Hello John,
This is a recurring question and it is NOT a bug or an issue in Akeeba Backup or any of our software. This kind of software is simply looking for patterns of code which are usually – but not exclusively – used in malicious software. These patterns consist of infrequently used PHP features such as base64 encoding, binary file format writing and heavy use of regular expressions. These are all patterns which have to be used to create backup archives in Akeeba Backup, extract backup archives in Akeeba Restore / UNiTE / Akeeba Kickstart (they all use the Akeeba Restore engine) or scan files for malware in Admin Tools. So it’s normal for these patterns to appear in our software.
The problem with “malware scanners” which deal with source code is that they can only check the presence of patterns, marking files for further human inspection. They can NOT positively identify the intent of the code. Code is like prose. Our current level of technology as a species is not yet at the point where a machine can read free-form text and understand its intent.
Please contact your host and let them know that our code, which has been around for more than twelve years, is definitely legitimate and they can actually take a look themselves. This is exactly what their “malware scanner” did; it’s just that they have no idea how to use it and for what purpose. Take this from the person who writes his own “malware scanner” (Admin Tools’ PHP File Change Scanner has the Threat Score feature which is exactly that), understands the pitfalls and has clearly documented them.
For your information, restore.php (Akeeba Restore) is also used by Joomla! itself to apply its own updates. An older version of that file can be found in all Joomla! releases in the folder administrator/components/com_joomlaupdate since Joomla! 2.5.1. Kickstart is a web interface around Akeeba Restore and includes Akeeba Restore.
So, not to put too fine a point on it, your host is incompetent. Ask them for a full refund (at the very least!) since they screwed up your site for no reason whatsoever. Better yet, find a different hosting company where they know what they are doing. Hosting companies who know what they are doing do not rely on "malware scanners" because they know they can't rely on their results to take automated action (FYI, 5% to 10% of the core files distributed with Drupal, Joomla! and WordPress trigger a malware scanner – since I have written such a thing I have of course tested it thoroughly!). Even if they did work, they are like the notorious Maginot line during WW2: when (not if!) the attacker works past them you are screwed.
Really good hosts employ anomaly detection which consists of perimeter security including but not limited to operating system and web server firewalls, email scanning and traffic analysis at the very least. The idea is you watch what is going in and what is going out. If they detect an anomaly then and only then will they suspend the account until the client communicates with them. Good hosts don't use proven to be ineffective and error-prone technology to block sites and then not allow the client to state that the code is legitimate, for Pete's sake!
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
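The point made in the reply above, that a source-code scanner can only report the presence of patterns and hand files to a human, can be seen in a small pattern scorer. This is an added example, not part of the original reply and not Akeeba's or Admin Tools' code; the weights, the threshold, the function names and both PHP samples are constructed for illustration.

```python
import re

# Pattern families named in the reply; weights and threshold are assumed values.
PATTERNS = {
    "base64": (re.compile(r"\bbase64_(?:en|de)code\s*\("), 3),
    "binary_write": (re.compile(r"\b(?:(?:un)?pack|fwrite)\s*\("), 2),
    "regex": (re.compile(r"\bpreg_\w+\s*\("), 1),
}
REVIEW_THRESHOLD = 8

# Constructed sample: harmless archive-writing code of the kind a backup tool needs.
ARCHIVE_WRITER = r'''<?php
// Constructed sample: writes one file entry into a binary archive.
function addEntry($fp, $path, $data) {
    if (preg_match('#\.\./#', $path)) { throw new RuntimeException('bad path'); }
    $path = preg_replace('#^/+#', '', $path);
    $header = pack('a3vV', 'ENT', strlen($path), strlen($data));
    fwrite($fp, $header);
    fwrite($fp, $path);
    fwrite($fp, $data);
    return base64_encode(md5($data, true));
}
'''
# Constructed sample: a plain template that uses none of the patterns.
TEMPLATE = "<?php echo htmlspecialchars($title); ?>"
SAMPLES = {"template.php": TEMPLATE, "archive_writer.php": ARCHIVE_WRITER}

def score(source):
    """Return (total, per-family hit counts) for one PHP source string."""
    hits = {name: len(rx.findall(source)) for name, (rx, _) in PATTERNS.items()}
    total = sum(hits[name] * weight for name, (_, weight) in PATTERNS.items())
    return total, hits

def triage(files):
    """Rank files for a human reviewer; the verdict is never 'malicious'."""
    rows = []
    for name, source in files.items():
        total, hits = score(source)
        verdict = "needs human review" if total >= REVIEW_THRESHOLD else "no action"
        rows.append((name, total, verdict, hits))
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for name, total, verdict, hits in triage(SAMPLES):
        print(f"{name}: score={total} {verdict} {hits}")
```

The legitimate archive writer crosses the threshold purely on pattern counts, which is why the output is a review queue and not a basis for suspending an account.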