Eli
Forum Replies Created
Thank you for contacting me about this issue. I have had one other report of a similar conflict with the REST user API and a cURL call before but it turned out to be caused by another plugin that was making the cURL call to /wp-json/wp/v2/users/### and my firewall was blocking it. I never did get the full details from that other user so I would very much appreciate it if you are willing to work with me to narrow it down and let me know what you find.
As was hinted at above, the REST user API is referenced using the path /wp-json/wp/v2/users/ on your site, followed by a number which corresponds to a User ID in your database. My firewall rule simply blocks this URL on your site, so if this is causing a cURL error it would mean that there is something trying to access this URL on your site through a cURL call. I can help you to figure out what is causing it but I would need you to send me some more information first. Can you please send me a list of all the folders in your plugins directory and mark which ones are active or if any are inactive? Can you please also confirm which version of WordPress you have installed and what version of PHP your server is running?
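One way to find what is requesting the blocked path, as an added example that is not part of the original reply or the plugin's code: it scans access-log lines in the combined log format for /wp-json/wp/v2/users/ followed by a number and groups the hits by client address and user agent. The log lines, addresses and status codes are constructed, and the function and constant names are assumptions made for illustration.

```php
<?php
// Added illustration; the log lines below are constructed sample data.
$log = <<<'LOG'
203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 403 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.20 - - [12/Mar/2021:10:01:05 +0000] "GET /wp-json/wp/v2/users/3 HTTP/1.1" 403 162 "-" "WordPress/5.7; https://example.com"
198.51.100.20 - - [12/Mar/2021:10:06:05 +0000] "GET /wp-json/wp/v2/users/3 HTTP/1.1" 403 162 "-" "WordPress/5.7; https://example.com"
203.0.113.7 - - [12/Mar/2021:10:07:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
LOG;

// Combined log format: ip, identity, user, [time], "request", status, bytes, "referer", "agent".
const LINE_RE = '~^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"~';
// The path the firewall rule blocks: the users endpoint followed by a numeric user ID.
const USERS_RE = '~^/wp-json/wp/v2/users/(\d+)(?:[/?]|$)~';

// Hypothetical helper: returns hits on the users endpoint keyed by "client | user agent".
function restUserHits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m) || !preg_match(USERS_RE, $m[3], $u)) {
            continue; // not a parsable line, or not a request for a numbered user
        }
        $key = $m[1] . ' | ' . $m[5];
        $hits[$key]['count'] = ($hits[$key]['count'] ?? 0) + 1;
        $hits[$key]['user_ids'][$u[1]] = true;
        $hits[$key]['statuses'][$m[4]] = true;
        // WordPress core's HTTP API sends "WordPress/<version>; <site URL>" by default,
        // so this agent points at a plugin or theme on a WordPress site, not a browser.
        $hits[$key]['wp_http_api'] = strncmp($m[5], 'WordPress/', 10) === 0;
    }
    return $hits;
}

foreach (restUserHits($log) as $client => $h) {
    printf("%s\n  hits=%d user_ids=%s statuses=%s wp_http_api=%s\n", $client, $h['count'],
        implode(',', array_keys($h['user_ids'])), implode(',', array_keys($h['statuses'])),
        $h['wp_http_api'] ? 'yes' : 'no');
}
```

A plugin can override the default user agent, so a hit without the "WordPress/" prefix does not rule out a plugin as the caller.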
Hi Paul,
I sent a reply to your direct email 3 days ago and have not gotten any followup info from you so I will go ahead and respond here too. I don’t have the Scan history details feature finished yet so as of right now the scan log just shows the times and duration of past scans. The original design was that you would run the complete scan (which should usually only take between 10 to 30 minutes) and then fix the known threat immediately.
I rarely get any false positives but it does sometimes happen, and it is usually because the code is identical or at least very similar to a previously identified “Known Threat”. This pattern “echo div position absolute negative anchors” is looking for hidden links that use extreme or unusual ways to hide their content with a combination of styles like negative positions and transparencies together. From the snippets of code you have sent I can see how this might have matched this pattern but I would need to see the whole file to properly analyze why this code was detected and how to fix it. Could you please send me this whole file as an attachment?
Automatically fixing this code with my plugin would simply remove the suspicious part of the code from the file in question, so that would in fact be a bad thing if that code is a false positive. You would then need to restore the code from within the Anti-Malware Quarantine page to get that functionality working properly again.
As for the “GFForms::ensure_hook_js_output” hook, I wonder if it is part of Gravity Forms which you might be using on your site. If you are using Gravity Forms can you temporarily disable it to see if that warning goes away and the scan runs any faster? If the scan is still slow then you can also send me a few screenshots throughout the process so that I can try to pinpoint what might be causing this behavior.
This was most likely because the update was pushed out to your site before I had access to the release through the repository and I didn’t have a chance to update the core files definitions until the next day.
It should all be working correctly and updated now but if you still did not get the update then try selecting the automatic update feature again and click save to refresh it.
You can contact me directly if you need more help:
eli AT gotmls DOT net
Thank you for reporting this error. I have just released a new plugin update to fix this issue. Please download the latest version of my plugin (4.20.93) and let me know if there is anything else.
Yes, my plugin should work fine on SiteGround hosting, and it was designed to be compatible with any other security plugin too. If you find any possible conflicts please let me know and I will investigate.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Is there a whitelist option?
Thanks for the additional info. As I suspected, the script is placed outside the BODY tags (below the closing </BODY> tag) and this is improper HTML. I suggest that you simply change the HTML from:
</body> <script src="html5/lib/scripts/ds-bootstrap.min.js"></script> </html>
to:
<script src="html5/lib/scripts/ds-bootstrap.min.js"></script> </body> </html>
so that the offending SCRIPT tag is correctly positioned within the BODY as proper HTML code.
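A check for the misplacement described in the reply above, as an added example that is not part of the original reply and is not the scanner's detection logic: it lists SCRIPT tags that start outside both the HEAD and BODY elements. The function name is hypothetical and the two sample documents are constructed around the script path quoted in the reply.

```php
<?php
// Added illustration; not the scanner's detection logic. Function name is hypothetical.
// Returns the <script> opening tags that start outside both <head>...</head>
// and <body>...</body>.
function scriptsOutsideHeadAndBody(string $html): array
{
    // Byte ranges [start, end] of the two elements in which a script tag belongs.
    $regions = [];
    foreach (['head', 'body'] as $tag) {
        if (preg_match("~<{$tag}\\b[^>]*>~i", $html, $open, PREG_OFFSET_CAPTURE)) {
            $close = stripos($html, "</{$tag}>", $open[0][1]);
            // An unclosed element is treated as running to the end of the document.
            $regions[] = [$open[0][1], $close === false ? strlen($html) : $close];
        }
    }

    $misplaced = [];
    preg_match_all('~<script\b[^>]*>~i', $html, $scripts, PREG_OFFSET_CAPTURE);
    foreach ($scripts[0] as [$tagText, $offset]) {
        $inside = false;
        foreach ($regions as [$start, $end]) {
            $inside = $inside || ($offset > $start && $offset < $end);
        }
        if (!$inside) {
            $misplaced[] = $tagText;
        }
    }
    return $misplaced;
}

// Constructed documents using the two layouts shown in the reply.
$scriptTag = '<script src="html5/lib/scripts/ds-bootstrap.min.js"></script>';
$samples = [
    'script after </body>'  => "<html><head><title>t</title></head><body><p>hi</p></body> $scriptTag </html>",
    'script inside <body>'  => "<html><head><title>t</title></head><body><p>hi</p> $scriptTag </body></html>",
];

foreach ($samples as $label => $html) {
    $found = scriptsOutsideHeadAndBody($html);
    printf("%-22s misplaced=%d %s\n", $label, count($found), implode(' ', $found));
}
```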
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Is there a whitelist option?
Yes, you can click on the file name that is listed as a “Known Threat” and click the white-list button, but that will only help YOU until that file changes or a new update replaces your whitelist. A better solution would be that we help each other figure out why it’s marked as a threat and correct that, so that this is not a problem for you (or anyone else) in the future. If I had to guess, I would say that one of the main factors that is causing this script tag to look malicious is that it is likely improperly placed within your HTML. All SCRIPT tags need to be placed within either the BODY tag or the HEAD tag to be considered valid HTML. Any SCRIPT tags outside the BODY and HEAD tags are considered improper and will be more likely to be flagged as a maliciously injected script.
If you need any more help with this please provide more information, like a link to the page in question or a complete copy of the HTML on the page. You can also email me this information directly if you don’t want to post it on this public forum:
eli AT gotmls DOT net
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Use with WordFence
Yes, of course. You should be able to use my plugin in conjunction with any other security plugin.
Thanks for following up.
That’s great that you figured it out and fixed it. Are there any other details about where you found the injection or what was injected that you could share that might help others to find a solution if they have the same issue as you?
Also, what was the issue that enabled the injection in the first place?
If you still need help with this can you please post a link to your website so I can take a look?
You can email me directly if you don’t want to post that link on this public forum:
eli AT gotmls DOT net
Looks like the site is working now and your last post suggests that you found a solution, am I right?
It sounds like you manually upgraded to the latest version of my plugin and that fixed the error you were getting, which I can only assume was coming from a compatibility issue with the newer version of PHP on your new server. I can confirm that you would need to have the latest release of my plugin to be compatible with newer versions of PHP, can you please confirm that is what the issue was?
To answer your question about losing your reports: If you had deactivated or deleted my plugin then you could upgrade or install the latest version from the WordPress Plugin Repository in the normal way through your wp-admin and you would not have lost any reports that you had.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] WP CLI support
As a hosting agency, I too understand the concern that any scan might impact the server’s performance. The current scan process requires a browser to queue up linear scan batches and track the results until the scan is complete so it is not compatible with any CLI or scheduling agent.
The new scan engine I am working on will be independently coordinated so it will not rely on an active browser to maintain a continuous session, thereby enabling a scheduling agent to initiate scans. This will also be much more efficient in many ways so you and I will not have to worry so much about the impact of the scans on our system resources. Although the impact will still be as real as the threat of malware it will not be as risky as you might be thinking.
My main goal has always been and always will be to help the end user remove malware and protect their site from infections, but I know that my plugin is used by a lot of hosting and cleaning agencies as well. In the end I will do what I can for the overall success of my plugin to have the greatest effectiveness for the most users.
Thanks again for your continued interest. I hope you will find the new scan engine beneficial for your usage needs when the upgrade is finally available. If you want to keep in touch with me directly then I can let you know how you can become a BETA tester when the time comes so that you might have the most potential to influence the course of the development of this new feature.
In my particular case it is very specific, yes. However, there is a potential that the code loophole that I outlined above could interfere with other plugins in other cases as well. I’m not sure that you will even be able to recreate the exact scenario that I have been made aware of by my clients and have yet to recreate myself. So wouldn’t it be easier and more preemptively solution oriented to just close the hole in the condition that allows this erroneous message to be returned?
I don’t know how but there are obviously some conditions present in the wild that are resulting in an empty scalar value of support_mwp_message being passed along and your function is hooked into the admin init action so it responds and kills the page before my ajax-admin hook can respond. I propose that you either change your return condition to include empty support_mwp_message values as well as non-scalar values so that you don’t return this “Please enter a message” response or find another way to safely exit your handleSupportForm function if the admin_init is called from any calls to admin-ajax.php that do not have your own ajax action hook. Is there any reason why neither of these two proposed fixes would sound reasonable to your developers?
My plugin is https://ww.wp.xz.cn/plugins/gotmls/
…and this only seems to be a problem when there are known threats (infected files) on the user’s site and they try to clean them using the Automatic fix feature in my plugin.
The form that my plugin posts should look something like this:
<form method="POST" action="/wp-admin/admin-ajax.php?GOTMLS_mt=[MD5_HASH]&page=GOTMLS-settings" target="GOTMLS_iFrame" name="GOTMLS_Form_clean">
  <input type="hidden" name="action" value="GOTMLS_fix">
  <input type="hidden" id="GOTMLS_fixing" name="GOTMLS_fixing" value="1">
  <input type="hidden" name="GOTMLS_mt" value="[MD5_HASH]">
  <input type="hidden" name="scan_type" value="Complete Scan">
  <input type="hidden" name="check[]" value="db_scan">
  <input type="hidden" name="check[]" value="htaccess">
  <input type="hidden" name="check[]" value="timthumb">
  <input type="hidden" name="check[]" value="known">
  <input type="hidden" name="check[]" value="wp_core">
  <input type="hidden" name="scan_what" value="0">
  <input type="hidden" name="scan_depth" value="-1">
  <input type="hidden" name="exclude_ext" value="png,jpg,jpeg,gif,bmp,tif,tiff,psd,svg,webp,doc,docx,ttf,fla,flv,mov,mp3,pdf,css,pot,po,mo,so,exe,zip,7z,gz,rar">
  <input type="hidden" name="exclude_dir" value="">
  <input type="checkbox" name="GOTMLS_fix[]" value="[BASE64_HASH]" checked="known">
</form>
… but several clients that use both of our plugins together report that they receive the response
{"success":false,"message":"Please enter a message."}
when submitting this form unless they deactivate your plugin.
I have looked at your code and it does appear that your intention is to only respond if support_mwp_message is passed …
if (!isset($request->request['support_mwp_message']) || !is_scalar($request->request['support_mwp_message'])) { return; }
… and yet somehow this code on line 205 of /src/MWP/EventListener/PublicRequest/BrandContactSupport.php in your plugin does execute on these users’ sites instead of my action hook’s response.
I have been unable to recreate this issue on any of my test sites because I don’t know what conditions would have your plugin activating the enableContactSupport function in your plugin which must be inadvertently adding this support_mwp_message value to the post or at least somehow creating the empty scalar value $request->request['support_mwp_message'] which slips through your conditions and returns the false response message.
I also don’t know how you would recreate this issue on your end unless you had real infections on one of your test sites so that you could try using my plugin to clean them. Maybe we can work together to recreate this scenario, or maybe it would just be better if your developer closed the loophole that is permitting an empty scalar value of support_mwp_message to slip through the cracks. Maybe the if statement on line 184 of /src/MWP/EventListener/PublicRequest/BrandContactSupport.php mentioned above should read like this:
if (!isset($request->request['support_mwp_message']) || empty($request->request['support_mwp_message'])) { return; }
Thank you so much for reporting this to me. Those were in fact just false positives. I have corrected the definition (LBE7s) that mistakenly flagged those files so it should not identify those files as a known threat any more.
Please download the latest definition updates (LBFBR) and run the complete scan again to confirm that it is fixed.
- This reply was modified 4 years, 6 months ago by Eli.
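The guard condition discussed in the two replies about support_mwp_message above, as an added example that is not part of the original posts and is not code from either plugin: it runs the quoted is_scalar() check and the proposed empty() check over constructed request bodies. The function names and sample inputs are assumptions, and the third function is one assumed way of combining the two checks, as the follow-up reply describes.

```php
<?php
// Added illustration; not code from either plugin. Function names are hypothetical.
// $post stands in for $request->request (the parsed POST body).

// Condition as quoted in the post: return unless the key is set and scalar.
function quotedGuardReturns(array $post): bool
{
    return !isset($post['support_mwp_message'])
        || !is_scalar($post['support_mwp_message']);
}

// Condition as proposed in the post: is_scalar() replaced by empty().
function proposedGuardReturns(array $post): bool
{
    return !isset($post['support_mwp_message'])
        || empty($post['support_mwp_message']);
}

// Both checks together ("empty ... as well as non-scalar values"). A zero-length
// string comparison is used instead of empty() so that a message of "0" is kept.
function combinedGuardReturns(array $post): bool
{
    return !isset($post['support_mwp_message'])
        || !is_scalar($post['support_mwp_message'])
        || (string) $post['support_mwp_message'] === '';
}

// Constructed request bodies.
$cases = [
    'key absent'   => ['action' => 'GOTMLS_fix'],
    'empty string' => ['action' => 'GOTMLS_fix', 'support_mwp_message' => ''],
    'array value'  => ['support_mwp_message' => ['x']],
    'message "0"'  => ['support_mwp_message' => '0'],
    'real message' => ['support_mwp_message' => 'Need help'],
];

// "returns" = the listener ignores the request; "handles" = it goes on to process
// the support form, which for a blank message is the "Please enter a message." reply.
foreach ($cases as $label => $post) {
    printf("%-13s quoted=%-8s proposed=%-8s combined=%s\n", $label,
        quotedGuardReturns($post) ? 'returns' : 'handles',
        proposedGuardReturns($post) ? 'returns' : 'handles',
        combinedGuardReturns($post) ? 'returns' : 'handles');
}
```

With these inputs the quoted condition lets the empty string through to the form handler, while the proposed one lets a non-empty array through and treats a message of "0" as empty.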