Eli
Forum Replies Created
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] More than 24 hours to scan?
First of all, there is something very wrong if the scan is taking that long. In general, the Complete Scan should not take more than 1 hour even on a large site. If you have lots of plugins or if there are many other websites installed in sub-directories under the web-root of this main website then it can sometimes take longer, but it is usually an indication of a massive amount of scan errors or else something critically wrong with the website that is causing the scan to fail or slow to intolerable levels. Under normal conditions the scan should process each folder in under a second, only taking a few seconds if there is a problem with one or some of the files in that folder, but the scan is not designed to allow any folder to take more than 65 seconds without skipping that folder with an error or failing. So I don’t see any way that you could be observing each folder taking a whole hour.
You do have to leave the page open while the scan is running or it will not progress any further and the scan will need to be restarted. At this point it sounds like the scan would need to be restarted anyway, and you should watch the first part of the scan closely, when it says “Preparing …” to see if it gets stuck in any potentially problematic folders. I could get a better idea of what might be causing this issue if you could send me a screenshot of the scan in progress, especially after it has gone on for a while. If the first scan is still going you should get a screenshot of that now before you close it and restart the scan. You could also look in the error_log files on your server to see if there are any clues in there as to what is causing this slowness. Also check the Console tab in your browser’s Inspector to see if there are any errors on the scan results page.
If you have any details that you want to share with me that might help me resolve this for you but you don’t want to post them on this public forum then you can email me directly for more support with this issue.
eli AT gotmls DOT net
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Deactivated.
Thanks for reporting this error, but I will need more information from you if I am to provide a solution.
First, it’s important for me to understand the situation that led to this error being generated, and I think it would help you to understand the nature of the error too. In this case the error was caused simply because a scan process took longer than the maximum execution time of 60 seconds, which is a restriction set up in your PHP configuration on your server. To be clear, this is not a bug in the code or an error caused by any specific thing that my code is doing. It is actually not uncommon for any intensive process to run longer than 60 seconds, so I would not expect that there is anything to be fixed in the plugin because of this error.
Based on the line number logged here I can deduce that the scan process reached 60 seconds while executing the function GOTMLS_check_threat, which tells me that you were running a manual scan but it does not tell me what type of scan or what part of your system you were scanning. If this was a Quick Scan then I would presume that whatever content you were scanning was too great to be completed within the 60 second limit allowed by your PHP settings.
If you would like to reinstall my plugin and try the scan again to confirm that the error is repeatable then relay to me the circumstances that led up to this error being generated then I can help you find a solution. You could also try other types of scans to see if some of them are able to complete without generating this error and note which ones work and which ones don’t. Also, you should know that it will not do any harm to your site by generating this error, it is simply reporting that the max time limit was reached and the only negative implication of that is that the scan you were running was unable to be completed.
If I were to guess at a possible solution, based on only the data available from your first post here, then I would suggest that your issue may be resolved by simply increasing the max_execution_time value in your php.ini file on your server, maybe try 90 or 120 seconds to see if that makes any difference.
You can also contact me directly for support if you want to provide any sensitive details that you would rather not post on this public forum: eli AT gotmls DOT net
Yes, alternatively you could just add the cache folder to the list of directories to be skipped and the scan will simply skip that folder. Just type “cache” in that field on the settings page (no quotes).
Keep in mind that will leave the cache folder as a potential place for malicious code to hide. Also, note that if you were to get some kind of infection then your cache might contain replicas of that script and should be cleared out anyway.
Check that URL that is giving the error in your browser console. If you open that URL in a new tab then you should see Javascript rendered as the result of that URL, but if there is any HTML on that page then it is likely injected from another source. Please send me the output of that URL and I can help you figure out what is crashing that script.
I have just verified that the current version available for download is the same code as when I released it. There is no malware in that code, so the plugin source has not been compromised. However, it is possible that the copy of the index.php file that you had in the folder public_html/wp-content/plugins/elisqlreports/ was somehow injected with malware on your server, maybe even before you tried to install my plugin, or this might have just been a false positive. Either way, I would love to take a look at the code that was in that file, and also any detailed reports from your hosting provider about what kind of threat they found in that file.
Can you please contact me directly and help me get in contact with the SiteGround support team that you dealt with on this issue?
eli AT gotmls DOT net
The MIME Type on that call that would be returned from my plugin is “text/javascript”. If the call is returning HTML it must be because of other code that is interrupting my scan code or injecting some other output into the returned Javascript. Have you checked for related errors in the error_log files on the server?
Maybe also try opening that URL in another tab in your browser and view the source to see what the output contains. You can send me the output so that I can figure out where the code is getting hijacked if you want.
eli AT gotmls DOT net
I released the update last week. Please let me know if there is anything else.
I’m glad my plugin was helpful in removing this threat for you. With the added protection in place let’s hope you will not need to worry about any further exploits. If you find any more security concerns then please feel free to contact me again for further support or advice.
Thanks for sending me that code. I have confirmed that it is in fact a malicious threat and you should let my plugin perform the automatic fix or else just delete that whole folder off your server. If you delete it manually then make sure to get the file timestamps first (you will want to know when that file was last changed/modified).
The more important issue is to determine how that plugin got on there in the first place. You should check log files on the server to see if there was any suspicious activity at the exact time that this malicious file was installed (that is why you want to get the timestamps before deleting files). You should also check your WP Users page for any unrecognized users (especially administrators). If you have FTP logs then you can also check those for any connections that are unaccounted for and might have been used to upload this malware.
At this point it’s also a good idea to change all your passwords for all admin users, FTP user, control panel access, and any other means that you have of connecting to your server.
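The timestamp-then-logs check described in the reply above, as an added example that is not part of the original post or of the plugin's code. It assumes the web server writes the Apache/Nginx combined log format; the function names, the sample log lines and the plugin path in them are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:03:14:40 +0000] "GET /wp-content/plugins/example-plugin/example.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client IP, [timestamp], "METHOD URL PROTOCOL", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def file_timestamps(folder):
    """Record mtime/ctime (UTC) for every file under folder, before anything is deleted."""
    out = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks planted in the folder
            out[path] = {
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc),
            }
    return out

def requests_near(log_text, when, window_minutes=5):
    """Return (time, ip, method, url, status) for log entries within the window around `when`."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, stamp, method, url, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            hits.append((ts, ip, method, url, int(status)))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed modification time standing in for a value taken from file_timestamps().
    suspect_time = datetime(2024, 3, 12, 3, 14, 5, tzinfo=timezone.utc)
    for hit in requests_near(SAMPLE_LOG, suspect_time):
        print(*hit)
```

Save the output of file_timestamps() somewhere outside the web root before removing the folder, since a file's modification time can be altered by whoever wrote it and the inode change time is a useful second reference.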
I am not familiar with any plugin path that uses wp-content/plugins/wp-compat/wp-compat.php so I would need to see the contents of this file to determine if this is really a threat that is not getting fully cleaned or if it is a False Positive. Can you please send me that file as an attachment directly to my email address or upload it somewhere that I could download it from so that I can check it out thoroughly?
You can contact me directly here: eli AT gotmls DOT net
If there are other files in that plugins/wp-compat/ folder please include those as well.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Skipped files
- Without more info I can only assume that you must not have the “Database Injection” checked under “What to look for:”, but I cannot make any better guesses without seeing more of your settings. Your screenshots are so specifically cropped in on a very small section of the screen that there is not enough data for me to determine anything other than that it does appear to be skipping the Database.
- That is weird indeed. Given the assumption from Question #1 I would be inclined to suggest the possibility that you have not downloaded any of the definition updates and are possibly only scanning for “Potential Threats”. If this is the case then you need to download the latest definition updates and then run another Complete Scan with all the categories in the first column checked, then I would bet that it will find this undetected threat. If not then please send me as much data about the scan settings and all the results from that scan, as well as any known info about this infection or any affected files that you have found.
You can also contact me directly with any data that you feel is too personal to share on this public forum:
eli AT gotmls DOT net
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Skipped files
Thanks for the screenshot! So it looks like the plugins folder is not being skipped because all the files listed there (that are being skipped) are in sub-directories of plugin folders that are inside the “plugins” folder. You can hover your mouse over any of those skipped files and it will tell you why it was skipped, but from the file extension I can tell you that those in the screenshot are likely all being skipped because they are SVG files (which are images) and cannot contain executable code to be executed directly by your server. You can change the default list of file extensions to be skipped but that would just make the scan take a lot longer and use a lot more of your server’s resources for no reason.
Hi Andy,
I fixed that error on line 823 by changing:
if ($GLOBALS["ELISQLREPORTS"]["settings_array"]["menu_display"] || ($_GET["page"] == $Rslug))
to:
if ($GLOBALS["ELISQLREPORTS"]["settings_array"]["menu_display"] || (isset($_GET["page"]) && $_GET["page"] == $Rslug))
… but I have not released the update yet because I am still working on another feature which I think you could use to get the same effect as a confirmation control. I am adding an optional password protection feature for each report that can be set and applied individually and would thus require the end user to perform an additional step before the report is executed. I suppose you could publish the password on the page with the report if you wanted anyone to be able to unlock it and that extra step would prevent the report from running until it was confirmed with the password. What do you think, would that be useful to you?
If you just need the fix for the error you initially reported to be fixed then you can make the change illustrated above to the plugins/elisqlreports/index.php file on line 823 in your current copy of the plugin and then update to the new release once I have finished and tested all the new changes.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Possible false positives?
Thanks for reporting this! I have confirmed this False Positive and corrected the last definition update with a new definition just released (version P6FEO). After downloading the new definitions please run the scan again and confirm that it no longer finds and flags these files as Known Threats.
Sorry for the inconvenience and thanks again for reporting this issue!
I see the undefined array key, but I cannot recreate that error in my logs. Can you tell me what URL you are getting this error on and what version of PHP you are using?