Forum Replies Created

Viewing 15 replies - 166 through 180 (of 2,028 total)
    Plugin Author Eli

    (@scheeeli)

    No, that’s not how it works. You can restore any or all changes made during the cleaning from the quarantine page at any time. Keep in mind that it’s generally not a good idea to restore these changes from the quarantine back into the original files. If these files were infected and then cleaned, then restoring the changes would put the malicious infection back on your site. So you only need to use this feature if there was some kind of mistake made during the cleaning.

    Plugin Author Eli

    (@scheeeli)

    The premium features include the automatic update method which enables the Core File Scan and Brute-Force Patch. The auto-scan feature is still under development and not yet available to anyone at this time.

    The Quarantine is a record of those files that have been modified (cleaned) by my plugin. Deleting the quarantine will only erase the record of those changes but not revert the infections to those files. However, it can be super helpful to keep these quarantine records for many reasons.

    Plugin Author Eli

    (@scheeeli)

    Like all plugins, this one uses your existing connection to your WordPress database. This connection is configured through your wp-config.php file on your server and I would not advise changing anything in that file.

    If you have created a non-standard table in your WordPress database then you would just need to extend the same permissions to that new table as the rest of the tables have for this plugin to query that data as it would any other table.

    I don’t know what tools you might have used to create the new table with the wrong permissions, but your hosting provider surely has their own tools in your control panel for you to examine and correct the table access permissions.

    Plugin Author Eli

    (@scheeeli)

    That TxID is actually from a different email address (looks like it might be your Gmail account), so the donation was automatically assigned to your other account under that Gmail address. You can transfer your registered domains into that other account if you want.

    Please note that this type of question should be emailed directly to me and not posted on ww.wp.xz.cn. I don’t think they like it when people post account-related inquiries on this public forum; they will want you to take this kind of question directly to the company you registered with (me).

    You can email me any follow-up questions:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    I have to say, I don’t like this code and see no justification for using a variable function name here (especially one that is built from a $_REQUEST variable). However, I cannot find any real-world method of exploiting this code, so I have decided to go ahead and whitelist this particular usage of this code for now.

    Plugin Author Eli

    (@scheeeli)

    Thanks for sending me that file. I confirmed that threat is already in my definitions, so it would have found and removed it for you if you had not already removed it 😉

    Plugin Author Eli

    (@scheeeli)

    Please email the files directly to me as attachments:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Hey Bruno,
    Thanks for reporting this to me. This is potentially a false positive but I want to do a little more investigation before I whitelist it.

    Generally it’s a bad idea to use a $_REQUEST index as a variable function, and I’m not even sure why the developers went to all the trouble to use such an unsafe method, but I can see that they have also gone to great lengths to make it more secure (like requiring a nonce token, and verifying that the user has edit privileges for the post type). I’m just not yet sure that it couldn’t be exploited through some kind of privilege escalation XSS attack to produce unintended results. It also seems to be connected to a file upload method, which heightens the risk and makes me question the security of the whole design of this function.

    Give me a little while to dig deeper into the code and run some tests to make sure it is really safe and I’ll let you know what I find…
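The two replies above (the whitelisted variable-function usage and the $_REQUEST-driven callable with nonce and capability checks) describe the same design concern. Here is an added illustration of that pattern beside a hardened form; it is not code from the plugin under discussion or from this thread, and all function names prefixed `hypothetical_` are assumptions. The WordPress functions used (check_ajax_referer, current_user_can, wp_send_json_error, sanitize_key, wp_unslash, call_user_func, wp_send_json_success, add_action) are real.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical WordPress AJAX handlers
// showing the pattern the replies describe and an allow-listed replacement.

// UNSAFE: the callable is built directly from a request parameter.
// A nonce and a capability check limit *who* can reach this, but the set of
// functions that can be called is "everything in scope", which is the design
// problem the reply points at. Shown only as the "before" case.
function hypothetical_unsafe_handler() {
    check_ajax_referer( 'hypothetical_nonce', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $func = $_REQUEST['action_callback']; // request-controlled string
    $func();                              // variable function call
}

// HARDENED: map request values to a fixed allow-list of named handlers.
// The request string is only ever used as an array key; anything not in the
// map is rejected before any call is made.
function hypothetical_safe_handler() {
    check_ajax_referer( 'hypothetical_nonce', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array(
        'export' => 'hypothetical_export_action',
        'import' => 'hypothetical_import_action',
    );

    $key = isset( $_REQUEST['action_callback'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action_callback'] ) )
        : '';

    if ( ! array_key_exists( $key, $allowed ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    // Only a value taken from the allow-list is ever called.
    $result = call_user_func( $allowed[ $key ] );
    wp_send_json_success( $result );
}

function hypothetical_export_action() { return 'exported'; }
function hypothetical_import_action() { return 'imported'; }

add_action( 'wp_ajax_hypothetical_action', 'hypothetical_safe_handler' );
```

With the allow-list, a scanner rule looking for `$_REQUEST`-derived callables has nothing to flag, and the reachable code is visible in one place for review.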

    Plugin Author Eli

    (@scheeeli)

    What were the results of the scan and how long did it take (normally less than an hour for a Complete Scan)?

    My plugin should find this type of threat and remove it for you, but there are sometimes new variants that need to be added to my definition updates.

    You can send me the infected files that you found and I will check them.

    Plugin Author Eli

    (@scheeeli)

    I’m not sure what you mean by this but I will try to explain the Anti-Malware Quarantine in the hope it will better answer your question.

    There is no “quarantine folder” actually, but the “View Quarantine” option on the Anti-Malware menu will display a list of files that have been found to contain malicious code and already fixed. The malicious code that was found and removed has been stored in these records in your database where it is safe and cannot be executed. I think the description on that page says it best:

    The following items highlighted in yellow had been found to contain malicious code, they have been cleaned and the malicious contents have been removed. A record of the infection has been saved here in the Quarantine for your review and could help with any future investigations. The code is safe here and you do not need to do anything further with these files.

    If you have cleaned some files that have then been re-infected again then you will also see this message:

    The items highlighted in red have been found to be re-infected. The malicious code has returned and needs to be cleaned again.

    There would then be an option on the page to “Re-clean the re-infected files”, which is highly recommended.

    There is also an option to select all records and delete them from the Quarantine, which is not recommended at all. These records can be very helpful to keep, especially if you are still working to remove more infection and patch potential vulnerabilities. The information in these Quarantine records can also be very helpful for any further investigation into where the hack came from and how it might have gotten onto your site.

    Please let me know if I have missed your point here or if you have any further unanswered questions that need more elaboration.

    Plugin Author Eli

    (@scheeeli)

    Thank you for reporting this. I have confirmed that this is a false positive and I have corrected the definition that was released yesterday. Please download the latest definition updates to fix this and confirm that these files are no longer incorrectly flagged as known threats.

    Plugin Author Eli

    (@scheeeli)

    When a rogue plugin is secretly installed on your site it’s usually done in one of two ways. Either someone has used brute-force or surveillance to gain access to an existing admin account and has then installed an unwanted plugin as any admin might, or they have gained account (or root) access to the server through some similarly underhanded means and used this access to plant malicious code and/or this rogue plugin on many sites. Given that you say “all my customer accounts sites got hacked” I would suspect the latter. Someone has gained unauthorized access to your server and planted this hack on all your sites. It could be that they have cracked your Control Panel login or gotten in through an FTP account, or maybe even gained root access to the whole server. At this point you should assume that all your passwords to the server and hosting account have been compromised and change them all. Then get your hosting provider involved and have them check the server log files to make sure that nobody else has been accessing anything on the server that they shouldn’t be accessing. I know this last part is vague, but it will vary from server to server and provider to provider what their protocol will be for a situation like this; unfortunately it is usually inadequate and sometimes involves trying to up-sell you expensive security software or some kind of “better” hosting plan. If this is the case then you should probably consider looking for a better (more secure) hosting provider.

    Plugin Author Eli

    (@scheeeli)

    I have just updated my definitions to exclude this false positive so that it will not come up as a known threat in my plugin any more 😉

    Plugin Author Eli

    (@scheeeli)

    Thanks for contacting me about this. It looks like that CSV template has some HTML links to buy stuff on Amazon. It might just be an example, but it looks kind of spammy to me at first glance. I’m not even sure if it falls within the WordPress terms for being on their Plugin Repository if it has embedded ad links like that. I tried the plugin on one of my test sites and I could not even use it because the Content Security Policy on my server blocked the JavaScript, stating that there was Unsafe Eval usage.

    I will have to do some more research before I can make a clear determination on whether this is allowable or if it is just a false positive…

    I will get back to you when I have more info. In the meantime please contact the developer and ask them why they added links to Amazon products to that CSV template file in the latest update.

    Plugin Author Eli

    (@scheeeli)

    Thank you for posting this resolution. I have heard of Jetpack causing a lot of issues like this but it is so widely used that it ends up being a very small percentage of their users and it’s hard to replicate the issue or pinpoint the actual cause. There does seem to be something about certain servers that does not work well with Jetpack but I can’t get it to act up like this on any of my servers 😉

    Anyway, I’m glad to hear that you got it all worked out and my plugin is running smoothly for you now.
