#1
BCSE Point of Sale files show false positive when scanned for malware..
This is a warning to those who may be using the BCSE Point-Of-Sale mod. My well-secured site had recently started sending out spam; this was detected by CSF Firewall installed on my dedicated server. After a thorough scan of the server using Maldetect for Linux, it was traced back to BCSE files supplied for the Point-of-Sale mod. I am running X-Cart 4.6.4 and was using the mod for version 4.5x (it still worked fine in version 4.6.4). When I contacted BCSE, they said I need to upgrade to the latest version. Huh? Anyway, I did that. Here we are a few days later and once again, their files show up as malware after a scan. Only their files, no others on my entire site. So I *highly* recommend anyone here using this mod to run a Maldetect scan and verify this is not occurring with files supplied by them.
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 092414-0317.4115
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/admin/bcse_point_of_sale.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/sessions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.conf.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/adpm.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/init.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/pos.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/hosted_return.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/products.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/payment.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/display_page.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/order.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/config.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/configuration.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cc.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.js.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/customer.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
__________________
X-Cart 5.4.1.39 Live PHP 7.4.33 5.5.5-10.3.38-MariaDB MariaDB Apache 2.4 CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT 32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
#2
Re: BCSE Point of Sale files infected with Malware...
These files are encoded with base64. The malware scan you are running will report them as malware even though they are not, just because malware is usually encoded this way. Your options are either to disregard this or ask BCSE to provide you with ionCube-encrypted files.
__________________
Steve Stoyanov CFLSystems.com Web Development
#3
Re: BCSE Point of Sale files infected with Malware...
Steve is right on; it is not malware, just a poor encryption method. Encrypted files strike again!
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey XcartGuru X-cart Tutorials | X-cart 5 Tutorials Check out the responsive template for X-cart.
#4
Re: BCSE Point of Sale files infected with Malware...
Okay, my bad if this is a false positive. BCSE files are the only ones showing like this now.
__________________
X-Cart 5.4.1.39 Live PHP 7.4.33 5.5.5-10.3.38-MariaDB MariaDB Apache 2.4 CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT 32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
#5
Re: BCSE Point of Sale files infected with Malware...
Wow, I am amazed that BCSE (a well-respected company - I have some of their great mods) do not / may not use ionCube.
Kind regards, ITVV
__________________
X-Cart Pro 4.7.12 Active and working great with reBOOT-reDUX X-Cart Pro 4.6.6 Retired after 6 years of first class service X-Cart Pro 4.1.7 Retired after 9 years of first class service Apache: 2.4.25 PHP: 7.4.5 MariaDB: 10.1.44 Arch: x86_64
#6
Re: BCSE Point of Sale files infected with Malware...
We have been working on ionCube for a while. But you good customers keep us so busy we have a hard time working on internal items!
It is in progress and has been something I've wanted to do. Should have it done soon I hope. Getting a few clients here and there with their servers now checking for the encoding techniques we currently use. It's something very embedded in our order distribution systems and we don't want to make it live without a lot of testing as we wouldn't want to take down anyone's site over a new encryption technique. Drop us an email if you'd like to be a beta tester.
Thanks, Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002! We support X-cart versions 3.x through 5.x! Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more! Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com Please E-Mail us for questions/support!
#7
Re: BCSE Point of Sale files infected with Malware...
Maldetect, a very common malware detection program, will show false positives on the current BCSE files. To make it not do that, you have to edit this file on your server:
/usr/local/maldetect/ignore_paths
and add the path to the BCSE files:
/home/user/public_html/modules/BCSE_Point_of_Sale
/home/user/public_html/admin/bcse_point_of_sale.php
The only problem with this would be the rare case where actual malware files were somehow put into that directory; they wouldn't be detected. I don't see that happening, but it could.
__________________
X-Cart 5.4.1.39 Live PHP 7.4.33 5.5.5-10.3.38-MariaDB MariaDB Apache 2.4 CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT 32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
#8
Re: BCSE Point of Sale files show false positive when scanned for malware..
Firetank's Marketing Manager also does this; it is a false positive. I would be wary about ignoring paths on the server just in case and as unlikely as it may seem. I'd rather have a false positive than not know.
__________________
4.4.2 and 4.6.1
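Posts #7 and #8 weigh adding the module to ignore_paths against the chance that real malware lands in the excluded directory. The script below is an added example, not code from the thread, BCSE or Maldetect: it keeps a checksum baseline of the excluded files so that any change, removal or new file there is still reported. The function names and the demo tree are constructed, and GNU find, sort, xargs and sha256sum are assumed.

```shell
#!/usr/bin/env bash
# Added example: integrity baseline for a directory excluded from malware scans.
# Function names and the demo tree are hypothetical; tools are GNU coreutils/findutils.

# Record the SHA-256 of every file under DIR into MANIFEST. Build it from a
# known-good copy of the module and keep MANIFEST outside the web root.
baseline_build() {
    local dir=$1 manifest=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# Compare DIR with MANIFEST; print CHANGED/MISSING/NEW lines, return 1 on drift.
baseline_check() {
    local dir=$1 manifest=$2 current report
    current=$(mktemp)
    baseline_build "$dir" "$current"
    report=$(awk '
        { hash = $1; sub(/^[^ ]+ [ *]/, "") }          # $0 is now the path
        FILENAME == ARGV[1] { base[$0] = hash; next }  # first file: baseline
        { seen[$0] = 1
          if (!($0 in base))         print "NEW " $0
          else if (base[$0] != hash) print "CHANGED " $0 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: a stand-in module directory that drifts after the baseline.
demo() {
    local root rc
    root=$(mktemp -d)
    mkdir -p "$root/BCSE_Point_of_Sale"
    echo '<?php /* vendor file */' > "$root/BCSE_Point_of_Sale/pos.php"
    echo '<?php /* vendor file */' > "$root/BCSE_Point_of_Sale/order.php"
    baseline_build "$root/BCSE_Point_of_Sale" "$root/pos.sha256"
    echo '/* appended */' >> "$root/BCSE_Point_of_Sale/pos.php"   # modified file
    echo '<?php /* new */' > "$root/BCSE_Point_of_Sale/x.php"     # unexpected file
    rm "$root/BCSE_Point_of_Sale/order.php"                       # removed file
    baseline_check "$root/BCSE_Point_of_Sale" "$root/pos.sha256"; rc=$?
    rm -rf "$root"
    return "$rc"
}
demo || echo "drift detected in the excluded directory"
```

Run baseline_check from cron and rebuild the manifest only after a deliberate module upgrade, so an unexpected diff always means someone other than the vendor touched the files.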
X-Cart forums © 2001-2020