Wordfence scanner – File appears to be malicious warning

  • #36501
    Master Kim
    Participant

    I have two websites with pretty much the same configurations and settings, not just BPS Pro but all others. Actually, one of your employees has installed the BPS Pro plugin for both sites at the same time.
    When I scanned both sites with the Wordfence plugin, I got two different warnings, as below.

    If these are inaccurate or false warnings due to the conflicts between BPS and WordFence, I think the warning should have been identical but they are not.

    Would you please have a look at this and let me know what to do?

    Thank you for your kind help in advance.
    Site #1
    File appears to be malicious: wp-content/bps-backup/logs/http_error_log.txt
    Type: File
    Issue Found 2018년 9월 21일 03:12 AM
    Critical
    Filename: wp-content/bps-backup/logs/http_error_log.txt
    File Type: Not a core, theme, or plugin file from wordpress.org.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: eval($_REQUEST[1]);

    The infection type is: Backdoor:PHP/eval-i
    Description: A backdoor known as eval-i
    Site #2
    This file may contain malicious executable code: wp-content/plugins/bb-plugin-pro/includes/vendor/infusionsoft/xmlrpc-3.0/lib/xmlrpc.inc
    Type: File
    Issue Found 09/21/2018 4:39 AM
    Critical

    Filename: wp-content/plugins/bb-plugin-pro/includes/vendor/infusionsoft/xmlrpc-3.0/lib/xmlrpc.inc
    File Type: Not a core, theme, or plugin file from wordpress.org.
    Details: This file is a PHP executable file and contains the word “eval” (without quotes) and the word “base64_decode(” (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.

    #36502
    AITpro Admin
    Keymaster

    I sent an email reply to the email that you sent to us about these Wordfence Scanner false positives. Did you get this email reply below? If not, check your email Spam or Junk folder.  These are not conflicts.  All malware scanners scan for matching code patterns using a set of code patterns to match against.  That is why ALL malware scanners typically detect lots of false positives since “good code” patterns can match “bad code” patterns.  The code pattern matches will most likely be different on each of your websites unless of course the same hacker or spammer uses the same exact attacks against both websites.

    All you need to do regarding the BPS Security Log false positive is to tell Wordfence to ignore this false positive warning.  I’m not sure if you can tell Wordfence not to scan the BPS Pro Security Log file, but that would be the best thing to do if you can do that in Wordfence since Wordfence will continue to match any/all BPS Pro Security Log entries in the future.

    The BPS Pro http_error_log.txt file is the BPS Pro Security Log file. It logs blocked spammers and hackers and logs the attack strings used to attack your website. So Wordfence is just detecting the attack strings that were logged in the BPS Pro Security Log file. You can choose to ignore the BPS Pro Security Log file in Wordfence settings since this is a false positive/alarm.

    Contact the bb-plugin-pro plugin author and send him/her the Wordfence scan message so they can tell you if the Wordfence scan message is a false positive/alarm.
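
The pattern-matching behaviour described in the reply above, as an added example that is not part of either forum post and is not Wordfence or BPS Pro code: two simplified signatures modelled on the wording of the scan report are run over constructed sample text, and each hit is reported together with whether the file is one the server would run as PHP. The signature names, the extension list and both sample texts are assumptions of this example.

```python
import re

# Constructed sample inputs (not the contents of the real files in the report).
LOG_PATH = "wp-content/bps-backup/logs/http_error_log.txt"
LOG_SAMPLE = (
    "[constructed log entry] 403 GET request blocked\n"
    "QUERY_STRING: c=eval($_REQUEST[1]);\n"
)
VENDOR_PATH = ("wp-content/plugins/bb-plugin-pro/includes/vendor/"
               "infusionsoft/xmlrpc-3.0/lib/xmlrpc.inc")
VENDOR_SAMPLE = (
    "<?php\n"
    "// never eval() a decoded value\n"
    "$value = base64_decode($encoded);\n"
)

# Simplified stand-ins for the two detections quoted in the scan report.
SIGNATURES = {
    "eval-of-request": lambda t: re.search(r"eval\s*\(\s*\$_REQUEST\b", t) is not None,
    "eval+base64_decode": lambda t: "eval" in t and "base64_decode(" in t,
}

# Extensions treated as PHP code here (assumption; the real set depends on
# how the web server and the including code are configured).
EXECUTABLE_EXT = (".php", ".phtml", ".inc")


def triage(path, text):
    """Match every signature against text and add the context a reviewer needs."""
    hits = sorted(name for name, matches in SIGNATURES.items() if matches(text))
    executable = path.lower().endswith(EXECUTABLE_EXT)
    if not hits:
        verdict = "clean"
    elif executable:
        verdict = "code file: compare with the vendor's original copy"
    else:
        verdict = "data file: text is stored, not run, unless something executes or includes it"
    return {"path": path, "hits": hits, "executable": executable, "verdict": verdict}


if __name__ == "__main__":
    for path, text in ((LOG_PATH, LOG_SAMPLE), (VENDOR_PATH, VENDOR_SAMPLE)):
        result = triage(path, text)
        print(result["path"], result["hits"], result["verdict"], sep="\n  ")
```

The signatures only see text, so a logged attack string and a benign library that mentions both words both produce hits; the path and file type are what separate the two cases during review.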
