Eli

This is probably a false positive but I’d like to be sure. Can you please send me the full log file so that I can check it and confirm this?

I am very curious to know what there would be in a log file that would look like a known threat, especially if it’s many lines long, and there is nothing suspicious in the 7 line excerpt that you posted above.

If possible, please attach the whole log file to an email so I can give you a better explanation:

eli AT gotmls DOT net

This is a duplicate of:

https://ww.wp.xz.cn/support/topic/still-have-malware-or-not/

Thanks again for sending me these additional files Dario!

There is a few new variants of one of the old ones again, this appears to be one threat that is rapidly evolving / morphing.

Just added these too though so download the latest definition updates and run the complete scan to see if it finds any more.

Yes, Please send me this new zip file too.

I am currently working through the first batch you sent me…

The condition for this error to be output is:

if (!function_exists(“mb_detect_encoding”))

so that means that the <meta http-equiv=”content-type” content=”text/html; charset=utf-8″></meta>function <meta http-equiv=”content-type” content=”text/html; charset=utf-8″></meta>”mb_detect_encoding” does not exist in the version of PHP that you are running on that site.

While it seams that you do have mbstring installed on the other site, this one does not seam to have those Multibyte functions available. It is possible that this is a plugin conflict, but only if you have some other plugin that is somehow disabling the <meta http-equiv=”content-type” content=”text/html; charset=utf-8″></meta>mb_detect_encoding function. You can try disabling other plugins if you think that is it, but it doesn’t seam likely to me.

Please check the version of PHP installed for that site and confirm that it is showing that mbstring is enabled. You can use the phpinfo() function to output all PHP settings for all installed modules.

You my also want to ask your hosting provider to help you confirm that <meta http-equiv=”content-type” content=”text/html; charset=utf-8″></meta>mbstring is enabled on that site.

Please let me know what you find.

Yes, you are correct that this is not the usual or expected behavior. When you click the Automatic fix button it should fix the infected files and clean the injections from the database records, moving the threats to your Anti-Malware Quarantine, and then show you the results of the fixing process.

When that loading icon is all you see, even after a few minutes, you are meant to click the “taking too long” button to see if there were some errors visible that might have prevented the proper results from showing up. If that page is black too it probably means that those errors are being suppressed. What we need now is to see what errors are causing the fixing process to hang on that blank page. Can you please look at the error_log file on your server too see if there are any errors recorded there that might explain this?

Another possibility is that you may have some other security plugin or firewall which is blocking the automatic fix process from executing on that page. Maybe you could disable your other security plugins while you run the scan and fix to see if that helps. Also make sure that your caching is disabled and delete any cache files on your server to speed up the scan and purge and threats that might have been cached.

You can email me directly if you want to share any results that might contain private information you wouldn’t want to post on this public forum:

eli AT gotmls DOT net

The first site I tried to test your Commission Calculator plugin on failed to create the tables on activation, I got the following error message in my log files:
WordPress database error Invalid default value for 'created_at' for query CREATE TABLE wp_mbcc_install_type

I am using PHP Version 7.4.8 and MySQL Client API library version 5.5.62 on that server.

I was able to install and activate your plugin on one of my other servers though, and I get this error in your code when I run this plugin on any of my test sites:
Notice: Undefined index: ms_login in .../wp-content/plugins/mb-commission-calculator/shortcodes/ms-commission-calculator.php on line 26

This is the code you have on that line:

    if($_SESSION['ms_login'] == false){

You might want to rethink your login conditions and take into account that there might not be a session at all the first time your code runs. For example this code change will fix that PHP Warning for you:

    if((isset($_SESSION['ms_login']) === false) || ($_SESSION['ms_login'] == false)){

Also, your logout link is set to "?logout=true" which only works if you are using permalinks URLs and does not work on my test post ID 1732 which has a URL of /?p=1732 (your ?logout=true overwrites my post_id and thus it never triggers your shortcode on that page, therefore I cannot logout). I can only login if I hack the URL to include both parameters required for your plugin to successfully log me out:

/?p=1732&logout=true

Then I noticed that your code executes the session_destroy() function on logout, which is not very friendly to any other plugins that might have stored any session variables for their own purposes. You will notice that my plugin never uses session_destroy() or $_SESSION = ... specifically so that I don't step on anyone else's toes.

Your login redirect also takes me away from the test post that I put your shortcode on so after logging in I have to manually navigate back to /?p=1732 to see your form.

But, other than all those issues I had no problems with your session vars after logging in, even with my plugin installed on that site too, so I don't see how my plugin has anything to do with whatever session issues you are having on your server. The only session vars accessed by my plugin are only within the array elements prefixed with GOTMLS, like $_SESSION["GOTMLS_... so my plugin cannot by overwriting your sessions.

I think the fact that you are using @ini_set( 'display_errors', 0 ); is a bad sign. You shouldn't really be expecting to have so many errors that you would need to suppress them like that and you won't be able to troubleshoot the issue you are having in your plugin if you suppress the errors either. I think if your turn off error suppression and weed out all the bugs in your code that might be causing the errors you are hoping to suppress (mostly caused by assuming that variables exist and using them without testing them using if isset first) then you might be able to pin down whatever anomalies are producing this unwanted session loss on your server.

If I had to guess I would say that you are probably getting cached results sometimes that are confusing the issue and making it hard for you to tell when you are getting real-time session results in your output.

Thank you so much for taking the time to send me all the details. With the information you have provided I have found a solution and released a new plugin update, version 4.21.87. Could you please download the latest version of my plugin on site A and site C and confirm that it fixes this issue for you?