Forum Replies Created

Viewing 15 replies - 346 through 360 (of 2,029 total)
  • Plugin Author Eli

    (@scheeeli)

    Hi @jaroslawistok,
    This is a serious issue that you are reporting and I offer full support for my plugin to make sure that any issues like this are resolved quickly and completely. It is extremely important to me that we help each other get to the bottom of this so that whatever went wrong can be corrected and I can make sure that this does not happen again to anyone else with the same situation as you have here.

    Would you please be willing to work with me to find a solution to this issue that you had? I would like to review the logs from my plugin and any other data that you can give me that might help me fix this issue. I would also like to understand why the recovery link didn’t work for you. Can you please contact me on my own support forum or email me directly for more support?

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    @josecarlostf,
    Just wanted to say thanks for your contribution here. Your advice is spot-on and I want to agree with you on all points.

    I especially want to reinforce that downloading plugins from an unofficial source is the easiest way to get your site hacked 😉

    Plugin Author Eli

    (@scheeeli)

    There is one important distinction that needs to be made before we can know how to proceed. You have said “can’t remove” the infection, and the infection “comes back”, and we need to know which one it is.

    How long after the cleaning did you check the file?

    Can you verify if that file was clean right after the fix was applied?

    Can you verify if the fix failed to clean the file at all?

    If the answer to any of these is unclean then you can send me a screenshot of the scan results, the fix results, the quarantine, and the stat results on that file (specifically the Changed and Modified timestamps on that file). Then I can determine what is actually going on here.

    Plugin Author Eli

    (@scheeeli)

    The URL https://nkfs.org/support-us/volunteer-programmes/ is not blocked by the Directory Traversal protection in my firewall. It is one of the URLs that your browser POSTs the update to in your wp-admin that is blocked (either post.php or admin-ajax.php) and I would need to know what variables are being posted to those URLs to be able to whitelist those calls if they are not really Directory Traversal attacks. Can you please load the Network tab in your browser’s Inspector while you are clicking the update button with the firewall rule enabled so that we can see which URL is being redirected?
    Then can you also Inspect the source and copy the HTML for the <FORM> and all the inputs within it so that I can see which variables are being flagged as a Directory Traversal attack?

    You can email this information directly to me if it contains any sensitive data that you don’t want to post on this forum:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    That means that one of the variables that is being posted to that page looks like a Directory Traversal attack. Can you tell me what the post URL is and what data is being posted to that page?

    In the meantime you can disable the Directory Traversal protection on the Firewall Options page of the Anti-Malware Settings in your WP Admin.

    Plugin Author Eli

    (@scheeeli)

    @sahilkumargaba,
    If you are charging a fee and are unwilling to admit that on this forum then you already know that this is not the place for your post. If you have a solution that you would like to share with others here then please post the full details of your solution here.

    Also, please note that my plugin can also automatically fix this threat and completely remove the malware from your site if you have the latest definition updates, so what are you offering that they cannot already get for free from my plugin?

    Plugin Author Eli

    (@scheeeli)

    Here is an outline of the infection you are seeing:
    A malicious class called WPPlugingsOptions is created in the newly planted files ‘/inc/inc.php’ and ‘/inc/class_theme-functions.php’, then those files are included in your theme execution with a few lines of PHP code injected into the top of your theme’s block-editor.php and class-css.php files.

    Your solution works fine for removing the infection and my plugin will also remove this threat from your theme. The bigger issue here is that this infection keeps coming back and there are a number of reasons why that might be happening.

    The most likely cause of repeated infections if your site is on a shared hosting account is that there is another infected site on that server that is not being cleaned and is responsible for continuing to reinfect your site (and probably other sites on that server too). Less likely but still common enough is the possibility that your site has some major security flaw or vulnerability that has been exploited to plant these files, and this infection could continue until the breach is found and fixed.

    The only way to be sure of where this infection is coming from is to do a little searching in the log files on your server. The first and most important thing you will need is the exact times that the infections occurred. If you used my plugin to clean up these infections then the original infection times will be recorded in the Anti-Malware Quarantine in your wp-admin. If you have been cleaning this threat manually by deleting these files and replacing your theme from the original source then you have erased all the evidence that you would need to find the cause and you will need to wait until you get infected again, then stat those infected files before you clean them so that you get the exact infection times from the changed/modified times on the altered files.

    Armed with the knowledge of the precise time of the infection you should be able to find something in the server logs to indicate how the infection was written to your site. You may need help from your hosting provider to access and/or make sense of the information in the log files. If your hosting provider is unwilling or unable to help you with this investigation then I would strongly advise that you find a new host. A secure host with proactive helpful support can make all the difference in stopping these attacks.

    Plugin Author Eli

    (@scheeeli)

    @ahmedmustafahashmi,
    Please read my response this time: if you want help with your specific issue you should post some details so that we can provide helpful suggestions relevant to your problem. It does no good to just say “same here” when everyone else is presenting specific problems and getting solutions that should be helping you too if you have the same issue. Posting a URL to your infected pages or screenshots of the scan results can also be very helpful.

    @neocraft,
    As you describe your infection: no file named monit.php; no page at the URL …/wp-admin/options-general.php?page=monit ; and the scripts you found in your theme’s header.php or functions.php file. So, this is not the same infection that everyone else is talking about here in this thread. You don’t have these scripts injected into your DB, you have some hacker writing these scripts into your theme files. These scripts generate ads from an ad network and hackers are making money by injecting ads with their key into thousands of sites using many different methods, not just this hidden monit plugin. However, I have added these new variants to my definition updates so that those ads can be automatically removed from your theme files too using my plugin now.

    @descargandolo,
    If you can still access the setting page at …/wp-admin/options-general.php?page=monit then you have not removed the hidden plugin yet. You need to remove the plugin plus all the script tags that were injected into your DB content. My plugin should be able to do all this for you automatically when you run the complete scan if you have downloaded the latest definition updates.

    @josecarlostf,
    Yes, hosting matters … a lot. Many of these instances of people getting reinfected again after they have completely cleaned their site are because they are on a shared hosting environment that simply allows these types of infections to spread from one site to another. This kind of circular infection pattern can continue indefinitely if it is not addressed on all the affected sites at once. For those that cannot stay clean and keep getting hit with the same threat it is sometimes best to move to a more secure hosting environment.

    @sahilkumargaba,
    Dude, I told you before. This is not a place to phish for leads. If you need work then advertise, but not here. If you have a solution then post it already and stop trying to bait these victims into emailing you for some miraculous fix. If the forum moderators see these posts of yours they will probably ban you. I see you have been phishing on other threads too and even asking for other people’s wp-admin logins on the forum, not cool.

    Plugin Author Eli

    (@scheeeli)

    @superzambezi,
    Thanks for posting the full contents of that file. This was not at all the same threat as everyone else in this thread was talking about, but it was a new threat that I had not seen before, so I added it to my definition updates and it too can now be automatically found and fixed using my plugin with the latest definitions.

    @tozaorg,
    Your screenshots only show a bit of the malicious code but it looks like the same thing almost everyone else here was dealing with, and it is already in my definitions, so if you make sure that you have the latest definition updates and run the complete scan again then my plugin should find it and remove it. If you have anything else that was not found by my plugin then please post the full contents of the infected files or send them to me directly: eli AT gotmls DOT net

    @sahilkumargaba,
    Really? It sounds like you are just advertising yourself here and were smart enough to not mention money up front. If you have something helpful to contribute or if you know of a specific solution that worked for you then please feel free to post the details here, as @cyrse did, because it might be helpful to others who are having the same issue.

    @ahmedmustafahashmi,
    If your issue is truly the same then something here should have worked for you as this issue is already resolved. Also, if you want more help with your specific issue you should post more details so that we can assess your situation and provide helpful suggestions. Posting URLs to relevant info or screenshots of the scan results can usually be very helpful too.

    Also, please note that this topic was resolved because my plugin can detect and remove this threat for you automatically, and if you are having any issues with my plugin you can also contact me directly for free support or you can post your questions on my own forum at https://gotmls.net/support/forum/

    Plugin Author Eli

    (@scheeeli)

    @sahilkumargaba,
    Thank you for posting this. While this additional info might be helpful to some, I feel it’s important to note that this topic has been marked resolved because my plugin can fully remove these DB injections you listed here, as well as the PHP code that was responsible for injecting these scripts into your database.

    Also, Sucuri has their own cache of their scan results so you still need to “Force a Re-scan” on the Sucuri page to see their updated scan results.

    Plugin Author Eli

    (@scheeeli)

    Great, thanks for confirming that the new update works.

    Yes, Sucuri caches their scan results so you need to “Force a Re-scan” to see the updated scan results.

    Send me a link to the results if there is anything else I should look at.

    Plugin Author Eli

    (@scheeeli)

    Hi everyone,
    Big thanks to Floris for sending me the contents of this monit.php file. I have added this new threat to my definition update so it can now be automatically removed using my plugin. Please download the latest definition updates and run the complete scan to remove this threat 😉

    Plugin Author Eli

    (@scheeeli)

    There is a hidden plugin (usually in a file called monit.php) that creates these entries in your database. I have added this new threat to my definition update so the source of this threat can now be automatically removed using my plugin. Please download the latest definition updates and run the complete scan to remove this threat 😉

    Plugin Author Eli

    (@scheeeli)

    Thanks for posting that solution. That will work when the file is called monit.php but hackers often change the names of the files they use or copy the same malicious code into other files to avoid detection. Is there any chance that you could send me the contents of that monit.php file so that I can add this threat to my definition update? Then it can be automatically removed no matter what file it’s injected into 😉

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Hi everyone,
    Please read and follow the suggestions in my first reply before flooding this thread with “same”, “same”, “same”…

    If you want to find the source of this infection then follow these steps and report back to me with the results.

    I will be the one to add this to the definition updates and post the solution once someone sends me the source code for this new threat. I have had multiple reports of similar infections but nobody has bothered to follow the trail back to script that is generating these injections.

    Here are three things you can do to trace these infections back to the source of the malicious code:

    1. When you see the admin_ips.txt file, but before you make any changes to it (or delete it), stat the file to get the modified time. Then you can cross-reference the modified timestamp with the entries in the access_log files on your server. This may point you to the script that is responsible for writing that file.

    2. Use grep, or some equivalent text search command on your server, to locate any file that contains the text “admin_ips.txt”. If you are a coder and familiar with WordPress then you could also look for any “wp_footer” hook references and weed out all the legitimate functions to find the misused function that has added this hook to inject this malicious code.

    3. You could try the core files definitions as there is some indication that this code might have been injected into WP Core Files.
    Please contact me directly if you would like more personalized support in tracking down the source of this infection:
    eli AT gotmls DOT net
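The tracing steps above (stat the dropped file, cross-reference its modification time with the access_log, grep the site for the file name and for wp_footer hooks), scripted as an added example; this is not the plugin author's code. It assumes GNU coreutils (stat -c, date -d, touch -d), and every file, path and log line it uses is a constructed sample built in a temp directory.

```shell
#!/bin/sh
# Added example (not the plugin author's or project's code) scripting the
# post's tracing steps: stat the dropped file, cross-reference its mtime with
# the access_log, then grep the site for the file name and wp_footer hooks.
# Assumes GNU coreutils (stat -c, date -d, touch -d); all data is constructed.
set -u

# Step 1: modification time of a file, as a Unix epoch ("stat the file").
file_mtime() { stat -c %Y "$1"; }

# Convert an access_log timestamp such as "04/Mar/2021:10:15:30 +0000" to epoch.
log_epoch() {
  date -d "$(printf '%s' "$1" | sed 's|^\([0-9]*\)/\([A-Za-z]*\)/\([0-9]*\):\([0-9:]*\) |\1 \2 \3 \4 |')" +%s
}

# Print access_log lines whose timestamp lies within WINDOW seconds of EPOCH.
# Usage: requests_near LOGFILE EPOCH WINDOW
requests_near() {
  log=$1; epoch=$2; win=$3
  while IFS= read -r line; do
    ts=$(printf '%s' "$line" | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
    [ -n "$ts" ] || continue
    d=$(( $(log_epoch "$ts") - epoch )); d=${d#-}       # absolute difference
    if [ "$d" -le "$win" ]; then printf '%s\n' "$line"; fi
  done < "$log"
}

# Step 2: files under DIR whose contents match the extended regex PATTERN.
references_in() { grep -rlE -e "$2" "$1" | sort; }

# Constructed sample site: one planted file, one clean theme file, one
# suspicious theme file that mentions the planted file, and a short access_log.
WORK=$(mktemp -d); SITE=$WORK/site; trap 'rm -rf "$WORK"' EXIT
mkdir -p "$SITE/wp-content/themes/demo"
printf '203.0.113.9\n' > "$SITE/admin_ips.txt"
touch -d @1614852930 "$SITE/admin_ips.txt"          # 04/Mar/2021:10:15:30 +0000
printf "<?php add_action('wp_footer', 'demo_footer'); // legitimate theme hook\n" \
  > "$SITE/wp-content/themes/demo/functions.php"
printf "<?php add_action('wp_footer', 'x1'); // stand-in for code that writes admin_ips.txt\n" \
  > "$SITE/wp-content/themes/demo/inc.php"
cat > "$WORK/access_log" <<'EOF'
198.51.100.7 - - [04/Mar/2021:09:58:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [04/Mar/2021:10:15:29 +0000] "POST /wp-content/themes/demo/inc.php HTTP/1.1" 200 12
192.0.2.44 - - [04/Mar/2021:10:40:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
EOF

# Walk the steps: the request one second before the mtime is the lead to chase.
MT=$(file_mtime "$SITE/admin_ips.txt"); echo "admin_ips.txt mtime: $MT"
requests_near "$WORK/access_log" "$MT" 60
references_in "$SITE" 'admin_ips\.txt|wp_footer'
```

On a real server the same functions run against the actual dropped file, the host's access_log and the WordPress root; widen the window if the server clock and log timestamps are not in step.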
