BulletProof Security
[resolved] bulletproof-security/admin/options.php reporting as malware (9 posts)

  1. The Hack Repair Guy
    Posted 3 years ago #

    Starting last couple days, this update you have made to BBS has caused all kinds of alarms to go off on all our servers.

    Please consider amending this file such that when a host does malware scans the file does not report as a hacker file.

    # Known exploit = [Fingerprint Match] [Exploited .htaccess [P0176]]:



  2. AITpro
    Plugin Author

    Posted 3 years ago #

    All the coding in the .htaccess file is legitimate and valuable coding so what i actually need to know is why the scanner is seeing it as malicious coding because it is of course not malicious and is of course valid code. Can you get me the details of the exact coding that this scanner is misinterpreting as malicious coding? Thanks.

  3. The Hack Repair Guy
    Posted 3 years ago #

    Compare the .htaccess format generated by BPS "today"
    with the one that was generated "last week"

    Whatever you changed in past week is what we'll want to focus on.

    Once we know what changed we can track down why the new entries are being marked as malicious.

    It's quite a mess. Hundreds of installations of BPS all sounding alarms they've been hacked. :(

  4. AITpro
    Plugin Author

    Posted 3 years ago #

    Please see this thread >>> http://wordpress.org/support/topic/bulletproof-security0475-not-working?replies=13

    The Code Format was changed to UNIX LF when generating .htaccess files, which is the correct format so that Control M characters do not cause problems for folks with Mac based Servers. Are you using NGINX by any chance?

  5. The Hack Repair Guy
    Posted 3 years ago #

    Not using NGINX for this conversation.
    We use a number of different scanning tools, and not just one scanning system. Alarms all over the place is all I'm saying...

  6. AITpro
    Plugin Author

    Posted 3 years ago #

    But actually more likely is that this does not have to do with the Code Format and has to do with the .htaccess code itself.

    These 3 areas of the root .htaccess file have this new code added to it.

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    RewriteCond %{HTTP_REFERER} !^.*example.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]
    # This is a better approach to blocking Comment Spammers so that you do not
    # accidentally block good traffic to your website. You can add additional
    # Comment Spammer IP addresses on a case by case basis below.
    # Searchable Database of known Comment Spammers http://www.stopforumspam.com/
    <FilesMatch "^(wp-comments-post\.php)">
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
  7. AITpro
    Plugin Author

    Posted 3 years ago #

    Did you find the code line that the scanner is seeing as a threat in the options.php file?

    # Known exploit = [Fingerprint Match] [Exploited .htaccess [P0176]]:

    This exploit message above does not give me anything to reference since this error is specific to whatever scanner you are using. Could it be as simple as the scanner sees the known deviant IP addresses in the options.php file and is triggered by that? I have gone through the options.php file and since the scanner is saying it has to do with .htaccess coding then the outputted code I posted is going to be pretty much identical to the .htaccess code in the options.php file, which is in a variable that is written using fwrite to output the code to the .htaccess file.

  8. The Hack Repair Guy
    Posted 3 years ago #

    Was hoping you could provide here what's changed within the .htaccess settings for BPS in the past week.

    That would make the "what" a lot easier to figure out.

  9. AITpro
    Plugin Author

    Posted 3 years ago #

    I did already. That is what i posted above. The options.php file stores the .htaccess code in a variable as a string. The .htaccess code that i posted is that outputted .htaccess code after it has been written to the .htaccess file using frwrite.

    Can you tell me what P0176 means or the name of the scanner so that i can look that up? I have already done Google searches and P0176 only brings up car part numbers. ;) And of course variations of the message and still more car parts.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic


No tags yet.