Host Virus Scan – Virus Detected Warning in BPS Security Log file


  • #31519
    Sebastian Schertel
    Participant

    Howdy!

    Quick question. I got this message from my host:

    >>>>

    You are receiving this automated email from our virus monitoring system.

    Your email address had been entered as the primary contact address for the respective account.

    * VIRUS FOUND *

    During a routine virus scan, our system has detected files containing malicious code on your account xyz (xyz). In order to protect the visitors of your website, we have renamed and blocked these files. You can find a list of the affected files on your FTP account under: /www/htdocs/xyz/logs/viren_log_2016-12-04.txt

    * ACTIONS TO BE TAKEN *

    We recommend instantly changing all of your passwords (FTP, KAS panel, mail accounts) and undertaking a thorough virus and malware check on your computer. Usually there has been unauthorized access to your account exploiting a security hole or a vulnerability in one of your scripts.

    1) Please update your CMS immediately!

    2) Check all folders on your webspace for infected files and assume that the scanner has not found all malware files!

    3) In the case that viruses have been detected repeatedly, please clear your webspace and completely reinstall your website(s). Cleaning up a once infected website is not possible and also not useful!

    4) If multiple viruses have been found, we reserve the right to completely lock your account for web access in order to protect the security and the integrity of our servers and to not compromise the visitors of your website.

    * HELP *

    – In the above-mentioned file you can find the timestamp when the affected file has been last changed.
    – Please check the hits on your account at that time using the FTP and access logs inside the subfolder “/logs/”.

    >>>>

    and this is in the virus.log (domain removed):

    02:53:09 Virus “php_obfus_409.UNOFFICIAL” found in file “/www/htdocs/xyz/xyz/wp-content/bps-backup/logs/http_error_log.txt” (chown: xyz:xyz | ctime: 2016-12-04 01:14:04 | mtime: 2016-12-04 01:14:04 | chmod: 644) -> File was renamed to “/www/htdocs/xyz/xyz/wp-content/bps-backup/logs/VIRUS_php_obfus_409.UNOFFICIAL_http_error_log.txt” and locked (chmod: 0)

    Since it's about a text file – is this just a logged event code that triggered the virus warning and can be ignored? None of the BPS warnings is going off and there are no new or changed files anywhere to be found (so far).

    Thanks for your help!

    Best regards,
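Following the host's own triage advice from the quoted email (take the flagged file's mtime, then look at the hits on the account around that time in the access log), here is an added example that is not code from the poster, the host or BPS: a parser for the scanner line format quoted above plus a function that picks out the access-log entries within a few minutes of that mtime. The Apache-style access-log lines, the IP addresses and the five-minute window are constructed assumptions, and the example assumes the scanner and the web server report the same local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the scanner line quoted in the post (account and domain already "xyz").
VIRUS_LOG_LINE = (
    '02:53:09 Virus "php_obfus_409.UNOFFICIAL" found in file '
    '"/www/htdocs/xyz/xyz/wp-content/bps-backup/logs/http_error_log.txt" '
    '(chown: xyz:xyz | ctime: 2016-12-04 01:14:04 | mtime: 2016-12-04 01:14:04 | chmod: 644) -> File was '
    'renamed to "/www/htdocs/xyz/xyz/wp-content/bps-backup/logs/VIRUS_php_obfus_409.UNOFFICIAL_http_error_log.txt" and locked (chmod: 0)'
)
# Constructed Apache combined-format lines standing in for the host's access log (not real traffic).
ACCESS_LOG = [
    '203.0.113.7 - - [04/Dec/2016:00:40:12 +0100] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Dec/2016:01:13:59 +0100] "POST /xmlrpc.php HTTP/1.1" 403 214 "-" "-"',
    '198.51.100.23 - - [04/Dec/2016:01:14:03 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"',
    '203.0.113.7 - - [04/Dec/2016:02:30:00 +0100] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

Q, NQ = '["\u201c\u201d]', '[^"\u201c\u201d]+'   # accept straight or curly quotes (forums rewrite them)
VIRUS_RE = re.compile(
    rf'^(?P<scan_time>\d\d:\d\d:\d\d) Virus {Q}(?P<signature>{NQ}){Q} found in file {Q}(?P<path>{NQ}){Q} '
    r'\(chown: (?P<owner>\S+) \| ctime: (?P<ctime>\S+ \S+) \| mtime: (?P<mtime>\S+ \S+) \| chmod: (?P<mode>\d+)\)'
)
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')
TS = "%Y-%m-%d %H:%M:%S"

def parse_virus_log_line(line):
    """Split one scanner line into named fields (ctime/mtime as datetimes); None if it does not match."""
    m = VIRUS_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ctime"], fields["mtime"] = (datetime.strptime(fields[k], TS) for k in ("ctime", "mtime"))
    return fields

def hits_near(access_lines, when, window_minutes=5):
    """Access-log entries within +/- window of `when` (assumes scanner and web server share one local clock)."""
    window, hits = timedelta(minutes=window_minutes), []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the UTC offset
        if abs(ts - when) <= window:
            hits.append((ts, m["ip"], m["request"], int(m["status"])))
    return hits

if __name__ == "__main__":
    flagged = parse_virus_log_line(VIRUS_LOG_LINE)
    print(flagged["path"], "modified", flagged["mtime"])
    for hit in hits_near(ACCESS_LOG, flagged["mtime"]):
        print(*hit)
```

In the constructed sample the only hits near the mtime are two blocked (403) POST requests, which is the pattern the admin's reply describes: the Security Log was written when BPS blocked those requests, and the request body it captured is what the scanner matched.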

    #31523
    AITpro Admin
    Keymaster

    The BPS Security Log has the capability to capture entire hacker scripts and log them in the Security Log if the Limit POST Request Body Data Security Log option checkbox is unchecked. So yes this may trigger a Host virus scanner to see the text in the Security Log file as a hacker file since the text is an actual hacker script, but in text format in a .txt file vs PHP or js in either .php or .js files. So you can either ignore this host scanner warning (CAUTION: your host may take action against your website/hosting account), but talk to them first and refer them to this forum topic, or you can just check the Limit POST Request Body Data Security Log option checkbox to prevent this issue from reoccurring.

    Limit POST Request Body Data
    The maximum Security Log Request Body Data capture/log limit is 250000 maximum characters, which is roughly about 250KB in size. The Limit POST Request Body Data checkbox option limits the maximum number of Request Body Data characters captured/logged in the Request Body logging field to 500 characters, which is roughly 5KB in size. The Limit POST Request Body Data checkbox is checked by default. You can capture/log entire hacking scripts if you uncheck the Limit POST Request Body Data checkbox (See Note below), but that means your log file size could increase dramatically and you could receive more automated Security Log zip file emails. If you are using email security protection on your computer then your zipped Security Log files may be seen as containing a virus (hacker script/code) and they could be automatically deleted by your email protection application on your computer. Your computer security protection software may also see the Security Log file as malicious and block it. If you do not want to capture/log entire hacker scripts/files/code in the Request Body logging field then keep the Limit POST Request Body Data checkbox checked. Note: To capture/log all POST Request Attacks against your website you will need to add the POST Request Attack Protection Bonus Custom Code. A link to that Bonus Custom Code is at the top of this Read Me help window. If you do not want to add the Bonus Custom Code then some, but not all POST Request Attacks will be captured/logged in the Security Log.

    #31564
    Sebastian Schertel
    Participant

    Alright, thank you very much.

    I looked at my sites where I got this warning and the Limit POST Request Body Data was already checked.

    I just saved again and will keep an eye on that. If it occurs again even though the option is checked I will inform you.

    Thanks so far. Great support. Great day.

    #31567
    AITpro Admin
    Keymaster

    I guess whatever your host scanner detected in the Security Log file was in the 500 characters of the captured data in the particular log entry.

    The Limit POST Request Body Data checkbox option limits the maximum number of Request Body Data characters captured/logged in the Request Body logging field to 500 characters, which is roughly 5KB in size.
