Support » Plugin: BulletProof Security » bulletproof-security/admin/options.php reporting as malware

  • Plugin Author AITpro


    All the coding in the .htaccess file is legitimate and valuable coding so what I actually need to know is why the scanner is seeing it as malicious coding because it is of course not malicious and is of course valid code. Can you get me the details of the exact coding that this scanner is misinterpreting as malicious coding? Thanks.

    Compare the .htaccess format generated by BPS “today”
    with the one that was generated “last week”

    Whatever you changed in past week is what we’ll want to focus on.

    Once we know what changed we can track down why the new entries are being marked as malicious.

    It’s quite a mess. Hundreds of installations of BPS all sounding alarms they’ve been hacked. 🙁

    Plugin Author AITpro


    Please see this thread >>>

    The Code Format was changed to UNIX LF when generating .htaccess files, which is the correct format so that Control M characters do not cause problems for folks with Mac based Servers. Are you using NGINX by any chance?

    Not using NGINX for this conversation.
    We use a number of different scanning tools, and not just one scanning system. Alarms all over the place is all I’m saying…

    Plugin Author AITpro


    But actually more likely is that this does not have to do with the Code Format and has to do with the .htaccess code itself.

    These 3 areas of the root .htaccess file have this new code added to it.

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    RewriteCond %{HTTP_REFERER} !^.** [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]

    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.**
    RewriteRule . - [S=1]

    # This is a better approach to blocking Comment Spammers so that you do not
    # accidentally block good traffic to your website. You can add additional
    # Comment Spammer IP addresses on a case by case basis below.
    # Searchable Database of known Comment Spammers
    <FilesMatch "^(wp-comments-post\.php)">
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
    </FilesMatch>

    Plugin Author AITpro


    Did you find the code line that the scanner is seeing as a threat in the options.php file?

    # Known exploit = [Fingerprint Match] [Exploited .htaccess [P0176]]:

    This exploit message above does not give me anything to reference since this error is specific to whatever scanner you are using. Could it be as simple as the scanner sees the known deviant IP addresses in the options.php file and is triggered by that? I have gone through the options.php file and since the scanner is saying it has to do with .htaccess coding then the outputted code I posted is going to be pretty much identical to the .htaccess code in the options.php file, which is in a variable that is written using fwrite to output the code to the .htaccess file.

    Was hoping you could provide here what’s changed within the .htaccess settings for BPS in the past week.

    That would make the “what” a lot easier to figure out.

    Plugin Author AITpro


    I did already. That is what I posted above. The options.php file stores the .htaccess code in a variable as a string. The .htaccess code that I posted is that outputted .htaccess code after it has been written to the .htaccess file using fwrite.

    Can you tell me what P0176 means or the name of the scanner so that I can look that up? I have already done Google searches and P0176 only brings up car part numbers. 😉 And of course variations of the message and still more car parts.
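
The comparison suggested earlier in the thread (today's generated .htaccess against last week's), combined with the CRLF-to-LF format change the plugin author mentions, as an added example that is not part of the original thread or of BulletProof Security. It reports line-ending changes separately from directive changes; the function name and the sample file contents are constructed for illustration.

```python
import difflib


def classify_change(old: bytes, new: bytes) -> dict:
    """Compare two generations of a .htaccess file.

    Line-ending changes (CRLF vs LF) are reported separately from changes
    to the directive text, so a format-only change is not mistaken for
    new rules when triaging a scanner alert.
    """
    def eol(data: bytes) -> str:
        crlf = data.count(b"\r\n")
        lf = data.count(b"\n") - crlf  # bare LF endings only
        if crlf and lf:
            return "mixed"
        if not crlf and not lf:
            return "none"
        return "CRLF" if crlf else "LF"

    def lines(data: bytes) -> list[str]:
        # splitlines() treats \r\n and \n alike; rstrip drops trailing spaces
        text = data.decode("utf-8", "replace")
        return [line.rstrip() for line in text.splitlines()]

    added, removed = [], []
    for entry in difflib.ndiff(lines(old), lines(new)):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    return {
        "old_eol": eol(old),
        "new_eol": eol(new),
        "format_only": old != new and not added and not removed,
        "added": added,
        "removed": removed,
    }


# Constructed sample input: an older file with CRLF endings, the same file
# rewritten with LF endings, and an LF file with one extra condition.
LAST_WEEK = (b"RewriteCond %{REQUEST_METHOD} POST\r\n"
             b"RewriteRule .* - [F]\r\n")
TODAY_LF_ONLY = LAST_WEEK.replace(b"\r\n", b"\n")
TODAY = (b"RewriteCond %{REQUEST_METHOD} POST\n"
         b"RewriteCond %{HTTP_USER_AGENT} ^$\n"
         b"RewriteRule .* - [F]\n")

if __name__ == "__main__":
    print(classify_change(LAST_WEEK, TODAY_LF_ONLY))
    print(classify_change(LAST_WEEK, TODAY))
```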
