Why should I register?
If you register on GOTMLS.NET you will have access to new definitions of New Threats and added features like automatic removal and patches for specific security threats and vulnerabilities like old versions of timthumb and brute-force attacks on wp-login.php. Otherwise, this plugin only scans for "Potential Threats" on your site, it would then be up to you to identify the good from the bad and remove them accordingly.
Why can't I automatically remove the "Potential Threats" in yellow?
Many of these files may use eval and other powerful PHP function for perfectly legitimate reasons and removing that code from the files would likely cripple or even break your site so I have only enabled the Auto remove feature for "Know Threats".
How do I know if any of the "Potential Threats" are dangerous?
Click on the linked filename, then click each numbered link above the file content box to highlight the suspect code. If you cannot tell whether or not the code is malicious just leave it alone or ask someone else to look at it for you. If you find that it is malicious please send me a copy of the file so that I can add it to the definitions file as a "Know Threats", then it can be automatically removed. If you want me to examine your files please consider making a donation.
What if the scan gets stuck part way through?
First just leave it for a while. If there are a lot of files on your server it could take quite a while and could sometimes appear to not be moving along at all even if it really is working. If, after a while, it still seems really stuck then try the Complete Scan or try running the scan again. If it stops in the exact same place then you may want to try to figure out what file in that folder is causing it to hang or avoid scanning that folder all together. If you figure it out let me know what it was and I will try and make the program find it's own way around that problem.
How did I get hacked in the first place?
This was most likely a random attack on your file-system by a hacker's robot/virus (automated script). This is usually because you are running an older version of WordPress or have installed a Plugin or Theme with vulnerabilities, or because your site is on a shared server with other exploitable sites that got infected. In some cases it's possible that your hosting provider got hacked at a root level and all their clients on that machine got infected.
What can I do to prevent it from happening again?
There is no sure-fire way to protect your site from any kind of hack attempt. That said, some of the basic steps should include: hardening your password, keeping all your sites up-to-date, and regular scans with Anti-Malware software like GOTMLS.NET
Malware Protection
Hello! Your plugin tracked down some nasty code in a WP-Login.php file, but sucuri.net still says my root site is infected with javascript, (http://sucuri.net/malware/entry/MW:SPAM:SEO). Malware Is there any way to check my root with your plugin (my wordpress in installed in a directory). Many thanks
I have expanded the search range on your registration to included the root domain. You’ll need to download a definition update for the change to take effect. You can click the green checkbox in the Definition Updates section to the right of the Scan Setting if you need to force a Definition Update.
Please let me know if it still does not find the threat you are looking for.
Astounding! Many thanks. Going to try that out now. You may just be the fastest draw in the West. *salutes*
Hmmm. I ran it and searched my entire site, but the malware remains unfound and sucuri.net still says my site is infected. Would a database infection alone show up on sucuri? I’m absolutely lost
I’ve seen this javascript before, “dnnViewState()” combined with various iframes. The problem is finding out where it is generated from. It could just be in your DB, at the bottom of a post or in a text widget, but it is more likely encrypted in some PHP file somewhere. I can look for it for you if you want to give me WP Admin access to your site.
I replied to the email comment I received with info. Thanks again
Thanks for the login info.
I refreshed the securi scan and there were then different results do I’m looking into that now. I am still look but so far I think your theme has been tampered with. If you still have the install files for that “newsimple” theme you should reinstall it. Switch to another theme so you can completely delete the newsimple theme before you reinstall it.
Hello,
When I try and activate this plugin I get the below error:
Fatal error: Call to a member function query() on a non-object in /home/UsernameRemoved/public_html/DomainRemoved/wp-content/plugins/gotmls/images/index.php on line 524
Do you know why this is happening?
Any help is much appreciated. If you have any questions, please do not hesitate to let me know.
Regards,
-= Jerry Campbell =-
You can rem that line out by putting two slashes in front of it or completely remove it. It was meant to clean up settings from an older version when you are upgrading.
Thanks for letting me know about this error. I will fix it and release another plugin update soon.
Hello Eli,
I was hit with a mal-ware warning from Google when Chrome or Firefox views the site. Ive downloaded your plug-in, updated, and found a few potential threats in my W3 cache.
Next, I deleted the cache, ensured the files in question were gone and had google reexamine the site. Still, they tell me malware exists.
I would be happy to look at it if you want to send me a login to your site.
What details does Google provide about the infection?
Thanks for the login. I changed the settings to scan the public_html directory and ran a Complete Scan on the whole site. It found and fixed a malicious javascript injection in your theme’s footer file.
You should request a review of your site in Goolge’s Webmaster Tools now. Let me know if there is anything else.
I have a number of sites, I want to use the plug in and register and donate is there anyway to do this besides each site, I will run out of Emails and or accounts, I can use the contact email but my name is the same. I can’t make a donation until Friday, but I am not sure even the hacking has stopped, and I don’t know where else to look for problems. I wanted to contact you direct so I could send an agreeable amount based on the sites. Is this still being worked on?
