Forum Replies Created

Viewing 15 replies - 91 through 105 (of 2,028 total)
  • Plugin Author Eli

    (@scheeeli)

    Is “ERR_SSL_BAD_RECORD_MAC_ALERT” the error you are getting?

    If your issue is ERR_SSL_BAD_RECORD_MAC_ALERT then it is likely caused by your own computer or browser being out of date.

    Have you tried getting the updates on these sites from another computer or even from your phone browser?

    Plugin Author Eli

    (@scheeeli)

    I cannot recreate this issue on any of my test sites.

    What definition version do you currently have?

    What is the URL of the “page not found” error?

    Can you please send me a screenshot?

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Hi Bruno,

    That mailster.co is a premium plugin so I cannot be sure without seeing the rest of the code in that file. If it is only the one ini_set that is highlighted then yes, this is probably a False Positive. I have updated the definitions for this threat and, if the code is just as you say here, then it will not be flagged as a known threat any more.

    If you have any further troubles with this after downloading the latest definition updates then please send me a copy of the whole file so that I can address the issue more completely.

    Plugin Author Eli

    (@scheeeli)

    Your website is loading fine for me. Maybe your browser is too busy trying to load the scan page to load other pages. Try pausing the scan and then you should be able to load other pages on the site. Some browsers just won’t load two pages at the same time from the same site, they get buffered and take turns loading instead.

    As for the issue of getting stuck on the DB Scan, it should be breaking down the DB Scan into smaller jobs and searching for one type of malicious link or script at a time. Is there one in particular that it is getting stuck on?

    Can you send me a screenshot or video capture of the scan?

    Plugin Author Eli

    (@scheeeli)

    I guess you could say that. The fact is that the code in that file does actually match the pattern of the known threat that has been used to infect other sites. It is essentially a back-door not so much unlike any other back-door that a hacker might use to exploit a website. The only difference here is that this back-door is designed to be used for a specific purpose by users like you to easily install other new plugin code from third-party sources like github.

    I would be very curious to know more about how you personally use this plugin and what other plugins and add-ons you have used it to install. Could you give me some details about how and why you use this plugin?

    Also, what prompted you to find and install this plugin in the first place?

    • This reply was modified 2 years, 10 months ago by Eli.
    Plugin Author Eli

    (@scheeeli)

    I can’t speak to the reputation of the developer, although I did notice that there is a rather high number of 1-Star reviews (some are even reports of being hacked, though they were either unsubstantiated or replied to as fixed by the developer).

    However, I think you are correct that this is a false positive. The code in this file that my plugin is having a problem with is the following hidden DIV that is output around whatever string is passed to this internal function. The div looks like this and uses the same techniques as some hackers use to hide their injected SEO content:

    <div style="display:none;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;max-width:0px;opacity:0;overflow:hidden;">

    Perhaps you can see how this code might be considered malicious. I am still not 100% sure how the developer intends to use this suspicious code but I have whitelisted this plugin for now.

    Please download the latest definition updates and run the scan again to confirm that this file is no longer identified as a Known Threat.

    Thanks again for reporting this to me, and please feel free to let me know if you have any further questions or concerns.
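
An added example, not part of the reply above and not the Anti-Malware plugin's own detection code: a heuristic check for inline styles that stack several hiding techniques on one element, as the DIV quoted in that reply does. The rule list, the threshold of 3 and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Inline-style declarations that each hide or shrink content. This list is an
# assumption chosen for the example, not the plugin's threat definitions.
HIDING_RULES = {
    "display": lambda v: v == "none",
    "visibility": lambda v: v == "hidden",
    "opacity": lambda v: v in ("0", "0.0"),
    "font-size": lambda v: v in ("0", "0px", "1px"),
    "line-height": lambda v: v in ("0", "0px", "1px"),
    "max-height": lambda v: v in ("0", "0px"),
    "max-width": lambda v: v in ("0", "0px"),
    "overflow": lambda v: v == "hidden",
}

def parse_style(style):
    """Split an inline style attribute into {property: value}, lowercased."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            value = value.replace("!important", "").strip().lower()
            decls[prop.strip().lower()] = value
    return decls

class HiddenBlockFinder(HTMLParser):
    """Records (line, tag, matched properties) for heavily hidden elements."""
    def __init__(self, threshold=3):
        super().__init__()
        self.threshold = threshold
        self.findings = []

    def handle_starttag(self, tag, attrs):
        decls = parse_style(dict(attrs).get("style") or "")
        hits = sorted(p for p, test in HIDING_RULES.items()
                      if p in decls and test(decls[p]))
        # One hiding rule alone is normal (modals, tabs); several stacked
        # together on one element is what deserves a manual look.
        if len(hits) >= self.threshold:
            self.findings.append((self.getpos()[0], tag, hits))

def find_hidden_blocks(html, threshold=3):
    finder = HiddenBlockFinder(threshold)
    finder.feed(html)
    return finder.findings

# Constructed sample: line 1 is an ordinary hidden modal, line 2 uses the
# style string quoted in the reply above.
SAMPLE = '''<div style="display:none">modal markup</div>
<div style="display:none;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;max-width:0px;opacity:0;overflow:hidden;">text</div>
'''
```

A hit here is only a lead for review: as the reply notes, legitimate plugins can emit the same markup, so flagged files still need a human decision before whitelisting or removal.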

    Plugin Author Eli

    (@scheeeli)

    Thanks for bringing this code to my attention. I admit that this is my first time viewing this code but from what I can tell it appears to be just as insecure as my plugin suggests. From looking at the code I can see that it is designed to automatically install other “plugins” from external sources that have not been verified by WordPress. It also appears to accept $_REQUEST variables as active parameters for taking these actions and it even creates its own WP Nonce Token which could essentially circumvent the security feature built into WordPress. If this is meant to be a legitimate plugin then you have to wonder why it is not available on the WordPress Plugin Repository. I personally doubt that the Plugin Moderators would allow such code on their Repository as it seems to violate several plugin guidelines.

    I have not had the time to make a thorough case study or generate a proper outline of how this code can be exploited, and I don’t see myself doing this any time soon either. This code is suspicious enough for me to keep it designated as a known threat unless I see evidence to the contrary. If the developers want to assert that their code is safe and complies with the WordPress Plugin Guidelines then they should simply submit it to the WordPress Plugin Moderators for a proper review.

    Please let me know if you have any further questions or concerns.

    Plugin Author Eli

    (@scheeeli)

    I think I found the code, based on the file name you gave me: https://github.com/awslabs/aws-crt-php/blob/main/gen_stub.php

    This code is flagged by SiteLock as suspicious, but from what I can tell it cannot be exploited via direct URL calls as the parameters must all be passed from the command line.

    I am whitelisting this file for now but I will keep my eyes open for any signs that this code could be used maliciously, so I might update this definition in the future if I ever get confirmation of an exploit in this code.

    Plugin Author Eli

    (@scheeeli)

    Is this a premium plugin? I don’t see it on the WordPress Plugin Repository.

    Yes, please send me the file so that I can investigate this further.

    Plugin Author Eli

    (@scheeeli)

    Can you please send me the Bluehost scan results, so that I can see what you are dealing with?

    You can email me directly with any attachments that might help:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Can you please contact me for support on this? I can help you with any differences you find between my plugin’s scan results and any other results you have.

    You can send the scan results from your hosting provider directly to me and I will follow up on those ASAP:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Thanks for noticing and pointing that out.

    To be honest, I don’t really like to blog and I haven’t had anything resembling “spare time” in quite a few years. So I will probably not be doing anything new to that old blog 😉

    Plugin Author Eli

    (@scheeeli)

    For account related support you should really contact me directly. This forum is for basic plugin support. You can find my email address and links to my own site on the right side of the Anti-Malware Settings page in your wp-admin.

    That said, I see your registration on my end so there are two likely possibilities here: either your wp-admin page has been cached and you are not seeing the live results that reflect your registration; or else you might have two or more URLs, only some of which are registered (e.g. http://veneratech.com , http://www.veneratech.com , https://veneratech.com , https://www.veneratech.com ).

    If the former, just clear your cache and refresh your wp-admin page. If the latter, then simply register any additional URLs under the same email address so that they are all on the same account.

    • This reply was modified 2 years, 11 months ago by Eli.
    Plugin Author Eli

    (@scheeeli)

    Well then, yes, as I said, always feel free to contact me directly via email if you find anything new to report.

    Plugin Author Eli

    (@scheeeli)

    Just marked this thread resolved since we worked on this via email and the new threats were added to my definition updates and your last email reported “there has not been any suspicious activity since”.

    Always feel free to contact me directly via email if you find anything new to report.
