Title: bulletproof-security/admin/options.php reporting as malware
Last modified: August 20, 2016

---

# bulletproof-security/admin/options.php reporting as malware

 *  Resolved [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/)
 * Starting in the last couple of days, this update you have made to BPS has caused
   all kinds of alarms to go off on all our servers.
 * Please consider amending this file such that when a host does malware scans the
   file does not report as a hacker file.
 * `# Known exploit = [Fingerprint Match] [Exploited .htaccess [P0176]]:`
 * Thanks,
    Jim
 * [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139573)
 * All the coding in the .htaccess file is legitimate and valuable coding, so what
   I actually need to know is why the scanner is seeing it as malicious coding, because
   it is of course not malicious and is of course valid code. Can you get me the
   details of the exact coding that this scanner is misinterpreting as malicious
   coding? Thanks.
 *  Thread Starter [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139577)
 * Compare the .htaccess format generated by BPS “today” with the one that was
   generated “last week”.
 * Whatever you changed in past week is what we’ll want to focus on.
 * Once we know what changed we can track down why the new entries are being marked
   as malicious.
 * It’s quite a mess. Hundreds of installations of BPS all sounding alarms they’ve
   been hacked. 🙁
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139594)
 * Please see this thread >>> [http://wordpress.org/support/topic/bulletproof-security0475-not-working?replies=13](http://wordpress.org/support/topic/bulletproof-security0475-not-working?replies=13)
 * The Code Format was changed to UNIX LF when generating .htaccess files, which
   is the correct format so that Control M characters do not cause problems for 
   folks with Mac based Servers. Are you using NGINX by any chance?
 *  Thread Starter [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139596)
 * Not using NGINX for this conversation. We use a number of different scanning
   tools, and not just one scanning system. Alarms all over the place is all I’m
   saying…
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139598)
 * But actually more likely is that this does not have to do with the Code Format
   and has to do with the .htaccess code itself.
 * These 3 areas of the root .htaccess file have this new code added to it.
 *     ```
       # FORBID EMPTY REFFERER SPAMBOTS
       RewriteCond %{REQUEST_METHOD} POST
       RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
       RewriteCond %{HTTP_REFERER} !^.*example.com.* [OR]
       RewriteCond %{HTTP_USER_AGENT} ^$
       RewriteRule .* - [F]
   
       RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteCond %{HTTP_REFERER} ^.*example.com.*
       RewriteRule . - [S=1]
   
       # FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE
       # This is a better approach to blocking Comment Spammers so that you do not
       # accidentally block good traffic to your website. You can add additional
       # Comment Spammer IP addresses on a case by case basis below.
       # Searchable Database of known Comment Spammers http://www.stopforumspam.com/
   
       <FilesMatch "^(wp-comments-post\.php)">
       Order Allow,Deny
       Deny from 46.119.35.
       Deny from 46.119.45.
       Deny from 91.236.74.
       Deny from 93.182.147.
       Deny from 93.182.187.
       Deny from 94.27.72.
       Deny from 94.27.75.
       Deny from 94.27.76.
       Deny from 193.105.210.
       Deny from 195.43.128.
       Deny from 198.144.105.
       Deny from 199.15.234.
       Allow from all
       </FilesMatch>
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139711)
 * Did you find the code line that the scanner is seeing as a threat in the
   options.php file?
 * `# Known exploit = [Fingerprint Match] [Exploited .htaccess [P0176]]:`
 * This exploit message above does not give me anything to reference since this 
   error is specific to whatever scanner you are using. Could it be as simple as
   the scanner sees the known deviant IP addresses in the options.php file and is
   triggered by that? I have gone through the options.php file and since the scanner
   is saying it has to do with .htaccess coding then the outputted code I posted
   is going to be pretty much identical to the .htaccess code in the options.php
   file, which is in a variable that is written using fwrite to output the code 
   to the .htaccess file.
 *  Thread Starter [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139713)
 * Was hoping you could provide here what’s changed within the .htaccess settings
   for BPS in the past week.
 * That would make the “what” a lot easier to figure out.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139715)
 * I did already. That is what I posted above. The options.php file stores the
   .htaccess code in a variable as a string. The .htaccess code that I posted is
   that outputted .htaccess code after it has been written to the .htaccess file
   using fwrite.
 * Can you tell me what P0176 means or the name of the scanner so that I can look
   that up? I have already done Google searches and P0176 only brings up car part
   numbers. 😉 And of course variations of the message and still more car parts.
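
The comparison the thread asks for (last week's generated .htaccess against today's), as an added example that is not part of any post above or of BulletProof Security's own code. It normalises line endings first, so a CRLF-to-LF format change is reported separately from newly added directives. The baseline sample is constructed; the added lines are copied from the block posted above.

```python
import difflib

def eol_style(data: bytes) -> str:
    """Report which line-ending convention a file uses."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf
    if crlf and lf:
        return "mixed"
    return "CRLF" if crlf else "LF" if lf else "none"

def normalise(data: bytes) -> list:
    """Decode, convert CRLF/CR to LF and strip trailing whitespace per line."""
    text = data.decode("utf-8", errors="replace")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return [line.rstrip() for line in text.split("\n")]

def compare(old: bytes, new: bytes) -> dict:
    """Separate a pure line-ending change from added or removed rules."""
    a, b = normalise(old), normalise(new)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed += [ln for ln in a[i1:i2] if ln]
        if tag in ("replace", "insert"):
            added += [ln for ln in b[j1:j2] if ln]
    is_comment = lambda ln: ln.lstrip().startswith("#")
    return {
        "eol_old": eol_style(old),
        "eol_new": eol_style(new),
        # Bytes differ but the normalised lines are identical
        "whitespace_only": old != new and a == b,
        "added_directives": [ln for ln in added if not is_comment(ln)],
        "added_comments": [ln for ln in added if is_comment(ln)],
        "removed": removed,
    }

# Constructed baseline ("last week"), written with CRLF line endings
OLD = b"RewriteEngine On\r\nRewriteBase /\r\n"
# Same rules re-saved with LF only: a format change, no new rules
SAME_LF = b"RewriteEngine On\nRewriteBase /\n"
# "Today": LF endings plus lines taken from the block posted in the thread
NEW = SAME_LF + (b"# FORBID EMPTY REFFERER SPAMBOTS\n"
                 b"RewriteCond %{REQUEST_METHOD} POST\n"
                 b"RewriteCond %{HTTP_USER_AGENT} ^$\n"
                 b"RewriteRule .* - [F]\n")

if __name__ == "__main__":
    for label, candidate in (("format only", SAME_LF), ("new rules", NEW)):
        print(label, compare(OLD, candidate))
```

The `added_directives` and `added_comments` lists are the lines worth handing to the scanner vendor when asking which fingerprint matched.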


The topic ‘bulletproof-security/admin/options.php reporting as malware’ is closed
to new replies.

 * 8 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [13 years, 6 months ago](https://wordpress.org/support/topic/bulletproof-securityadminoptionsphp-reporting-as-malware/#post-3139715)
 * Status: resolved