You can register all the sites using the same email address so that it puts them all under the same account on GOTMLS.NET
Then make just one donation within your budget and appropriate to the number of sites you are registering on that account.
Thanks for stopping by, and let me know if you need any help.
Hello, I love your plugin it has saved my butt several times. But I will get Read/Write errors often after running the scan. How do I correct these Read/Write errors, what should they be? Is there anyway I can get you to lend me a hand with this?
Thank you soooo much for any help you can provide!
The read/write errors are usually because the permissions on a file is such that the web-server process (usually Apache) does not have access to the file. Every server can be setup to run in many different way so there is no one-right-way to set the permissions. A good way to check the file in question is to compare it’s permissions to other files on the server, maybe this file is set to 600 and the others are 644, or the user/group is root/root and the others are you/www-data. A good FTP client like Filezilla can help you check and set permissions on you files.
There may be other reasons why some files on your server cannot be read, so if this does not help you I would be happy to take a look at it for you. If you want more help you can send login credentials to: eli at gotmls dot net
You might want to make potential threats, removable, and also sendable to you, so you can analyze them as known threats.
I will never make potential threat removable because then everyone would remove them, and most of them are ok. If I had more time (i.e. if this were a fully funded project that I could devote 100% of my time to) then I would have a better system for dealing with that grey area between bad and unknown. Right now, if you were to remove all the potential threats it would most likely brake your site and I doubt any of them are actually malicious. So, why are they even there then? Because sometimes new threat arise that are not yet know to me. This then becomes a good place to start looking. I try to help everyone who contacts me for support and the most efficient way for me to do that at this time is for them to give my access to their WP Admin. I am working toward a self-sufficient plugin that requires less help from the programmer (me) and more results for the do-it-your-selfers (you all).
If you want more features and better definitions please donate to support my work on this plugin. Thanks!
Hi there!
Great script, I would love to have it as a go-to in my arsenal of malware scans but I am having one problem.
When I go to update the definitions I am redirected to the homepage of the site and no updates are happening. Is there somewhere I can manually add the new definitions via FTP or something?
Cheers!
There is a manual update that I could help you with if needed, however the symptoms you describe exactly match the effect of that wordpress firewall plugin. If I am right that you are also using that firewall plugin then please disable it temporarily, then perform the update, then re-enable it again.
If that does not work I am more than happy to help you install the update manually.
I’ve registered on your site (and donated) but now can’t log into my wordpress account and I wasn’t able to download the definitions (the register key items were in green). Can you help please?
Thanks
I was able to login and clear up most of those infections when you gave me your WP Admin login but there were still more that did not match my definitions at the time. I have since updated the definition with those Known Threats but when I try to login to your site it says “The username or password you entered is incorrect”. Did you change the password?
Have you gotten the update cleaned up your site or do you still need my help?
I have also tried emailing you and got no response. I take the time to reply to everyone who contacts me for help, and I consider each request to be an open case until I hear otherwise, so if you don’t need my help anymore please let me know.
Hi Eli -
Happy New Year. Firstly, thank you for your plug-in and this site. It’s scary for a WordPress amateur to wake up to an email announcing that your site has been flagged by Google.
I did a complete Scan on my WordPress site. (6) files have been quarantined, there are a handful of potential threats (which appear to be from legit plugins that I’ve had for awhile) and there were 170 skipped folders.
I’m not sure what to do from here?
Thank you so much.
Steven
Thanks for sending me your credentials. I have found and removed the last infection that had been missed. I will be adding this new definition to my updated so that it will help others to find the same threat. I’ll keep an eye on your site for a day or two to make sure nothing comes back if that’s ok with you.
Dear Eli! I have problems with my site. This ordeal began yesterday in the evening. My site redirects users to a virusaffected site. As the company where we have the server received complaints it closed our site partially. I dont know what to do. They tell me to find scripts that is infected and delete them to change all passwords and update wordpress.. As I was looking for a plugin that could help me to find these scripts I found yours. To be honest I have never used your plugin before so I dont know what to do next. Your plugin says that i have 24 potential threats. Please help me just some how? =) This attack came out of a blue and I was not ready for that.. I didnt know to expect it.
I’m happy to help you with this. Without getting into your WP Admin I can only give you general advice based on the info you provide. If you are willing to give the WP Admin access I can check it out for you and let you know.
I am not getting that ‘fix it all’, button? Any ideas?
James, …
Did you download the Definition Update?
Are there any “Known Threats”?
NO, there are not any known threats. But I know the beast is still there!
The Repair button only shows up if there are “Known Threats” found.
I don’t see any iframe redirect right now on the from of your site but it sounds like you have a back-door or some security vulnerability that is allowing repeated infections.
