Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

BCSE Point of Sale files show false positive when scanned for malware..

 
Reply
   X-Cart forums > X-Cart 4 > Third Party Add-Ons for X-Cart 4
 
Thread Tools
  #1  
Old 09-23-2014, 07:02 PM
 
kevinrm kevinrm is offline
 

X-Adept
  
Join Date: Aug 2003
Posts: 998
 

Default BCSE Point of Sale files show false positive when scanned for malware..

This is a warning to those who may be using the BCSE Point-Of-Sale mod. My well secured site had recently started sending out spam, this was detected by CSF Firewall installed on my dedicated server. After a thorough scan of the server using Maldetect for Linux, it was traced back to BCSE files supplied for the Point-of-Sale mod. I am running X-Cart 4.6.4 and was using the mod for version 4.5x (it still worked fine in version 4.6.4). When I contacted BCSE, they said I need to upgrade to the latest version. Huh? Anyway, I did that. Here we are a few days later and once again, their files show up as malware after a scan. Only their files, no others on my entire site. So I *highly* recommend anyone here using this mod to run maldetect scan and verify this is not occurring with files supplied by them.

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 092414-0317.4115
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/admin/bcse_point_of_sale.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/sessions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.conf.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/adpm.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/init.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/pos.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/hosted_return.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/products.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cim.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/payment.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/display_page.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/order.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/config.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/configuration.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.cc.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/functions.js.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/customer.php
{HEX}gzbase64.inject.unclassed.15 : /home/server/public_html/modules/BCSE_Point_of_Sale/initialize.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
__________________
X-Cart 5.4.1.21 Live
PHP 7.3
FPM/FastCGI - enabled
Zend OpCache OFF - Won't work with phar extension in cPanel on
10.3 MariaDB
Apache 2.4
CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT
32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
Reply With Quote
  #2  
Old 09-23-2014, 07:11 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 14,024
 

Default Re: BCSE Point of Sale files infected with Malware...

These files are encoded with base64. The malware scan you are running will report them as malware even though they are not just because malware is usually encoded this way. Your options are either to disregard this or ask bcse to provide you with ioncube encrypted files.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote

The following user thanks cflsystems for this useful post:
kevinrm (09-23-2014)
  #3  
Old 09-23-2014, 11:14 PM
  totaltec's Avatar 
totaltec totaltec is offline
 

X-Guru
  
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823
 

Default Re: BCSE Point of Sale files infected with Malware...

Steve is right on, it is not malware just a poor encryption method. Encrypted files strike again!
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
Reply With Quote

The following user thanks totaltec for this useful post:
kevinrm (09-23-2014)
  #4  
Old 09-23-2014, 11:48 PM
 
kevinrm kevinrm is offline
 

X-Adept
  
Join Date: Aug 2003
Posts: 998
 

Default Re: BCSE Point of Sale files infected with Malware...

Okay, my bad if this is a false positive. BCSE files are the only ones showing like this now.
__________________
X-Cart 5.4.1.21 Live
PHP 7.3
FPM/FastCGI - enabled
Zend OpCache OFF - Won't work with phar extension in cPanel on
10.3 MariaDB
Apache 2.4
CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT
32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
Reply With Quote
  #5  
Old 09-24-2014, 12:20 AM
 
ITVV ITVV is online now
 

X-Wizard
  
Join Date: Nov 2006
Location: UK
Posts: 1,094
 

Default Re: BCSE Point of Sale files infected with Malware...

Wow, I am amazed that BCSE (A well respected company - I have some of there great mods) do not / may not use ionCube

Kind regards

ITVV
__________________
X-Cart Pro 4.7.12 Active and working great with reBOOT-reDUX
X-Cart Pro 4.6.6 Retired after 6 years of first class service
X-Cart Pro 4.1.7 Retired after 9 years of first class service

Apache: 2.4.25
PHP: 7.4.5
MariaDB: 10.1.44
Arch: x86_64
Reply With Quote
  #6  
Old 09-24-2014, 09:40 AM
  BCSE's Avatar 
BCSE BCSE is offline
 

X-Man
  
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 2,933
 

Default Re: BCSE Point of Sale files infected with Malware...

We have been working on ioncube for a while. But you good customers keep us so busy we have a hard time working on internal items!


It is in progress and has been something I've wanted to do. Should have it done soon I hope. Getting a few clients here and there with their servers now checking for the encoding techniques we currently use.

It's something very embedded in our order distribution systems and we don't want to make it live without a lot of testing as we wouldn't want to take down any one's site over a new encryption technique. Drop us an email if you'd like to be a beta tester.

Thanks,

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
Reply With Quote

The following user thanks BCSE for this useful post:
ITVV (09-24-2014)
  #7  
Old 09-25-2014, 01:45 AM
 
kevinrm kevinrm is offline
 

X-Adept
  
Join Date: Aug 2003
Posts: 998
 

Default Re: BCSE Point of Sale files infected with Malware...

Maldetect, a very common malware detection program, will show false positives on the current BCSE files. To make it not do that, you have to edit this file on your server:

/usr/local/maldetect/ignore_paths

and add the path to the BCSE files:

/home/user/public_html/modules/BCSE_Point_of_Sale
/home/user/public_html/admin/bcse_point_of_sale.php

The only problem with this would be the rare case where actual malware files were somehow put into that directory, they wouldn't be detected. I don't see that happening, but it could.
__________________
X-Cart 5.4.1.21 Live
PHP 7.3
FPM/FastCGI - enabled
Zend OpCache OFF - Won't work with phar extension in cPanel on
10.3 MariaDB
Apache 2.4
CENTOS 7.8 64Bit Single Quad-Core E3-1241v3 3.4Ghz 8M 1600 w/ HT
32GB RAM 2x 512GB Samsung 850 Pro SSD RAID 1
Reply With Quote

The following user thanks kevinrm for this useful post:
totaltec (09-25-2014)
  #8  
Old 09-25-2014, 10:47 PM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default Re: BCSE Point of Sale files show false positive when scanned for malware..

Firetank's Marketing Manager also does this, it is a false positive. I would be wary about ignoring paths on the server just in case and as unlikely as it may seem. I'd rather have a false positive than not know.
__________________
4.4.2

and

4.6.1
Reply With Quote
Reply
   X-Cart forums > X-Cart 4 > Third Party Add-Ons for X-Cart 4


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 10:04 AM.

   

 
X-Cart forums © 2001-2020