled/beaten.  The reason for that is hackers intentionally create particular files that contain only code that looks legitimate and that do not have any code that matches what scanners are designed to look for.  Typically scanners will find all the obvious hacker files that contain matching patterns that scanners are designed to look for, but the hacker file that is intentionally not detectable by any scanners is the “workhorse” hacker file that has the capability to create new hacker files automatically.  So you should not just rely on what any scanner does or does not find and not assume a scanner found everything.  The best method/approach is to use a scanner to find all the obvious hacker files/code and then manually visually check all folders throughout your entire hosting account and look for any files that should not be there or that look suspicious.  There is no need to check any WordPress folders or files and instead what you should do is take the site offline, delete all WordPress folders and files and then upload new WordPress folders and files.

    If we do ever create a scanner for BPS, it will have this disclaimer in BOLD TEXT:  “Scanning for malicious code or hacker files is the first step in cleaning up a website or hosting account that is already hacked.  Scanners are capable of finding all obvious hacker files and code, but are not capable of finding hidden hacker files that do not contain any obvious hacker code.  You need to do X, Y and Z after using this scanning tool.”
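As an added example (not code from this thread or from the BPS plugin), the check behind both AITpro replies above: comparing flagged plugin files against a clean copy of the same plugin version to confirm they are unmodified (#32263), and listing files that the clean copy does not ship at all, which is the “files that should not be there” step described in #32336. The directory names and file contents built in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each regular file under root (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(reference, installed):
    """Compare an installed plugin tree against a clean copy of the same version.

    modified: in both trees but content differs (inspect these by hand)
    extra:    only in the installed tree, i.e. files that should not be there
    missing:  only in the reference tree
    """
    ref, inst = manifest(reference), manifest(installed)
    return {
        "modified": sorted(p for p in ref.keys() & inst.keys() if ref[p] != inst[p]),
        "extra": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }


def demo():
    """Run the comparison on two constructed sample trees (not real plugin contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "clean-copy" / "bulletproof-security"
        inst = Path(tmp) / "site" / "bulletproof-security"
        for base in (ref, inst):
            (base / "admin" / "core").mkdir(parents=True)
            (base / "includes").mkdir()
            (base / "admin" / "core" / "core-forms.php").write_text("<?php // identical in both\n")
        (ref / "includes" / "firewall-autopilot.php").write_text("<?php // original\n")
        # Constructed: the installed copy has one appended line, so its hash no longer matches
        (inst / "includes" / "firewall-autopilot.php").write_text("<?php // original\n// appended\n")
        # Constructed: a file the clean copy does not ship at all
        (inst / "admin" / "core" / "unknown-file.php").write_text("<?php // not in clean copy\n")
        return compare_trees(ref, inst)
```

On a real site, point `reference` at a freshly downloaded copy of the same plugin version and `installed` at the plugin directory under wp-content/plugins; a flagged file that lands in neither list is byte-identical to the clean copy.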
