Forum Replies Created

Viewing 15 replies - 436 through 450 (of 2,029 total)
  • Plugin Author Eli

    (@scheeeli)

    Ok, I see the live site now…

    The first thing I noticed was this error:
    Fatal error: Uncaught Error: Call to undefined function wp_foots() in …wp-content/themes/genesis/footer.php on line 56

    I didn’t see that redirect script until I looked at some of the sub-pages. Now I see that the remaining malicious scripts were probably injected directly into your page content.

    I have added these new script references to my definition updates so they should be found by the Complete Scan now, and you can remove them using the Automatic Fix.

    If they are still not found then please let me know and I will look for another source for this malicious output.

    Plugin Author Eli

    (@scheeeli)

    Sorry, but I still only see your holding page so I can’t see any signs that your site is still infected.

    What specifically are you seeing that indicates that your site is still infected?

    Plugin Author Eli

    (@scheeeli)

    It looks like it cleaned some stuff, did you “Force a Re-scan” to clear the cache on that sucuri page after you cleaned the site?

    It looks like you just have a holding page up now. How do you know that you are still infected?

    This threat is usually triggered from a malicious include in your theme’s functions.php file. Can you check the Anti-Malware Quarantine to see if that was found and cleaned?

    If you want to share anything with me that you don’t want to post on this public forum then you can email me directly:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Sorry @minhternet,
    I did my best to get a moderator to help you with the edit you wanted but I think I might have pissed her off (Sorry Jan, just trying to help Minh out).

    Anyway, I would suggest that you at least change your admin username again so that this info you posted would not help someone to brute-force your password.

    Plugin Author Eli

    (@scheeeli)

    @jdembowski,
    I think that the POST_log is the most private value that should be removed.

    Plugin Author Eli

    (@scheeeli)

    Ok, got your email, thanks for confirming that deactivating the “false blog admin” protection in the firewall restored the full functionality and there are no more CORS errors.

    It looks like this protection might interfere with any plugin that uses the 3rd-party “Freemius class” that has not been since before 2016.

    I am trying to find a good way to locate this class in plugins and determine in which ones this exploit is still a vulnerability.

    Please let me know if you can figure out which of your plugins uses this Freemius class.

    Plugin Author Eli

    (@scheeeli)

    Thanks for reporting this. I would like to verify that this was isolated to a single Firewall rule violation and confirm that it was due to a vulnerability in another plugin.

    First, you would only need to Disable the “False blog_admin” Protection in the Firewall Options to suspend this odd behavior, it is not necessary that you deactivate the whole GOTMLS plugin.

    More important, is that this firewall rule is in place to stop the known exploit of a plugin called “WP Cost Estimation & Payment Forms Builder”. This plugin can be exploited and used by anyone (even a non-authenticated user) to upload and execute PHP code. This particular firewall rule prevents this exploit but it may interfere with the functionality of this vulnerable plugin as well.

    If you are willing to help me get to the bottom of this then I would like to work with you to verify the deficiencies and improve this firewall rule.

    Can you please confirm if you have the WP Cost Estimation & Payment Forms Builder plugin installed on this site?

    Also, would you be willing to re-activate the GOTMLS plugin and then disable the False blog_admin Protection in the Firewall Options to make sure that everything works as expected?

    Plugin Author Eli

    (@scheeeli)

    Don’t you think that the POST_log is the most private value that should be removed?

    Plugin Author Eli

    (@scheeeli)

    It shows his POST_log (login) and REMOTE_ADDR mainly but the whole thing can be removed.

    Plugin Author Eli

    (@scheeeli)

    Thanks for your email. I am glad that you were able to get it working.

    Unfortunately, only a WP Moderator can edit your post now. I am tagging the following people who are moderators and might be able to help remove your private data from that URL that you posted.

    @jdembowski @macmanx @anevins @sterndata

    Plugin Author Eli

    (@scheeeli)

    Hi Minh,
    There were issues with the NO_HTTP_REFERER error coming up on some iPad devices but that was fixed in the latest version of my plugin and I’m not sure that it was even relevant to Firefox on OS X anyway, but I see that you are using an older version and so the first thing you should try is to update my plugin to the latest release. You can also try logging in with a different computer (I do not get that redirect page when I fail to login to your site from my PC).

    Secondly, there do seem to be some missing hidden fields on the login page for your site and it does not seem to be outputting the right HTML form if you have the Brute-force Login protection turned on in the Anti-Malware Fire Settings. There must be some other plugin or manipulative code that is altering your login page and interfering with my plugin. Do you have any caching plugin enabled?

    You should start by deactivating and deleting my plugin from your site. You can simply delete the gotmls folder from the plugins directory on your server using FTP or the File Manager in your hosting control panel if you cannot get into your wp-admin. Then you can login to your wp-admin and install my Anti-Malware plugin again. Then I would suggest that you go to the Firewall Options and Disable the Brute-Force protection right away. Then test your login page and re-enable the protection while you can test the login from the original Mac while you are still logged in and can disable it again if it still does not work. You can also do more testing by disabling any caching on your site and deactivating any other plugins that might be interfering.

    Please let me know what you find, and if you need any more help, you can also contact me directly:
    eli AT gotmls DOT net
    … especially if you want to share any info that you don’t want on this public forum. You only needed to provide me with the error number 147229470 for me to know what the problem was, all that other info in the safe-load URL that you posted might give away personal details that you don’t really want to have out there. If you can I would suggest editing your post and removing that safe-load URL.

    Plugin Author Eli

    (@scheeeli)

    Your inability to upload new posts does sound unrelated as my plug-in has nothing to do with that functionality. But delete my plug-in and confirm that is unrelated.

    I am not sure what that first image suggests and I don’t understand what you mean by “met by this icon when I enter the plugin section”.

    The query seems successful but reports Zero Records were updated so I’m not sure if that’s because you already ran it before that or you are running it on the wrong table. Are you sure that wp8m_options is the right table?

    Make sure that you have deleted the entire plug-in from your site, and confirm that everything works as expected. Then try reinstalling the newest version of the plugin from the add plug-in feature on the plugins menu within your wp-admin.

    If you need to send me any data that you’re not comfortable posting here you can contact me directly:
    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Make sure to use regular single quotes around the last value in the SQL string, not the fancy curly quotes that this forum uses:

    DELETE FROM wp_options WHERE option_name LIKE 'gotmls_definitions_%'

    Also, if you try the new version you cannot just replace the older version with the new files via FTP. The old version of the plugin must be deleted, and then you can go into your wp-admin and install the new version through your plugins menu. Then, when you activate the new plugin it will purge the old definitions.

    Plugin Author Eli

    (@scheeeli)

    You can now download version 4.18.63 to force the updates to reset which will fix this issue.

    Plugin Author Eli

    (@scheeeli)

    As I said, you can delete all the GOTMLS definitions in your DB and then you can reactivate the plugin.

    In PhpMyAdmin you can run a query like this to purge the old updates:
    DELETE FROM wp_options WHERE option_name LIKE 'gotmls_definitions_%'
