X-Cart: shopping cart software


kevinrm 09-23-2014 07:02 PM

BCSE Point of Sale files show false positive when scanned for malware..
 
This is a warning to those who may be using the BCSE Point-Of-Sale mod. My well-secured site had recently started sending out spam; this was detected by CSF Firewall installed on my dedicated server. After a thorough scan of the server using Maldetect for Linux, it was traced back to BCSE files supplied for the Point-of-Sale mod. I am running X-Cart 4.6.4 and was using the mod for version 4.5x (it still worked fine in version 4.6.4). When I contacted BCSE, they said I need to upgrade to the latest version. Huh? Anyway, I did that. Here we are a few days later and once again, their files show up as malware after a scan. Only their files, no others on my entire site. So I *highly* recommend anyone here using this mod to run a maldetect scan and verify this is not occurring with files supplied by them.

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 092414-0317.4115
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/admin/bcse_point_of_sale.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/sessions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.conf.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/adpm.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/init.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/pos.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/hosted_return.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/products.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/payment.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/display_page.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/order.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/config.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/configuration.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cc.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.js.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/customer.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

cflsystems 09-23-2014 07:11 PM

Re: BCSE Point of Sale files infected with Malware...
 
These files are encoded with base64. The malware scan you are running will report them as malware even though they are not, just because malware is usually encoded this way. Your options are either to disregard this or ask BCSE to provide you with ionCube encrypted files.

totaltec 09-23-2014 11:14 PM

Re: BCSE Point of Sale files infected with Malware...
 
Steve is right on; it is not malware, just a poor encryption method. Encrypted files strike again! :-)

kevinrm 09-23-2014 11:48 PM

Re: BCSE Point of Sale files infected with Malware...
 
Okay, my bad if this is a false positive. BCSE files are the only ones showing like this now.

ITVV 09-24-2014 12:20 AM

Re: BCSE Point of Sale files infected with Malware...
 
Wow, I am amazed that BCSE (a well-respected company - I have some of their great mods) do not / may not use ionCube 8O

Kind regards

ITVV

BCSE 09-24-2014 09:40 AM

Re: BCSE Point of Sale files infected with Malware...
 
We have been working on ioncube for a while. But you good customers keep us so busy we have a hard time working on internal items! :)


It is in progress and has been something I've wanted to do. Should have it done soon I hope. Getting a few clients here and there with their servers now checking for the encoding techniques we currently use.

It's something very embedded in our order distribution systems and we don't want to make it live without a lot of testing, as we wouldn't want to take down anyone's site over a new encryption technique. Drop us an email if you'd like to be a beta tester.

Thanks,

Carrie

kevinrm 09-25-2014 01:45 AM

Re: BCSE Point of Sale files infected with Malware...
 
Maldetect, a very common malware detection program, will show false positives on the current BCSE files. To make it not do that, you have to edit this file on your server:

/usr/local/maldetect/ignore_paths

and add the path to the BCSE files:

/home/user/public_html/modules/BCSE_Point_of_Sale
/home/user/public_html/admin/bcse_point_of_sale.php

The only problem with this would be the rare case where actual malware files were somehow put into that directory, they wouldn't be detected. I don't see that happening, but it could.
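
An alternative to whitelisting the whole directory in ignore_paths, added here as an example and not code from the thread, from BCSE or from maldet: record a SHA-256 baseline of the vendor's files once they are known to be clean, then re-check it on a schedule so that a modified, missing or newly dropped file in that directory is still flagged. The directory and file names below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread, from BCSE or from maldet: a SHA-256
# baseline of the module directory as an alternative to listing it in
# /usr/local/maldetect/ignore_paths. All paths and files below are constructed.

# make_baseline DIR BASELINE: record the SHA-256 of every regular file under DIR.
# BASELINE must be an absolute path because the hashing runs inside DIR.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum ) > "$2"
}

# check_baseline DIR BASELINE: report modified, missing and new files.
# Returns 0 only when DIR matches the baseline exactly.
check_baseline() {
    dir="$1"; baseline="$2"; status=0
    # Modified or deleted files: sha256sum -c prints "path: FAILED" for each.
    ( cd "$dir" && sha256sum -c --quiet "$baseline" 2>/dev/null ) || status=1
    # New files: present on disk now but absent from the baseline.
    known=$(mktemp); now=$(mktemp)
    cut -c67- "$baseline" | LC_ALL=C sort > "$known"   # path follows 64 hex chars + 2 spaces
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) > "$now"
    if [ -n "$(comm -13 "$known" "$now")" ]; then
        comm -13 "$known" "$now" | sed 's/$/: NEW FILE (not in baseline)/'
        status=1
    fi
    rm -f "$known" "$now"
    return $status
}

# demo: build a constructed module directory, baseline it, then tamper with it.
# Returns 0 when the clean copy passes and the tampered copy is flagged.
demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf '<?php // constructed vendor file\n' > "$d/pos.php"
    printf '<?php // constructed vendor file\n' > "$d/functions.php"
    make_baseline "$d" "$b"
    check_baseline "$d" "$b" > /dev/null || return 1   # untouched copy must pass
    printf '// modified line\n' >> "$d/pos.php"        # simulated modification
    printf '<?php // unexpected\n' > "$d/extra.php"    # simulated new file
    if check_baseline "$d" "$b"; then return 1; fi    # must now be flagged
    rm -rf "$d" "$b"
    return 0
}

demo && echo "baseline check: clean copy passed, tampered copy flagged"
```

Run make_baseline once against the freshly installed module, store the baseline outside the web root, and schedule check_baseline from cron so that a FAILED or NEW FILE line is seen even though maldet itself is ignoring the path.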

DanUK 09-25-2014 10:47 PM

Re: BCSE Point of Sale files show false positive when scanned for malware..
 
Firetank's Marketing Manager also does this; it is a false positive. I would be wary about ignoring paths on the server, just in case and as unlikely as it may seem. I'd rather have a false positive than not know.
