Eli
Forum Replies Created
Thanks for the quick reply. Please let me know when you have it fixed or if there is anything else you need from me.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Checking if valid threat
Just wanted to follow up here and say that I received a copy of this file in its entirety and was able to confirm that it is in fact not malicious, so I have updated my definitions to omit this pattern from my scans while still being able to detect the original pattern that is similar to this class but used in a malicious way. Please download the latest definition updates so you can run the complete scan again without flagging this plugin file to be quarantined. If you have already quarantined this file then you can restore it from the Anti-Malware Quarantine page in your wp-admin.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] WP CLI support
Thank you for your interest in my plugin. Unfortunately the scan engine is not compatible with any CLI at this time. However, I am currently working on a scheduled scan feature but it will not be ready until I can re-engineer the scan process to run without a browser window.
Thanks for sending me that file. As it is from a paid plugin it is not held to the open source standards that other free plugins are and it is not available for me to look at without paying for it. After reviewing the code in that file I have confirmed that it is in fact not malicious, so I have updated my definitions to omit this pattern from my scans while still being able to detect the original pattern that is similar to this class but used in a malicious way. Please download the latest definition updates so you can run the complete scan again without flagging this plugin file to be quarantined. If you have already quarantined this file then you can restore it from the Anti-Malware Quarantine page in your wp-admin.
Hi Bruno,
Yes, can you please email me that file so that I can check it out and confirm if this is a false positive or not?
eli AT gotmls DOT net
I would certainly be able to offer a lot more helpful advice if you could point me to an infected page so that I could see how this malicious script presented itself in the code. From your description it sounds like there might still be some malicious injection in the database that my plugin might have missed, or maybe the malicious code is just cached on your site.
Make sure and delete all your cache files and then run the Complete Scan again to make sure there are no new injections that were added back after your last cleaning. You can also check the contents of each of the infected pages for any code that may have been inserted into your page but it might be hard to spot in the block editor.
If you need more help finding it then please send me a link to the infected page. If you don’t want to post it here on the public forum then you can email it to me directly:
eli AT gotmls DOT net
I have released a new plugin update which should resolve this issue for you. Please download the new plugin version 4.20.92 and let me know if you are still having any issue with this.
The best way to scan those other sites would be to install my plugin on each of them individually and scan them each from within their own wp-admin.
The easiest way to include other directory trees in the complete scan of the public_html directory would be to create a symlink to those outside directories and put it inside the public_html directory. However, this is not necessarily a good idea because any directory outside the public_html is outside it for a reason and it is generally safer to keep private files outside the public_html directory. It is also less likely to get hacked if it is outside the public_html directory. Can I ask what these other directories are and why you would want to scan them?
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] good idea or bad idea
Personally I think more protection is better. As long as the other plugin is effective and doesn’t conflict with any others that you are using then you should use it. Wordfence is pretty good and the last time I checked there were no conflicts with my plugin. Overall I would say try it and let me know if you run into any unexpected issue.
Try refreshing your login page and make sure that there are no JavaScript errors before you try and log in, otherwise you might not be creating a valid session on the server.
If you still cannot log in then you can manually delete the gotmls folder from your plugins directory. Then you can reinstall my plugin once you log in and run the complete scan to find out if that 404 Error is being caused by a malware infection.
You might also check your .htaccess file and review your error_log files on the server to see if there are any other indications of what might be causing this “not Found” error.
Let me know if you need more help.
This warning you are getting is because the Brute Force Protection in my plugin uses Sessions to prevent Brute Force and DDoS attacks on your login page. You can disable the Brute Force Protection on the Firewall Options page.
This security warning indicates that there must be a saved report with exactly the same query saved in your report list. Every symbol, including SPACE characters, must match exactly. To help avoid unseen differences that might be causing this error try removing all the line-feed/returns in the query string so that the string is all on one line. Also make sure that there are no leading or trailing spaces. Save the query as a report with a unique name, making sure that it runs without errors and returns results, then try using the name of the report instead of the whole SQL Query in the sqlgetvar shortcode to call up this value on the page.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Checking if valid threat
I cannot confirm without more information. The code you provided here does not actually match any of the known threats in my current definitions so I can only imagine a few possible explanations for it being detected as a threat on your system:
1. The code posted may not be an exact match for the code that is actually being identified as a threat. To rule this out please make sure that this code is from the same copy of the same file in the same path modified at the exact same time as the suspected file in question (it should not be the original installation file, or a backup file, or the same file but from another site or another directory, or any other version of that file other than the one that was detected).
2. It could also be that the code here got altered somehow when copying and pasting onto this forum. Try emailing me the file in question as an attachment: eli AT gotmls DOT net
3. It is also possible that there is some kind of Regular Expression bug in your version of PHP or you may have an older version of the definition. Please let me know what version of PHP you are running on your server, and what version of the plugin you have, and also what version of the definition you have downloaded on this site.
You can also click on the file listed in red on the Scan Results to view the potential threat in the file. You can then click on the numbered threats found at the top of that popup window to highlight the suspected code. If you just hover over that numbered link without clicking then it will tell you the name of the threat that was detected. If you can send me that information as well then it would help me tremendously in troubleshooting this issue for you.
@manujks,
You did not understand my suggestion then because I ask users to send me the infected files only if it was not detected by my plugin and this infection is already in my definition updates so it can already be removed automatically by running the Complete Scan and clicking the Automatic Fix button.
However, if this infection keeps coming back every time you remove it then you need to follow steps 1 through 7 outlined in my last post. That simple process will uncover the source of this infection and if the threats you find are not already detected by my plugin then that is what you should send me.
If you are unable to stat the infected file because it was deleted or the stat shows only the date that you removed the infection because it was already fixed then it is possible to get the original infection times from the Anti-Malware Quarantine page in your wp-admin if you used my plugin to fix those infected files. Use those infection times to cross-reference with your access_log files to see what scripts were called to write the infections to those files.
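The cross-reference described in the reply above, as an added example that is not part of the original post or of the plugin: it lists the requests logged within a few seconds of each infection time. It assumes the access_log is in the Apache "combined" format and that the infection times were copied by hand from the Quarantine page and converted to UTC; the function names, the 5-second window and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Apache/Nginx "combined" format (an assumption about the server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (time, ip, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def suspects(log_lines, infection_times, before=5, after=1):
    """Requests logged from `before` seconds ahead of an infection time to `after` past it.
    POSTs sort first, since a request that writes a file is most often a POST."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-matching lines instead of failing
        if any(-after <= (t - rec[0]).total_seconds() <= before for t in infection_times):
            hits.append(rec)
    return sorted(hits, key=lambda r: (r[2] != "POST", r[0]))

# Constructed sample data: documentation IP ranges, made-up paths and times.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2021:04:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2021:04:15:41 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.7 - - [12/Mar/2021:04:15:43 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    'garbled line',
    '198.51.100.23 - - [11/Mar/2021:23:15:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"',
]
INFECTION_TIMES = [datetime(2021, 3, 12, 4, 15, 42, tzinfo=timezone.utc)]

if __name__ == "__main__":
    for ts, ip, method, path, status in suspects(SAMPLE_LOG, INFECTION_TIMES):
        print(ts.astimezone(timezone.utc).isoformat(), ip, method, path, status)
```

The last sample line carries a -0500 offset to show that log timestamps are compared as absolute times, so a server logging in local time still lines up with UTC infection times.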