Forum Replies Created

Viewing 15 replies - 106 through 120 (of 2,028 total)
    Plugin Author Eli

    (@scheeeli)

    Thanks for posting the malicious code you found in this file. I have just added this new threat to my definition updates, so it can now be found and automatically fixed with my plugin.

    Eli

    (@scheeeli)

    Thanks for reporting this new threat!

    I have just added this variant to my latest definition updates for my Anti-Malware Security and Brute-Force Firewall plugin 😉

    Plugin Author Eli

    (@scheeeli)

    Thanks for the detailed explanation. I can understand why you have added that extra layer of security. My job is to find plugins with exploitable security holes or any code that can be used in a malicious way by unprivileged users. I have already decided that your code meets neither of those criteria so you’re all good in my book.

    Plugin Author Eli

    (@scheeeli)

    Hi Jose (@giuse),

    I was composing my reply and doing a little research on your plugin so I did not see your response until after my own reply.

    I have whitelisted your usage of this function so there is no further need to change your code, but here is what my plugin was previously identifying as malicious:

    add_filter( 'all_plugins', 'eos_dp_plugins_in_list' );

    // Remove this plugin's own entries from the plugins table on wp-admin/plugins.php
    // according to the FDP Settings (the "see_plugin" capability the plugin defines).
    function eos_dp_plugins_in_list( $plugins ) {
        $fdp_caps = eos_dp_user_capabilities();
        if ( $fdp_caps && is_array( $fdp_caps ) && in_array( 'see_plugin', $fdp_caps ) && ! $fdp_caps['see_plugin'] ) {
            // Both the free and the Pro version are hidden from the current user.
            if ( in_array( EOS_DP_PLUGIN_BASE_NAME, array_keys( $plugins ) ) ) {
                unset( $plugins[ EOS_DP_PLUGIN_BASE_NAME ] );
            }
            if ( in_array( EOS_DP_PRO_PLUGIN_BASE_NAME, array_keys( $plugins ) ) ) {
                unset( $plugins[ EOS_DP_PRO_PLUGIN_BASE_NAME ] );
            }
        }
        return $plugins;
    }

    I am curious as to why you felt the need to hide your plugin from the plugin list and did not feel you could rely on the standard WP User Capabilities to protect your plugin, and why would you allow admins to hide your plugin from other admins?
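    A scanner for the pattern that malware definition targets, added here as an example; it is neither the Anti-Malware plugin's detection code nor anything from freesoul-deactivate-plugins. It finds string callbacks hooked to the `all_plugins` filter, extracts each callback body by brace matching, and flags the callback when it unsets entries of the array it was handed. The `allowlist` parameter models the whitelisting described in the reply. The flagged sample is the snippet quoted above; the benign sample, the function names and the allowlist are my own.

```python
import re

# Sample 1: the snippet quoted in the reply above (referenced functions/constants are
# not defined here; the scanner only reads the text).
HIDING_SAMPLE = r"""
add_filter( 'all_plugins','eos_dp_plugins_in_list' );
function eos_dp_plugins_in_list( $plugins ){
    $fdp_caps = eos_dp_user_capabilities();
    if( $fdp_caps && is_array( $fdp_caps ) && in_array( 'see_plugin',$fdp_caps ) && !$fdp_caps['see_plugin'] ){
        if( in_array( EOS_DP_PLUGIN_BASE_NAME,array_keys( $plugins ) ) ){
            unset( $plugins[EOS_DP_PLUGIN_BASE_NAME] );
        }
    }
    return $plugins;
}
"""

# Sample 2 (constructed): an all_plugins filter that only relabels entries and removes
# nothing, which a definition like this should leave alone.
BENIGN_SAMPLE = r"""
add_filter( 'all_plugins', 'demo_relabel_plugins' );
function demo_relabel_plugins( $plugins ) {
    foreach ( $plugins as $file => $data ) {
        $plugins[ $file ]['Name'] = 'Managed: ' . $data['Name'];
    }
    return $plugins;
}
"""

FILTER_RE = re.compile(r"""add_filter\(\s*['"]all_plugins['"]\s*,\s*['"](\w+)['"]""")
UNSET_RE = re.compile(r"unset\(\s*\$(\w+)\s*\[")


def all_plugins_callbacks(src):
    """Names of functions hooked to the all_plugins filter (string callbacks only)."""
    return FILTER_RE.findall(src)


def filter_param(src, name):
    """Name of the first parameter of `function name(...)`, i.e. the plugins array."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(\s*\$(\w+)", src)
    return m.group(1) if m else None


def function_body(src, name):
    """Brace-delimited body of `function name(...) { ... }`, or '' if not found.
    Braces inside string literals are not understood; good enough for a triage pass."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return ""
    start = src.find("{", m.end())
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return ""  # unbalanced braces: report nothing rather than guess


def scan_plugin_source(src, allowlist=frozenset()):
    """Report all_plugins callbacks that delete entries from the list they were given,
    skipping callbacks that have been whitelisted by name."""
    findings = []
    for cb in all_plugins_callbacks(src):
        if cb in allowlist:
            continue
        param = filter_param(src, cb)
        body = function_body(src, cb)
        if any(m.group(1) == param for m in UNSET_RE.finditer(body)):
            findings.append({"callback": cb,
                             "reason": "removes entries from the all_plugins array"})
    return findings


if __name__ == "__main__":
    print(scan_plugin_source(HIDING_SAMPLE))   # flags eos_dp_plugins_in_list
    print(scan_plugin_source(BENIGN_SAMPLE))   # []
```

    Only string callbacks are recognised; closures and `array( $obj, 'method' )` callbacks would need a second pattern, and a plugin that hides itself through `array_diff_key` or by returning a filtered copy would also slip past the `unset` check, which is why a finding like this is a prompt for manual review rather than a verdict.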

    Plugin Author Eli

    (@scheeeli)

    Thanks for bringing this plugin to my attention. The malware definition in question was designed to find fake or rogue plugins that try to hide themselves from admin users so that the admins don’t even realize they have this plugin installed on their site.

    I have reviewed the code in this freesoul-deactivate-plugins plugin and determined that they do in fact have this code to hide their plugin from the wp-admin Plugins menu, but only under certain conditions where the settings have determined that the current user should not know that this plugin is installed. This is dubious IMHO, and I do not understand why the developers didn’t feel that they could rely on the normal WP User Capabilities to restrict access to their plugin. However, I cannot assert that this feature was designed to be malicious and it does not appear to hide itself from admin users (unless you select those admin users specifically). Therefore I have decided to whitelist this particular usage in this plugin.

    Could you please download the latest definition update (version N5V4L or higher) and run the complete scan again to confirm that this plugin is no longer identified as a Known Threat?

    Plugin Author Eli

    (@scheeeli)

    I left my email address at the bottom of my last reply here and it can also be found in the list of helpful links on the right sidebar of my plugin’s settings page in your wp-admin, as well as a link to my own forum page on my website: https://gotmls.net/support/forum/

    Also, any comment on any page of my website will start an email thread directly to me that I can reply to. Please contact me directly by any of these methods and I will promptly respond.

    Plugin Author Eli

    (@scheeeli)

    Please understand that this is not a typical outcome. Most people find that my plugin fixes the problem on the first try, as you can see from all the other reviews. I don’t know why it didn’t work for you on your site but I’m sure that I could help you find the solution if you had been interested enough in a solution to contact me for support. I offer excellent support for my plugin too, so I am surprised and disappointed that you did not even try to contact me before writing your review. Why not start with a support ticket?

    If you are actually interested in a solution then please contact me directly:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    I do believe my plugin can help you with this infection. Your biggest problem will be the number of sites affected and the speed at which this infection spreads. I can tell you it won’t be easy to contain the rapid spread of this type of infection on a shared hosting platform, but my plugin could help you perform rapid cleaning to compete with the rapid spreading of the threats.

    First, I would encourage you to try out my plugin for free, as it was designed to do this kind of work without any payment. If you choose to make a premium donation then you will get the added feature of automatic updates, which include core file definitions, and this may make the scans faster as well. Also, you will like that you can use these additional features on all your sites as long as you register each of the sites/keys under the same email address so that they are on the same account.

    Please let me know if you have any further questions. You can also contact me directly for faster support:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Thanks for the followup explaining your solution. I just want to clarify that no malware scanners found anything on this site because there was not any malware on the site to be found.

    Furthermore, I would like to expand on the true cause of this exploit and propose an alternate solution for those who do not use Yoast on their site. First, it is important to understand that this type of exploit uses the search results page on your site to produce a page that contains whatever text is supplied as the search phrase. Therefore, this technique only works if your theme is designed to repeat back the search text on the results page (which most are). The most direct solution in all cases would be to simply remove the output of the given search phrase from the search results template of your theme, or just use a theme that does not carelessly print out on the page whatever text anyone happens to search for on your site.

    To see if your site’s theme is susceptible to this exploit simply type your domain into your browser followed by this:

    /?s=You+have+been+hacked

    Don’t worry, you haven’t really been hacked, but you can then understand that you wouldn’t want just anybody to link to a page like this on your own site that could essentially say whatever they want to the visitors that follow such a link. Obviously, further consideration should be made when evaluating the way most themes handle this input/output relationship.
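    The check described in this reply, as an added example that is not part of the plugin: build the `/?s=` URL for a site and decide from the returned HTML whether the search phrase is printed back to visitors. The two sample pages are constructed, not taken from any real theme. `probe_own_site` is an assumed helper for a site you administer; it uses a random phrase so that text genuinely present on the page cannot be mistaken for a reflection.

```python
import html
import re
import secrets
import urllib.request
from urllib.parse import quote_plus

# Constructed search-results pages. The first prints the phrase back the way most
# themes do; the second never prints it, which is the fix the reply recommends.
PHRASE = "You have been hacked"
ECHOING_PAGE = f"""<html><body>
<h1>Search results for: &ldquo;{html.escape(PHRASE)}&rdquo;</h1>
<p>Sorry, nothing matched your search.</p>
</body></html>"""
SILENT_PAGE = """<html><body>
<h1>Search results</h1>
<p>Sorry, nothing matched your search.</p>
</body></html>"""


def search_url(site, phrase):
    """The URL the reply tells you to type: the site root followed by /?s=<phrase>."""
    return f"{site.rstrip('/')}/?s={quote_plus(phrase)}"


def visible_text(page_html):
    """Reduce a page to what a visitor reads: drop scripts, styles and tags, decode entities."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", page_html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", html.unescape(text)).strip()


def reflects_search_phrase(page_html, phrase):
    """True if the search phrase is shown verbatim to visitors of the results page."""
    return phrase.lower() in visible_text(page_html).lower()


def probe_own_site(site, timeout=10):
    """Assumed helper: fetch the search page of a site you administer with a random
    phrase and report whether the theme echoes it back."""
    phrase = "theme-check-" + secrets.token_hex(4)
    with urllib.request.urlopen(search_url(site, phrase), timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return reflects_search_phrase(body, phrase)


if __name__ == "__main__":
    print(search_url("https://example.com", PHRASE))
    print(reflects_search_phrase(ECHOING_PAGE, PHRASE))  # True: the theme repeats the phrase
    print(reflects_search_phrase(SILENT_PAGE, PHRASE))   # False: nothing to link to
```

    The comparison is done on rendered text rather than raw HTML so that entity encoding (`&ldquo;`, `&amp;`) does not hide a reflection; a theme that escapes the phrase for HTML is still showing it to visitors, which is the point the reply makes.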

    Plugin Author Eli

    (@scheeeli)

    On average the Complete Scan should usually take around 30 minutes to scan the database and every file on the site (except for files on the exclude list). On a simple site with an optimum host it could take 10 minutes or less, and on big sites with lots of plugins and extra files it can easily take an hour or more. There are many reasons that could cause the scan to run slow, but I have found that if the scan takes more than an hour there is usually a simple fix that will speed it up depending on the primary cause of the slowness. One easy thing to try would be to increase the memory_limit in your php.ini file (the more memory you allocate to each PHP process, the more likely that each process will complete quickly). You might also check the scan results for Read Errors that have caused the scan to get stuck on various files throughout the scan, and figure out what caused the error so that the scan can continue at normal speed. You can also delete any inactive plugins and themes, clear all cache, and delete all unneeded files from the site to lighten the workload for the scan.

    If you need more help figuring out what is causing the slowness you can send me some screenshots of the scan at various points throughout so that I can get an idea of the general progress and scan stats.

    Plugin Author Eli

    (@scheeeli)

    That depends… Are these spam links in comments? My plugin does not handle comment spam; there are lots of great plugins specifically for dealing with spam comments.

    If this is not a comment-based issue then, yes, in general, this is one of the types of threats that my plugin was designed to find. Make sure that you have the latest definition updates and run the Complete Scan; if it doesn’t find anything then maybe this threat has found a new way to conceal itself.

    If you are looking for more than just a general overview then I would need more information to go on. The example excerpt you posted could be generated anywhere on your site and from almost any file on your server, or it could even have been injected directly into your database. The source code for a hack like this can vary greatly and can even be made to look like other legitimate PHP code, and it might in no way resemble the output you have found on your pages.

    If it turns out that nothing malicious is found on your site but this unwanted injection remains then would you please be willing to provide more information, to start with: Where is this output found on your site (please include a URL so that I can see this output on the page)?

    You can contact me directly if you don’t want to post any links on this public forum:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    The firewall in my plugin is a bit different than BBQ. To be fair, no two firewalls are the same (unless one is just copy-cat software that has been re-branded).

    My firewall’s target is to stop some of the most popular exploits of WordPress sites with a focus on preventing DDoS attacks from affecting the performance of your server. You have the option of disabling any of the individual protections in the Firewall Options which can help if you need to allow certain request that might look like an attack.

    I cannot speak for BBQ but if you look at the source code in their main plugin file you can see that their technique is pretty straightforward. They basically deny access to your site if any of the request parameters match strings in four lists corresponding to the URI, the Query_String, the User Agent, or the referrer. These are basically custom blacklists of key words or symbols that the developer has decided to block.

    If the BBQ plugin works for you and it doesn’t stop you from performing the actions that you need to access on your site then you should keep it in place and add my plugin too. Typically multiple firewall plugins should not conflict with each other and if they do then one of them might be overzealous or too aggressive in their techniques.
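    The blacklist technique this reply attributes to BBQ, reduced to an added Python example (this is neither BBQ's nor Eli's code, and the lists here are constructed for the demo; BBQ's real lists live in its plugin file): each request is checked against four substring lists, and an `enabled` set models switching individual protections off, which is how the "overzealous" case in the last paragraph gets resolved.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """The four request properties the blacklists are matched against."""
    uri: str
    query_string: str = ""
    user_agent: str = ""
    referrer: str = ""


# Constructed blacklists for the demo; not BBQ's lists.
BLACKLISTS = {
    "uri": ("../", "%00", "/etc/passwd"),
    "query_string": ("<script", "base64_", "union select"),
    "user_agent": ("libwww-perl", "masscan"),
    "referrer": ("semalt.com",),
}


def first_match(request, lists=BLACKLISTS, enabled=None):
    """Return (list_name, pattern) for the first blacklisted substring found, else None.
    `enabled` limits which of the four protections are active (None means all four)."""
    active = set(lists) if enabled is None else set(enabled)
    for name, patterns in lists.items():
        if name not in active:
            continue
        value = getattr(request, name).lower()
        for pattern in patterns:
            if pattern.lower() in value:
                return name, pattern
    return None


def decide(request, **options):
    """The whole policy: any hit denies the request, otherwise it passes through."""
    return "403 Forbidden" if first_match(request, **options) else "pass"


# Constructed sample traffic, including the false positive the reply warns about:
# a legitimate search for "base64_encode tutorial" trips the query-string list.
SAMPLES = [
    Request("/index.php", user_agent="Mozilla/5.0"),
    Request("/wp-admin/../wp-config.php"),
    Request("/", query_string="s=base64_encode+tutorial"),
]


def demo(enabled=None):
    """Decision per sample request, optionally with some protections disabled."""
    return [(r.uri, r.query_string, decide(r, enabled=enabled)) for r in SAMPLES]


if __name__ == "__main__":
    for row in demo():
        print(row)
    # Disabling the query-string protection lets the legitimate search through.
    print(demo(enabled={"uri", "user_agent", "referrer"})[2])
```

    Matching is plain case-insensitive substring search, exactly the property that makes such lists cheap and also makes them prone to blocking legitimate traffic; logging the `(list_name, pattern)` pair for every denial is what lets you tell an attack from an overzealous entry when two firewalls disagree.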

    Plugin Author Eli

    (@scheeeli)

    It sounds like you have a number of core files that are being repeatedly and rapidly reinfected. It also looks like you may have multiple WordPress installations within sub-directories of the main site. It is very common, and seems most likely in your case, that there are some sites within your account that are not getting cleaned at the same time and these site are reinfecting the other sites you just cleaned almost immediately.

    Cross contamination is all too easy to accomplish on a shared hosting environment and extremely hard to stop with the limitations on restricting access, given that all the sites are running out of the same root directory with the same user permissions.

    What you really need to do is isolate each site from one another while you clean all the infected files. Then you should only see the one or maybe two sites that have actually been breached. These sites can then be patched or upgraded to remove the original exploit that let in this threat, and then they too can be cleaned. The most important security measure is to keep each site installed in separate directories under separate user accounts so that one compromised site cannot infect all the others.
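    An added check for the situation in this reply (not part of the plugin), assuming shell access to the hosting account: it lists every WordPress install under a directory, reports installs nested inside another install's document root, and groups installs by owning uid so you can see which ones share an account and therefore can write to each other's files. The tree built by `build_demo_tree` is a constructed fixture.

```python
import os
import tempfile
from collections import defaultdict


def find_wordpress_roots(base):
    """Directories under base that contain a wp-config.php (one per install)."""
    roots = []
    for dirpath, _dirnames, filenames in os.walk(base):
        if "wp-config.php" in filenames:
            roots.append(dirpath)
    return sorted(roots)


def nested_installs(roots):
    """(outer, inner) pairs where one install lives inside another's document root;
    the outer site's PHP can then modify the inner site's files directly."""
    pairs = []
    for outer in roots:
        prefix = outer.rstrip(os.sep) + os.sep
        pairs.extend((outer, inner) for inner in roots if inner.startswith(prefix))
    return pairs


def sites_sharing_an_owner(roots):
    """uid -> roots owned by that uid, keeping only uids that own more than one site."""
    groups = defaultdict(list)
    for root in roots:
        groups[os.stat(root).st_uid].append(root)
    return {uid: sites for uid, sites in groups.items() if len(sites) > 1}


def build_demo_tree(base):
    """Constructed fixture: a main site with two more installs inside it, one owner."""
    for rel in ("main", "main/blog", "main/shop"):
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        open(os.path.join(d, "wp-config.php"), "w").close()


def report(base):
    """Relative-path summary of installs, nesting and shared ownership under base."""
    roots = find_wordpress_roots(base)
    rel = lambda p: os.path.relpath(p, base)
    return {
        "roots": [rel(r) for r in roots],
        "nested": [(rel(o), rel(i)) for o, i in nested_installs(roots)],
        "shared_owner_sites": {uid: [rel(r) for r in sites]
                               for uid, sites in sites_sharing_an_owner(roots).items()},
    }


def demo():
    """Run the report over the constructed fixture in a fresh temporary directory."""
    base = tempfile.mkdtemp(prefix="wp-isolation-")
    build_demo_tree(base)
    return report(base)


if __name__ == "__main__":
    # On a real account, point report() at the hosting account's web root instead.
    print(demo())
```

    On a real account the interesting output is a single uid owning every root: that is the "same root directory with the same user permissions" condition from the reply, and any site in that group can reinfect the others until they are moved under separate user accounts.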

    Plugin Author Eli

    (@scheeeli)

    You can hover over each file in either of those lists to see the reason for them being on that list.

    For the skipped files it is either because the file size is 0 Bytes (which means it contains no code that could be scanned) or the file type is on the list of file extensions to be skipped (such as CSS, language files, images, fonts, and other binary files that cannot be executed by CGI engines like PHP on the server).

    As for the Read/Scan Errors, these are more varied and you should look at each one to see if you can determine why the scan process could not read those files. Sometimes it is caused by improper permissions on the file or other restrictions on the server. You could try increasing the memory_limit value set by the php.ini file on your server to make sure your PHP processes have access to enough memory to read, copy and scan all the file’s content (this may also dramatically increase the overall speed of the scan in some cases). Ultimately, the answers for what is causing any error on your site should be found in the error_log files on your server (ask your hosting provider where you can view these logs).

    Plugin Author Eli

    (@scheeeli)

    The reg form on gotmls.net and the pre-filled reg form on the Anti-Malware Settings page in your wp-admin both have a Last Name field. Where are you seeing this Your Full Name field?

    Please send a screenshot directly to my email for account support:

    eli AT gotmls DOT net
