Forum Replies Created

Viewing 15 replies - 121 through 135 (of 2,028 total)
    Plugin Author Eli

    (@scheeeli)

    Thanks so much for reporting this bug with enough detailed info that I could find and fix the issue. I was actually quite surprised to discover that the PHP function mb_regex_encoding does not recognize Windows-1252 (or any other Windows encoding) as a valid encoding.

    In any case, I have just released a new plugin update (version 4.21.92) which fixes this PHP error.

    Thanks again for your help with this 😉
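
The encoding failure above, as an added example (this is not the Anti-Malware plugin's code): mb_regex_encoding() only accepts the encodings the mbstring regex engine supports, so a charset taken from a file header has to be probed before it is used, with a transcoding fallback when it is rejected. The helper names, the fallback to UTF-8 and the Windows-1252 sample bytes are assumptions made for the illustration; it assumes PHP 8 with the mbstring extension.

```php
<?php
// Added example, not code from the Anti-Malware plugin: it reproduces the
// failure described above and adds a fallback. mb_regex_encoding() accepts
// only the encodings the mbstring regex engine supports, so a charset read
// from a file header (e.g. Windows-1252) has to be probed before use.
// Assumes PHP 8 with the mbstring extension. PHP 8 throws a ValueError for
// an unsupported name, PHP 7 warned and returned false; both paths end up in
// the fallback below.

function select_regex_encoding(string $declared, string $fallback = 'UTF-8'): string
{
    try {
        if (@mb_regex_encoding($declared) === true) {
            return $declared;          // accepted, and now the active regex encoding
        }
    } catch (\ValueError $e) {
        // PHP 8: "must be a valid encoding" for names the regex engine does not know
    }
    mb_regex_encoding($fallback);
    return $fallback;
}

// Transcode the input to whatever encoding the regex engine will run with,
// then search with the mb_ereg_search_* family so multibyte characters are
// never split in the middle of a match.
function find_pattern(string $bytes, string $declared, string $pattern): array
{
    $active = select_regex_encoding($declared);
    $text = ($active === $declared)
        ? $bytes
        : mb_convert_encoding($bytes, $active, $declared);

    $hits = [];
    mb_ereg_search_init($text, $pattern);
    while (($regs = mb_ereg_search_regs()) !== false) {
        $hits[] = $regs[0];            // $regs[0] is the whole match
    }
    return $hits;
}

// Constructed sample: Windows-1252 bytes with curly quotes (0x93/0x94) around
// the text, followed by a call worth flagging. The curly quotes are not valid
// UTF-8, so scanning the raw bytes as UTF-8 would fail on them.
$sample = "echo \x93hello\x94; eval(base64_decode(\$x));";
print_r(find_pattern($sample, 'Windows-1252', 'eval\(base64_decode\('));
```

The point of probing with the real call rather than checking mb_list_encodings() is that the two lists differ: mbstring can convert Windows-1252, but its regex engine cannot be set to it, which is exactly the gap the bug report above hit.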

    Plugin Author Eli

    (@scheeeli)

    Thanks for those error logs. There are tons of errors from the slim-seo plugin in there, but the only error that relates to my plugin is this one at 28-Feb-2023 19:13:27 UTC:

    PHP Fatal error: Allowed memory size of 268435456 bytes exhausted

    This suggests that the php.ini file on your server has a memory_limit set to 256M, and the Quarantine probably needs more memory than that in order to display and rescan each of the files listed in the quarantine.

    There is a chance that this error was unrelated to the Quarantine at all if it happened at a completely different time, though that is the only error triggered by my plugin. There could be an error from another conflicting plugin that is preventing the quarantine from loading, but it would not name my plugin in the log file, so the only way to find that is to correlate the timestamps in the log files with the exact times that you tried to render the Quarantine page.

    Or you could turn on debugging by adding these lines to your wp-config.php file:
    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_LOG', true );
    define( 'WP_DEBUG_DISPLAY', false );
    define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true );

    As for the other issue, with the external scripts that are infected, you can't do anything about the script itself if it is hosted on another domain which you do not have access to, but you can remove all references to that external script from your site, and my plugin should do that for you. And from the 73 items in your Quarantine it sounds like my plugin has already removed a lot of these for you. If these infections are coming back though, you might still have a vulnerability on your site that is being exploited to inject these external references, and that will need to be found and patched. First try deactivating and deleting any themes and plugins that you don't need. If the injections still return after that, then you will need to compare the times of these infections with the activity recorded in your raw access_log files to determine what vulnerable URLs are responsible for this injection and try to link those URLs back to the insecure code that is allowing this exploit.
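
The timestamp correlation recommended twice in the reply above (error log against the Quarantine page loads, and infection times against the raw access_log), as an added example that is not part of the plugin. It reads the `[28-Feb-2023 19:13:27 UTC] PHP Fatal error: ...` prefix PHP writes to error_log or wp-content/debug.log, parses Apache combined-format access_log lines, and lists the requests that landed within a window of that moment, POSTs and hits on non-core PHP files first. The log lines, IPs, paths and user agents in the sample are constructed for the illustration.

```php
<?php
// Added example, not part of the plugin: correlate a timestamp from the PHP
// error log (or the time an infection was quarantined) with the raw
// access_log so the request that triggered it can be found. The log lines
// below are constructed samples; the IPs, paths and user agents are invented.

// Parse "[28-Feb-2023 19:13:27 UTC] PHP Fatal error: ..." into a Unix timestamp.
function error_log_time(string $line): ?int
{
    if (!preg_match('/^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [A-Za-z]+)\]/', $line, $m)) {
        return null;
    }
    $t = DateTimeImmutable::createFromFormat('d-M-Y H:i:s T', $m[1]);
    return $t === false ? null : $t->getTimestamp();
}

// Parse Apache "combined" format lines into structured entries.
function parse_access_log(string $text): array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"~';
    $entries = [];
    foreach (preg_split('/\R/', trim($text)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                          // not a request line; skip
        }
        $t = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($t === false) {
            continue;
        }
        $entries[] = [
            'time'   => $t->getTimestamp(),
            'ip'     => $m[1],
            'method' => $m[3],
            'path'   => $m[4],
            'status' => (int) $m[5],
            'ua'     => $m[6],
        ];
    }
    return $entries;
}

// Requests within +/- $window seconds of $when, most suspicious first:
// POSTs and PHP files outside wp-admin are the usual injection vectors.
function requests_near(array $entries, int $when, int $window = 120): array
{
    $near = array_values(array_filter(
        $entries,
        fn(array $e) => abs($e['time'] - $when) <= $window
    ));
    $score = fn(array $e) => ($e['method'] === 'POST' ? 2 : 0)
        + ((preg_match('~\.php(\?|$)~', $e['path']) && !str_starts_with($e['path'], '/wp-admin/')) ? 1 : 0);
    usort($near, fn(array $a, array $b) => $score($b) <=> $score($a) ?: $a['time'] <=> $b['time']);
    return $near;
}

// Constructed samples: the fatal error from the reply above and four access_log
// lines around it (hypothetical admin page slug and upload path).
$errorLine = '[28-Feb-2023 19:13:27 UTC] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted';
$accessLog = <<<'LOG'
203.0.113.7 - - [28/Feb/2023:19:12:58 +0000] "GET /wp-admin/admin.php?page=quarantine HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2023:19:13:05 +0000] "POST /wp-content/uploads/2023/02/example.php HTTP/1.1" 200 312 "-" "python-requests/2.28"
203.0.113.7 - - [28/Feb/2023:19:13:27 +0000] "GET /wp-admin/admin.php?page=quarantine HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2023:19:40:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
LOG;

$when = error_log_time($errorLine);
if ($when !== null) {
    foreach (requests_near(parse_access_log($accessLog), $when) as $r) {
        printf("%s %-14s %-4s %d %s\n", gmdate('H:i:s', $r['time']), $r['ip'], $r['method'], $r['status'], $r['path']);
    }
}
```

For the injection case, feed the time each Quarantine entry was recorded in as `$when` instead of an error-log line; a request that keeps appearing just before each reinfection, especially a POST to a file under wp-content/uploads or to a plugin you did not install, is the URL to trace back to the vulnerable code.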

    Plugin Author Eli

    (@scheeeli)

    Just wanted to follow up here and mark this thread resolved since I had added this new threat to my latest definition update.

    Thanks for sending me the whole file so that I could get this done right 😉

    Plugin Author Eli

    (@scheeeli)

    It looks like you have thus far used my plugin to remove 73 infections from your site. Detailed records of these prior infections are stored in the Anti-Malware quarantine, but rest assured that there is nothing further that you would need to do there; those records do not correspond to active threats that require further action but rather former infections that have already been cleaned.

    It is also clear, however, that you are unable to load the Quarantine page on your site. While this is not functionally impairing your efforts to clean the site, it is still highly important to me that we figure out what is causing this issue so that I can implement any changes that may be needed to correct the specific issue you have encountered. To follow up on Question #2 I will need more info from you to properly troubleshoot the error you have found. Your admin email should have received an email from your site that outlines the specific error that was triggered when the Quarantine page was loaded. If you cannot find that error in your email then there should also be an error_log file on the server that records all the PHP errors on the site. If you can find the actual error message then please send it directly to me so that I can look into this further for you. It may contain sensitive information that you might not want to post on this public forum, so you can email me directly with any details that could help me identify the issue at: eli AT gotmls DOT net

    It is a common enough technique that malware injections refer to an external script hosted on another domain, as you have found with the reference to the new2sportnews script. However, the domain in question is not ultimately responsible for this infection and thus should not be solely blamed for the malware you found. In fact, in many cases this same malware may try to place these infected scripts on your own site and then refer to your domain when it injects these malicious links into the code on other sites that are targeted by this same attack, thereby making your site the source of the malware that others find in their code. That is just the nature of these types of infections. Therefore, my Anti-Malware plugin searches your database and the source code on your server looking for malicious patterns like these regardless of the specific domain used to pull up the external scripts. So, you may not ever see the new2sportnews domain mentioned by my plugin when it identifies these threats, even when that is the source that these scripts are currently being loaded from. I hope that answers Question #1.
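
A domain-agnostic check of the kind the reply above describes, as an added example (this is not the plugin's detection logic, and the host names and post content are constructed; `.invalid` is a reserved TLD). It walks script, iframe and stylesheet references in stored HTML and reports every one whose host is not the site's own, plus `data:` and `javascript:` sources, which are a common way to smuggle script without naming any domain at all. On a live site the same function would be run over wp_posts.post_content, wp_options values and theme/plugin files.

```php
<?php
// Added example, not the plugin's own code: list script/iframe/stylesheet
// references that load from a host other than this site, whatever that host
// is. Sample content and host names are constructed for the illustration.

function external_references(string $html, array $ownHosts): array
{
    $own = array_map('strtolower', $ownHosts);
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // post fragments are rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();

    $found = [];
    foreach (['script' => 'src', 'iframe' => 'src', 'link' => 'href'] as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            if ($tag === 'link' && stripos($el->getAttribute('rel'), 'stylesheet') === false) {
                continue;                      // canonical, icon, preconnect etc. are not code
            }
            $url = trim($el->getAttribute($attr));
            if ($url === '') {
                continue;                      // inline <script> body or attribute absent
            }
            // Protocol-relative "//host/x.js" has no scheme; add one so parse_url sees the host.
            $probe  = str_starts_with($url, '//') ? 'https:' . $url : $url;
            $scheme = strtolower((string) parse_url($probe, PHP_URL_SCHEME));
            $host   = parse_url($probe, PHP_URL_HOST);

            if (in_array($scheme, ['data', 'javascript'], true)) {
                $found[] = ['tag' => $tag, 'host' => $scheme . ':', 'url' => $url];
                continue;
            }
            if (!is_string($host)) {
                continue;                      // relative path, served from this site
            }
            $host = strtolower($host);
            if (!in_array($host, $own, true)) {
                $found[] = ['tag' => $tag, 'host' => $host, 'url' => $url];
            }
        }
    }
    return $found;
}

// Constructed post_content: one core script, one same-site script, one
// injected external reference (protocol-relative) and one data: URI script.
$postContent = <<<'HTML'
<p>Welcome to our site.</p>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.example.com/wp-content/themes/t/app.js"></script>
<script src="//cdn.injected-host.invalid/v2/a.js"></script>
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
<link rel="canonical" href="https://www.example.com/hello-world/">
HTML;

print_r(external_references($postContent, ['example.com', 'www.example.com']));
```

Matching on "not our host" rather than on a blocklist of known bad domains is what lets the same rule catch the next campaign after the attacker rotates hosts, which is why a report from a scanner built this way need not mention the domain the script happens to load from today.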

    Plugin Author Eli

    (@scheeeli)

    That is an unusually long time for the complete scan to take. On a normal WordPress site running on any decent server the complete scan should take no more than one hour. There may be some kind of memory limit or CPU throttling on your server that is preventing the scan from running at full speed, or there may be a permission issue or file corruption that is causing the scan to get stuck on various folders before continuing again at normal speed.

    In any case, I wish you would have tried contacting me for support on this issue before jumping in with a review, as we might have found a solution for you that left you more impressed than your initial scan experience. I fully support my free plugin and I want to make sure that it performs optimally in all conditions as best as I can. If given the opportunity I would still be very eager to find the cause of the problem you are currently experiencing. If you would be willing to work with me more on this issue please contact me directly:

    eli [At] gotmls [.] net

    P.S. I am sorry that I don't speak Italian, but here is the Google Translate of my response for your convenience; I hope it makes sense:

    I am sorry that I don't speak Italian, but here is the Google Translate of my response for your convenience; I hope it makes sense:

    That is an unusually long time for the complete scan to take. On a normal WordPress site running on any decent server, the complete scan should not take more than an hour. There may be some kind of memory limit or CPU throttling on your server that prevents the scan from running at full speed, or there may be a permission problem or file corruption that causes the scan to get stuck on various folders before continuing again at normal speed.

    In any case, I wish you had tried contacting me for support on this issue before starting with a review, since we might have found a solution for you that left you more impressed than your initial scan experience. I fully support my free plugin and I want to make sure it performs optimally in all conditions as best I can. Given the opportunity, I would still be very eager to find the cause of the problem you are currently experiencing. If you are willing to work with me more on this issue, contact me directly.

    Plugin Author Eli

    (@scheeeli)

    Thanks for that.

    To be honest I am very concerned too. I have never come across this before on any of my test sites, which are all running the very latest version of WordPress. After your mention of having this issue on a completely new install of WordPress though, I decided to test that, and sure enough, when I installed a newly downloaded copy of WordPress on a new site with a completely blank database this new _transient_feed_d117b5738fbd35bd8c0391cda1f2b5d9 record appeared at the end of the wp_options table with the same content. Frankly I am not sure why WordPress would load any transient_feed record into a new database at all, but this one especially, since it is over 600KB and full of articles that are not even in the wp_post, and one of which even has the word viagra in it!

    I will continue to dig deeper until I find out how and why this record was included with the latest release and also see if I can persuade anyone who is authorized to change it that it doesn’t need to or shouldn’t be there.

    Plugin Author Eli

    (@scheeeli)

    Ok, thanks for sharing that data with me. There is a draft post in that transient feed data that is a transcript of "Interview With Product Lead Mark Westguard Of WS Form" in which viagra is mentioned, and that is why the record was flagged for deep scan by my plugin.

    Then the scan finds various links that would not otherwise be suspicious, but in conjunction with the viagra talk it ends up being marked as a known threat.

    I have whitelisted this record so that it is no longer matched in my latest definition update. However, I am a bit disturbed by how and when this feed content made it into the WordPress Core release, so I am going to do some more digging to get to the bottom of this and find out why the full transcript of this interview is now embedded into every new WordPress database.

    Thank you for taking the time to bring this to my attention, and also for your willingness to work with me further. Providing that additional data was crucial to me understanding the extent of this issue and greatly helped me to find a quick solution.

    Plugin Author Eli

    (@scheeeli)

    🙁 … Yes…

    I don’t like to have it typed out like that just to avoid the spam bot scrapers picking it up, but yeah, that will reach me.

    Plugin Author Eli

    (@scheeeli)

    Thanks for posting this info. Unfortunately I cannot see the relevant parts of that transient feed record to see what is actually being detected there. Can you please copy out the entire contents of that textarea and send it to me for further examination?

    You can email it directly to me: eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Hi Alberto,

    I just found a comment on my blog which had been sent to my spam folder, so it appears that you did try to contact me yesterday. Sorry for missing that communication.

    In the comment you posted you mentioned that my plugin was flagging PHP files like fuentes.php, and this is not a core file or any legitimate plugin file that I am aware of. You also said that your site keeps appearing to be compromised, with a red screen and the following message: "The site ahead contains malware".

    So, I have to say that this does not seem to be a likely candidate for a False Positive. Can you please tell me what would make you think that this report from my plugin is actually a false positive if you are getting outside reports of this infection and clearly have non-standard PHP files on your server?

    Plugin Author Eli

    (@scheeeli)

    Can you please send me any information on this new False Positive so that I CAN fix it?

    I cannot fix this if you don't report it to me. At the first sign of trouble you could have posted a support request, or opened a ticket, or sent me a direct email so that I could help you resolve this, as I do for all those who take the time to contact me for help. However, this is the first I have heard from you on this issue, so I am at a loss for how you expect me to do anything about this False Positive that you are referring to when you have given me no relevant information to act on.

    For the quickest response time please email me directly:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Please send any new threats directly to my email as attachments and I will add them to my definition update:

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Yes, Please send me a screenshot of this page after you have waited for a full 60 seconds and then clicked the “taking too long” button. It would be even more helpful if you could also open your browser’s inspector to the Console and Network tabs so that I can see what is not loading and what errors are found on that page when you try and run the fix.

    Plugin Author Eli

    (@scheeeli)

    No, that is a false positive. I have excluded this pattern from my definitions.

    Please download the latest definition update and let me know if you still have problems with this.

    Plugin Author Eli

    (@scheeeli)

    Thanks for sending me that log file. Yes, that is a false positive.

    Those are some strange errors you are getting from Gravity Forms though. Even so, that code is not actually malicious, as it is only snippets of an erroneous query and not in an executable format.

    Nevertheless, I have updated my definitions to exclude this unexpected pattern, so you should not see this instance reported again.
