Forum Replies Created

Viewing 15 replies - 331 through 345 (of 2,029 total)
  • Plugin Author Eli

    (@scheeeli)

    Thanks for reporting this. I have examined that plugin and the file in question is not a threat. This is a false positive from a definition that I just released yesterday, so I have corrected this definition and released a new definition update which will not flag that file as a threat. Please download the latest definition updates and let me know if that solved it for you. Also, if you have already used my plugin to Auto-Fix this file on your sites you can go to the Anti-Malware Quarantine page in your wp-admin and restore that file to repair the full functionality of the code-snippets plugin.

    Plugin Author Eli

    (@scheeeli)

    It took some searching but I found the file …/controllers/twofa/mo2fa_inline_registration.php in the plugin called miniorange-2-factor-authentication. Next time please give the full plugin name or a link to the full contents of the file so that I can tell what you are referring to.

    This does look like a false positive so I would suggest that you whitelist this file and do not fix it using my plugin. The problem that was found was that the developers put a lot of their JavaScript tags after the closing </body> tag. This is improper HTML coding, nothing should ever go between the </body> and </html> tags. It is usually malicious scripts that are injected into your HTML after the closing </body> tag. This kind of sloppy HTML coding is usually forgiven by most browsers and it ends up working the way it was intended (which is how hackers get away with executing their scripts there) but it is improper and should really be moved inside the BODY. I will contact the developer about this so that they may change their code in the next release.
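The heuristic described in the reply above (script elements placed after the closing </body> tag), as an added Python example. It is not code from Eli's plugin or from the miniorange plugin; the HTML sample is constructed here, and the check is deliberately as blunt as the reply says the real definition was, so it flags legitimate sloppy markup as readily as an injected script.

```python
import re

# Constructed sample page: one script inside <body> (fine) and two after
# </body> (the pattern the reply describes). Not taken from any real plugin.
SAMPLE_HTML = """<html><head><title>t</title></head>
<body><p>hello</p>
<script src="/wp-content/plugins/example/a.js"></script>
</body>
<script>var x = 1;</script>
<script src="https://cdn.example.com/b.js"></script>
</html>"""

BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def scripts_after_body(html):
    """Return (line_number, script_element) for every <script> that appears
    after the last </body> in the document.

    The last </body> is used so that a stray "</body>" inside an earlier
    inline script does not cut the page short. Nothing is said about whether
    the scripts are malicious: that decision, as the reply notes, needs a
    human (or a whitelist) because browsers happily run code placed here.
    """
    closes = list(BODY_CLOSE_RE.finditer(html))
    if not closes:
        return []
    start = closes[-1].end()
    tail = html[start:]
    hits = []
    for m in SCRIPT_RE.finditer(tail):
        line_no = html.count("\n", 0, start + m.start()) + 1
        hits.append((line_no, m.group(0)))
    return hits


if __name__ == "__main__":
    for line_no, snippet in scripts_after_body(SAMPLE_HTML):
        print(f"line {line_no}: script after </body>: {snippet[:60]}")
```

Run against a saved copy of the rendered page rather than the PHP source, since the plugin builds the markup at request time; a hit only tells you where to look, not that the site is compromised.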

    Plugin Author Eli

    (@scheeeli)

    This topic would be more appropriate on my site as the WordPress forum is not for premium issues or discussing financial arrangements. Hopefully they won’t find it too inappropriate if I answer your question by confirming that making a donation on my site is exactly how you can unlock the premium features.

    Plugin Author Eli

    (@scheeeli)

    Oh, so this wasn’t actually malware, that’s good. Thanks for following up with your discovery and the solution here 😉

    Plugin Author Eli

    (@scheeeli)

    I replied to your email. I’m going to need a little more to go on, as I don’t see or hear the unwanted ads that you are referring to when I pull up your site in any of my browsers.

    Plugin Author Eli

    (@scheeeli)

    Yes, I would love to help with this. The screenshot would be a good start so that I can see that everything looks right.

    Also, if you can send me a screenshot of the page with the ads that you’re trying to remove that would help too.

    If you want to send me anything that you don’t want to post publicly then you can email me directly:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Is this script tag injected into your DB or added to a file on your server?

    Where did you find this script?

    I need the full context of this script in order to write a definition for it. Can you please send me the infected file?

    Plugin Author Eli

    (@scheeeli)

    What EICAR test file are you using?

    If you have downloaded the standard test file from https://www.eicar.org/ and uploaded that to your site to test my plugin then I can confirm that it will not identify that file as a threat, because it isn’t a threat to your site. Those test files are for binary malware of the kind that would be found on your PC by Windows based Anti-Malware software. Web-based malware is quite different and my plugin is designed to look for malicious code that would be executed by your server, not compiled binary code which will have no effect on your server 😉

    While binary malware cannot be remotely executed on a server and is therefore relatively safe to upload, I would strongly advise you not to upload any known PHP threats or any other malicious CGI/Perl/Python code that could be called remotely or accidentally executed on the server.

    Please let me know if you have any more questions on any of this.

    If I have misunderstood about what kind of EICAR test files you are using then please send me that file so that I can examine it and give you a better answer.

    Aloha, Eli

    Plugin Author Eli

    (@scheeeli)

    Those are good ideas. I have been wanting to integrate a ranking system for a while now but it would be a fundamental shift in my scan engine and I just haven’t had the time to prioritize it.

    Plugin Author Eli

    (@scheeeli)

    It’s not a bad idea, and I have considered it in the past. The biggest thing that keeps me from white-listing plugin files just because they match the origin install source is that there are sometimes plugins that contain malicious code or a security vulnerability in the source code that is available for download and the WordPress community (and sometimes the developer too) is unaware of the threat until it is discovered by another developer or a plugin like mine.

    There are also many plugin developers that do a poor job of maintaining the consistency of their own trunk and don’t know how to use the tags path correctly so it makes it hard for a 3rd-party like me to trust that the information in the repository correctly reflects the plugin files found on sites that have installed these plugins. It is also common for plugins to write new files into their own path after install and these cannot be assumed to be maliciously added or you would have too many false positives for that kind of scan to be trusted.

    Plugin Author Eli

    (@scheeeli)

    I don’t put plugins on any definition list. The various threat definitions are used to identify malicious code in any file, regardless of what directory it’s in (plugins or otherwise).

    The definition white-list is used to omit files that match a safe md5 hash (these files may otherwise have been flagged as malware but later found to be safe).

    The Core Files definitions are used to compare WP Core Files with the original installation source and search for alterations to the files, but that feature does not extend to plugins or themes.

    Please let me know if you have any more questions.

    Plugin Author Eli

    (@scheeeli)

    Hey @galdub,
    Thanks for chiming in.

    I’ve just checked the current trunk and I only see a couple of uses of “opacity:0” in this file:
    https://plugins.trac.ww.wp.xz.cn/browser/chaty/trunk/admin/assets/js/cht-scripts-heart.min.js

    Example:
    d+='<div class="get" style="opacity:0; position: absolute;width: 100%;text-align: center;"> <a href="https://premio.io/downloads/chaty/?utm_source=wpplugin" target="_blank" style=" font-size: 11px; top: -5px; position: relative; color: #8c8585;">Get Widget</a></div>'

    It looks like you are using opacity to fade DIVs in and out under certain conditions so I don’t see this as a malicious usage, that is why I have white-listed this file. It was being flagged before because a single anchor tag in a hidden div that links to an outside site is exactly what SEO Spam links look like (in general terms ;-)

    Plugin Author Eli

    (@scheeeli)

    Thanks @jaroslawistok,
    I just wanted to reply here, publicly, with my general findings and my solution in case it might help anyone else who had this issue. Much thanks for contacting me directly and providing all the info I needed to find the solution!!!

    So, it turns out that my plugin was flagging a file in the “Chaty” plugin as being a malicious threat because it uses an opacity of “0” in the style property to hide a link to their own website (which is exactly like so many SEO Spam hackers do to affect their back-links and your site’s reputation). I am still not sure how legitimate this practice is or how exactly they are using this in their code but I have whitelisted this file for now so that it does not cause any more problems for anyone else like it did with @jaroslawistok.

    After further research I found this review where the user complained that it “Puts an advert text and link everywhere”:
    https://ww.wp.xz.cn/support/topic/puts-an-advert-text-and-link-everywhere/

    Other than a few complaints the plugin gets mostly 5-star reviews and the author replied to this complaint with “we’ve removed the credit link”, so I’m not sure why they are still using hidden links to promote their site.

    Anyway, my plugin will not break this link any more unless I get more evidence that this is actually malicious, in which case I will then determine how to safely remove this link without causing any errors 😉
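The hidden-link pattern discussed in the two Chaty replies above, combined with the per-file md5 whitelist that the earlier reply on this page describes as the way false positives are suppressed, as an added Python example. This is not the plugin's own detection code: the sample string, the site host `example.org`, the function names and the extension of the check to `display:none` and `visibility:hidden` (which the replies do not mention) are all assumptions made here.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumed host of the site being scanned; any other host counts as "outside".
SITE_HOST = "example.org"

# Constructed sample in the shape the replies describe (a div hidden with
# opacity:0 wrapping an anchor to an outside domain). It is not the Chaty file.
SAMPLE_JS = (
    'd+=\'<div class="get" style="opacity:0; position: absolute;">'
    ' <a href="https://vendor.example.com/downloads/?utm_source=wpplugin"'
    ' target="_blank">Get Widget</a></div>\''
)

# Inline styles that make an element invisible. "opacity:0.5" is rejected
# because the lookahead refuses a digit or dot right after the zero.
HIDDEN_STYLE = (r"(?:opacity\s*:\s*0(?:\.0+)?(?![\d.])"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)")
HIDDEN_DIV_RE = re.compile(
    r'<div\b[^>]*style="[^"]*' + HIDDEN_STYLE + r'[^"]*"[^>]*>(.*?)</div>',
    re.IGNORECASE | re.DOTALL)
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"', re.IGNORECASE)


def is_external(href, site_host):
    """True when the link leaves the scanned site (relative URLs never do)."""
    host = urlparse(href).hostname
    if not host:
        return False
    return host != site_host and not host.endswith("." + site_host)


def hidden_external_links(content, site_host):
    """hrefs of anchors inside an invisible div that point off-site.

    Nested divs are cut at the first </div>; good enough for the one-anchor
    credit-link pattern, too coarse for a full DOM walk."""
    hits = []
    for div in HIDDEN_DIV_RE.finditer(content):
        for href in ANCHOR_RE.findall(div.group(1)):
            if is_external(href, site_host):
                hits.append(href)
    return hits


def file_md5(content):
    """Hash of the whole file, the key used for the whitelist."""
    return hashlib.md5(content.encode("utf-8")).hexdigest()


def scan(content, site_host, whitelist):
    """Flag hidden off-site links unless the exact file is whitelisted.

    Because the whitelist is keyed on the full-file hash, a new plugin
    release (or an attacker appending one byte) produces a fresh hash and
    the file is examined again rather than trusted by name."""
    if file_md5(content) in whitelist:
        return []
    return hidden_external_links(content, site_host)


if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_JS, SITE_HOST, set()))
    print("after whitelisting:", scan(SAMPLE_JS, SITE_HOST, {file_md5(SAMPLE_JS)}))
```

The same file is flagged on the first run and silenced on the second only because its hash was added to the whitelist; the detection rule itself is unchanged, which is the trade-off the reply describes.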

    Plugin Author Eli

    (@scheeeli)

    I understand that you might not have been able to wait for my response and that you would need to take every action you could to correct the error as fast as possible, but you didn’t even ask for help. I’m not saying you should have waited for me, I’m only saying that you could have at least reached out.

    As it is now, I am not actually asking for you to do all the same damage to your site but rather I am asking if you would be willing to take another look at it with me. You may have erased most of the evidence when you restored your backup but maybe not all of it. If there is anything left I’m sure that it can help me piece together what might have gone wrong.

    You can also run the scan again and let me see the results without running the automatic fix, so there will be no risk to you of messing things up again.

    The .ICO files are not dangerous by themselves but they can contain malicious code, and when that code is executed by including the icon files from within other PHP files on your site then you have a real problem.

    I also want to point out that my plugin does not delete these files because that would certainly cause the type of failure that you originally described. Instead my plugin only removes the malicious code and the include lines that execute that code, so it could be that you started to have problems when someone else (or one of those other plugins) deleted those files that were included. That would also explain why the restore failed because my plugin could not put the contents of those files back if the files were no longer there. I am just hypothesizing based on the limited info that you have provided thus far, but if you were willing to try my scan again (without actually allowing it to “fix” anything this time) then I would have a lot more info to go on.
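The .ICO pattern the reply above describes (PHP code hidden in an icon file and executed by an include line in a real PHP file), as an added Python example that is not Eli's plugin code. The example pairs the two halves of the reply: it finds PHP files that include a non-PHP file, and then checks whether the included file actually carries a PHP open tag, so a genuinely binary icon is not reported. The directory tree it scans is constructed inline in a temporary directory; the file names, the extension list and the PHP-open-tag test are assumptions made here.

```python
import re
import tempfile
from pathlib import Path

# include/require of a file whose extension says "static asset", optionally
# prefixed with __DIR__ . or dirname(__FILE__) . as droppers commonly write it.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*"
    r"(__DIR__\s*\.\s*|dirname\s*\(\s*__FILE__\s*\)\s*\.\s*)?"
    r"['\"]([^'\"]+\.(?:ico|png|jpe?g|gif|txt|log))['\"]",
    re.IGNORECASE)
# A file that should be pure binary has no business containing this.
PHP_OPEN_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def suspicious_includes(php_source):
    """(path, anchored_to_script_dir) for each include of a non-PHP file."""
    return [(m.group(2), m.group(1) is not None)
            for m in INCLUDE_RE.finditer(php_source)]


def contains_php(path):
    """True when a supposedly static file carries a PHP open tag."""
    return PHP_OPEN_RE.search(Path(path).read_bytes()) is not None


def resolve_include(php_file, inc, anchored):
    """Turn the include string into a path, honouring __DIR__-style prefixes."""
    if anchored:
        return php_file.parent / inc.lstrip("/")
    if inc.startswith("/"):
        return Path(inc)
    return php_file.parent / inc


def scan_tree(root):
    """Report (php_file, included_path) where the included asset holds PHP code."""
    root = Path(root)
    findings = []
    for php in sorted(root.rglob("*.php")):
        src = php.read_text(errors="replace")
        for inc, anchored in suspicious_includes(src):
            target = resolve_include(php, inc, anchored)
            if target.exists() and contains_php(target):
                findings.append((str(php.relative_to(root)), inc))
    return findings


def build_sample_tree():
    """Constructed sample: one infected icon + loader, one clean icon + loader."""
    d = Path(tempfile.mkdtemp())
    # Icon header bytes followed by a PHP payload (inert placeholder here).
    (d / "favicon_1a2b3c.ico").write_bytes(
        b"\x00\x00\x01\x00<?php /* payload would be here */ echo 'x'; ?>")
    (d / "clean.ico").write_bytes(b"\x00\x00\x01\x00binary icon data only")
    (d / "wp-load.php").write_text(
        "<?php\n@include __DIR__ . '/favicon_1a2b3c.ico';\nrequire 'functions.php';\n")
    (d / "theme.php").write_text("<?php\nrequire_once 'clean.ico';\n")
    return str(d)


if __name__ == "__main__":
    for php_file, inc in scan_tree(build_sample_tree()):
        print(f"{php_file} includes {inc}, which contains PHP code")
```

Only wp-load.php is reported: theme.php also includes an icon, but clean.ico has no PHP tag, which is the distinction the reply draws between a harmless .ICO and one that becomes a real problem once included. Cleaning means removing the include line and the payload from the icon, not deleting the icon file, or the include in the loader fails exactly as described.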

    Plugin Author Eli

    (@scheeeli)

    Of course I don’t like bad reviews, who does, but more importantly: I don’t like knowing that there was a potential problem with my plugin that I cannot explain or fix. So I ask for your help in finding the cause of this because it is extremely important for me to get to the bottom of this issue. As you are the only person who has reported this issue I beg you to let me help you with this so that I can personally find a resolution that is satisfactory. Otherwise, something like this could possibly happen to someone else who has a similar situation as you did.

    Mainly, I just can’t get my head around what went wrong with the Restoration from your Quarantine. This is the fail-safe that I have designed to work if all else fails, and I can’t understand from your description how it went wrong. If you truly restored all files from the quarantine and you got the green test results then your site must have been back to the way it was before my plugin cleaned it. Thus, I have to assume that there was some other reason that coincided with the cleaning or the restoring that was responsible for your remaining functionality and layout issues.

    If you would be willing to work with me then you might be surprised at what we will be able to discover. Even if it only uncovers more about how your site was hacked in the first place or what these infected files did to break your site.

    Also, I don’t know why you didn’t contact me at the first sign of trouble, because I could have helped you then to get the proper files recovered and fix the original problem too, and all without relying on your backup (which seems to have caused you some grief as there was still a lot of work to be done even after the backup). All that might have been avoided if you had asked for my help before you completely gave up.

    I know that this all might sound superfluous now but if you will please give me a chance I think we can still salvage something of value for both of us if we work together to better understand what happened. All I ask is that you give me a chance to properly support my plugin before you write it off.
