wp-config.php Via MSCAN


  • #41650
    Lex
    Participant

    This is the third install and mscan I have done as I migrate over from WordFence. This is the first fatal error I haven’t been able to undo.

    I did a new install of a site and after I got everything the way I wanted it, I ran MSCAN to make sure everything is clean so that I can run a backup and proceed. The MSCAN found two suspicious files:

    Suspicious File
    /home/xxxx/xxxx.org/wp-config.php
    Pattern Match: o0
    2022-03-21 01:13:00

    Suspicious File
    /home/xxxx/xxxxx.org/wp-admin/error_log
    File Hash: Altered or unknown WP Core file
    2022-03-21

    So I proceeded to delete the suspicious files because this is what I have been doing with the two previous installs with no problems. However, this time I got the WP configuration screen asking for language choice and database connection. It looked like my site was erased. However, I entered the database name and new password to connect, and this is the message I get:

    403 Forbidden Error

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    IP Address: xxx.x.xxx.xxxx

    BPS Pro Plugin 403 Error Page

    What did I do wrong here? I just deleted all suspicious files as I did before in the exact same hosting environment.

    Any way I can recover my work?

    #41651
    AITpro Admin
    Keymaster

    The reason I chose the word “suspicious” instead of “malicious” is that any file that is detected as suspicious should be checked.  And definitely checked manually before you delete the file.  Your wp-config.php file is critical and should not have been deleted.  There could be hacker code in your wp-config.php file.  So you would want to check the file contents to confirm that.  Without your wp-config.php file your website will not load.

    The first and best way to quickly get your site back up are these steps:
    Use FTP and rename the /bulletproof-security/ plugin folder to /_bulletproof-security/
    Go to the autorestore backup folder here:  /wp-content/bps-backup/autorestore/root-files/
    Copy the wp-config.php file to your WordPress installation folder.
    Your site should be loading normally again.
    Login and go to the Plugins page > that will deactivate BPS Pro automatically.
    Use FTP and rename the /_bulletproof-security/ plugin folder back to /bulletproof-security/
    Go to the BPS Pro Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

    #41654
    AITpro Admin
    Keymaster

    I will add a safety feature in the next BPS Pro version that will not allow the wp-config.php file to be deleted.

    #41655
    Lex
    Participant

    Thank you so much for your help. I was able to get everything working again! A safety feature would be great.

    #41657
    AITpro Admin
    Keymaster

    Great!  Glad to hear that.  I’m curious about what MScan detected as suspicious in the wp-config.php file.  Did you check your wp-config.php file contents to see if any suspicious or malicious code is in it? Pattern Match: o0 could match a Salt or DB connection information in a wp-config.php file, which would be a false positive match.

    #41666
    Lex
    Participant

    This is what it matched to:

    define( 'SECURE_AUTH_SALT', 'wcigccvrnnzkbh86z3fsapphkb8wtyruzo00mgaqq3ld2s6gyzbw54qoosguqoam' );

    #41667
    AITpro Admin
    Keymaster

    Yep, it is a false positive match in your Salt string. I will create an exclude rule for that. Thanks for letting me know this. Very much appreciated.

    #41678
    AITpro Admin
    Keymaster

    I have added a safety feature that will prevent the wp-config.php file from being deleted.  Adding an exclude rule for Salt strings in the wp-config.php file creates an exploitable loophole.  So will not be adding an exclude rule for that.  You can either ignore the wp-config.php file from future scans or replace your Salt strings using the help info in the wp-config.php file for how to do that.  It’s going to be very rare that MScan pattern matching code matches Salt strings.
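
Added example (not part of the thread, and not BPS Pro or MScan code): a read-only triage helper that shows where a reported pattern matches in a flagged wp-config.php before anything is deleted. It assumes the reported pattern ("o0") is a literal substring, since the thread does not show MScan's matching logic; the sample file content and the function name `triage` are constructed for illustration.

```python
import re

# The eight key/salt constants WordPress defines in wp-config.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# A line that is exactly one define( 'NAME', 'value' ); and nothing else.
SALT_DEFINE = re.compile(
    r"""^\s*define\(\s*(['"])(?P<name>%s)\1\s*,\s*(['"])(?P<value>[^'"\\]*)\3\s*\);\s*$"""
    % "|".join(SALT_NAMES))

def triage(text, pattern):
    """Return (line_no, verdict, line) for every line containing `pattern`.

    verdict is "salt-value" only when the whole line is a single key/salt
    define and the pattern occurs nowhere except inside the quoted value.
    Everything else is "review": read it by hand before acting.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if pattern not in line:
            continue
        verdict = "review"
        m = SALT_DEFINE.match(line)
        if m:
            # Text of the line with the quoted value cut out.
            rest = line[:m.start("value")] + line[m.end("value"):]
            if pattern in m.group("value") and pattern not in rest:
                verdict = "salt-value"
        findings.append((no, verdict, line.strip()))
    return findings

# Constructed sample content, not taken from any real site.
SAMPLE = """<?php
define( 'DB_NAME', 'exampledb' );
define( 'SECURE_AUTH_SALT', 'kq3o0zt7vbn2' );
define( 'NONCE_SALT', 'abo0cd' ); include $extra;
$o0 = 'placeholder';
"""

if __name__ == "__main__":
    for no, verdict, line in triage(SAMPLE, "o0"):
        print(f"{no:>3}  {verdict:<10}  {line}")
```

A line that only starts like a salt define but carries anything after the closing `);` is reported as "review", so a match is never dismissed just because a salt constant appears on the line.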