Ok, so that button doesn’t come up without there being specific issue. I get that…
I have tried for the last 14 days to eradicate this damn thing and it will not go away.
I am getting black listed. I have delete all of my plugins and tried to do a re-install and it will not complete that without crashing.
I have tried 3 other packages. And I am still getting nowhere.
I have limited funds and was only able to donate 10 bucks to the cause. You seemed to have a lot of support for fixing issues. I only hope you can fix mine.
James, …
This is what is continualy being written into almost all of my *.js scripts.
***
document.write(”);
***
It use to say something else. In fact it was saying something different over the last ten days. Every once in a while it would say a different web site along with an excutable cgi script call..
And I, over the last 2 weeks have periodically overwriting the infected *.js files with an unzipped copy of wordpress 3.4.2 on my local machine.
I needed something to compare to on a file by file basis anyway.
It takes only a littel while and no matter what I do. It re-writes all the *.js files again and only God knows what else is going on.
Removing these infection in this way does not get at the source of the infection. I think there is a php script somewhere on your server that is causing, or at least allowing, these files to get reinfected.
I you send me WP Admin credentials to your site I’ll take a look.
Dear Eli,
I have a stupid question (as announced): I ran 3 complete scans today and found I have 1 read/write error. What does that mean and what should I do? Thanks for helping a blonde
There are no stupid questions, only stupid answers. So, here is my stupid answer
Read/Write Errors can be caused by a variety problems ranging from permissions to file size or irregular content. I know this does not shed any light on the problem you’re having but without looking at your files and running some tests I can’t really tell you what the problem is in your particular case.
If you want to give me WP Admin access to you site I could look into it for you.
I ran a quick or complete scan on a new WP install, just to be sure. I got “1 read/write error” but clicking the link does nothing and the Scan Details area below just shows a no entry symbol and filled pink rectangle.
I think there might be an .htaccess or permissions problem somewhere on the server, but I don’t know where to check. Can you advise?
The read error means that my plugin could not access that file. You should check the permissions on that file or download it via FTP and send it to me so and I’ll check the file for infections. If you want me to debug to resolve the read error I would need access to your WP Admin.
As to the .htaccess issue, is your WordPress installed in the root of the site or a sub-directory?
Thanks for the help so far.
When you say that I should check the permissions on “that file”, how do I found out which one it is? There is no information in the details window. As far as I’m aware, the plugins folder permissions are set to 755. Is that ok?
To answer your other question, WordPress is installed in a sub-directory but my host insists there is no restriction on writing to any folder.
755 should be ok. Maybe your server doesn’t allocate enough memory to the PHP process to open that file. I am willing to check it out for you if you want to give me access to your site.
I’ve just updated the plugin and downloaded the new definitions (still on WP 3.4.2). I ran the complete scan on 5 of my accounts (all on the same dedicated server) and every one of them is getting stuck at 99% done, with one folder remaining. It’s a different folder in each case. I’m also getting read/write errors on some of the accounts.
It would be soooo much more useful if the progress bar showed which folder got stuck and which file/folder caused the read/write error. I really don’t know where to start looking and I have many more accounts to test. Any further advice would be much appreciated.
I updated the plugin and fixed that bug that caused it to stop at 99%. Thanks for reporting this issue to me. As for the read/write errors, if you click on it you will see a list of the individual files and their errors.
Fantastic, thanks. This is a big improvement.
Please help me! My site which is less than 2 weeks old has been hacked and the majority of my pages come up with a ‘this site has been hacked page’
I’m a novice but have been reading and attempting every hint I find but no luck. Have installed and run your malware and although it removed something, the problem remains. What else can I do??
Your site looks petty clean now. The only thing I see is that the 404 Error page is still hacked. I would be happy to look at the scan results and get rid of that 404 message if you want to give me admin access to your site. You can email credentials directly to wordpress at ieonly dot com.
Thanks for your trust in letting me into your site (it makes it a lot easier to help). I updated the definitions and removed a couple more threats. There is still a bunch of the hacker’s HTML on these two pages:
public_html/wp-content/themes/freestyle/index.php
public_html/wp-content/themes/freestyle/page.php
They are not malicious scripts, just defaced HTML. because they are in the freestyle theme directory I don’t want to mess with them in case I break the site. You can fix this easier anyway in one of two ways:
1. If these files come with the original download of the freestyle theme then just replace them from the originals.
2. If the file is not in the freestyle theme you originally downloaded then delete that file.
Please let me know if that did not fix all the problems. I would be more than happy to look at it again after you fix the theme.
I can’t login. my site admin got redirected
Can you give me the username and password for you admin so I can try?
Thanks for the login info. I got it cleaned, you just needed to download the latest definition file by click the button on the right hand side. I did this for you so your definition file is now updated. I also scanned the root of the public_html directory and fixed the .htaccess file there that was causing your malicious redirect.
Next step: you can request a review of your site using Google Webmaster Tools.