FAQ
-
Why should I register?
-
If you register on GOTMLS.NET you will have access to download definitions of New Threats and added features like automatic removal of "Known Threats" and patches for specific security issues like old versions of timthumb and brute-force attacks on wp-login.php. Otherwise, this plugin only scans for "Potential Threats" on your site, and it is then up to you to identify the good from the bad and remove them accordingly.
-
How do I patch the Revolution Slider vulnerability?
-
Easy: if you have installed and activated my Anti-Malware plugin on your site then it will automatically block attempts to exploit the Revolution Slider vulnerability.
-
How do I patch the wp-login vulnerability?
-
The WordPress Login page is susceptible to a brute-force attack (just like any other login page). These types of attacks are becoming more prevalent these days and can sometimes cause your server to become slow or unresponsive, even if the attacks do not succeed in gaining access to your site. This plugin can apply a patch that will block access to the WordPress Login page whenever this type of attack is detected. Just click the Install Patch button under Brute-force Protection on the Anti-Malware Setting page. For more information on this subject read my blog.
-
Why can't I automatically remove the "Potential Threats" in yellow?
-
Many of these files may use eval and other powerful PHP functions for perfectly legitimate reasons, and removing that code from the files would likely cripple or even break your site, so I have only enabled the Auto remove feature for "Known Threats".
-
How do I know if any of the "Potential Threats" are dangerous?
-
Click on the linked filename to examine it, then click each numbered link above the file content box to highlight the suspicious code. If you cannot tell whether or not the code is malicious, just leave it alone or ask someone else to look at it for you. If you find that it is malicious, please send me a copy of the file so that I can add it to my definition update as a "Known Threat"; then it can be automatically removed.
-
What if the scan gets stuck part way through?
-
First, just leave it for a while. If there are a lot of files on your server it could take quite a while and could sometimes appear to not be moving along at all even if it really is working. If it still seems stuck after a while then try running the scan again; be sure you try both the Complete Scan and the Quick Scan.
-
How did I get hacked in the first place?
-
First, don't take the attack personally. Lots of hackers routinely run automated scripts that crawl the internet looking for easy targets. Your site probably got hacked because you are unknowingly an easy target. This might be because you are running an older version of WordPress or have installed a Plugin or Theme with a backdoor or known security vulnerability. However, the most common type of infection I see is cross-contamination. This can happen when your site is on a shared server with other exploitable sites that got infected. In most shared hosting environments it's possible for hackers to use one infected site to infect other sites on the same server, sometimes even if the sites are on different accounts.
-
What can I do to prevent it from happening again?
-
There is no sure way to protect your site from every kind of hack attempt. That said, don't be an easy target. Some basic steps should include: hardening your password, keeping all your sites up-to-date, and running regular scans with Anti-Malware software like GOTMLS.NET.
-
Why does sucuri.net or the Google Safe Browsing Diagnostic page still say my site is infected after I have removed the malicious code?
-
sucuri.net caches their scan results and will not refresh the scan until you click the small link near the bottom of the page that says "Force a Re-scan" to clear the cache. Google also caches your infected pages and usually takes some time before crawling your site again, but you can speed up that process by Requesting a Review in the Malware or Security section of Google Webmaster Tools. It is a good idea to have a Webmaster Tools account for your site anyway as it can provide lots of other helpful information about your site.
-
How can I report security bugs?
-
You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. Report a security vulnerability.
Hi, after just a few seconds running the scan it gets freezy, what should I do about it? Thank you!
Maybe try a different browser. If the Complete Scan is running slow in all browsers then check the Inspector or Error Console in your browser to see if there are any JavaScript errors on the scan results page, maybe the virus is outputting HTML into the dynamic JavaScript and it's breaking the page. You can also try running some of the Quick Scans.
Eli,
I am looking at getting rid of this code in revslider folder – which I did not install. …/public_html/wp-content/plugins/revslider/temp/update_extract/fullmagic.php Is this safe or should I remove it?
Thanks for sending me those files. I just added that new threat in the fullmagic.php file to my definition updates so that it can now be automatically fixed.
Since you didn't install revslider on your site I would suggest you remove that whole folder as it is not needed on your site and it may be the reason your site got infected in the first place.
After installing the plugin, I constantly receive file changes messages from a plugin saying that certain files in your plugin have changed. I just want to be sure if this is what your plugin would normally do updates files by itself. Secondly, whenever I go to wp-admin, I received a msg showing this is redirected from a site protected by your plugin. It is not so comforting to see a message when I actually wanted to see the dashboard of wordpress.
It sounds like the session feature on your server is not working consistently. I assume that those "file Change warnings" that you are receiving are related to the temporary php log files that my plugin creates to track brute force login attacks when the session fails. These files would be in the "_SESSION" folder inside gotmls/safe-load/
If your login attempts are also being blocked this is another indication of your server failing to maintain a valid session. You can disable the Brute-Force login protection or you can ask your host to investigate why your server is not maintaining persistent sessions. Let me know if I can be of any further assistance in this matter.
I did a complete scan, which found potential threats. However, I could not see any button to fix these. Note that I had not registered at that point. Does the fix button only appear if registered?
Secondly, I have moved away from the results page but can't see how to get back to it again, assuming I can still fix without running another scan.
Thanks in advance.
You need to register to download the latest definition update. Then my plugin can identify the Known Threats and remove them for you. The scan results are not cached or saved, rightly so, because those last results will be useless and irrelevant once you have downloaded the latest definition updates. You will need to scan again to get accurate results.
Hello!
Thank you for a great plugin!
I just have a little issue : lately, I'm getting this error on top of the plugin's page :
Warning: unlink(/home/www/fd13bebdc9340599bf4ef9260d16d29e/web/wp-content/uploads/quarantine/.htaccess) [function.unlink]: Permission denied in /home/www/fd13bebdc9340599bf4ef9260d16d29e/web/wp-content/plugins/gotmls/index.php on line 666
Also, if I try to enable the brute force protection, I get a lot of these kind of errors:
fd13bebdc9340599bf4ef9260d16d29e/web/wp-content/uploads/quarantine/EBBAA.L2hvbWUvd3d3L2ZkMTNiZWJkYzkzNDA1OTliZjRlZjkyNjBkMTZkMjllL3dlYi93cC1jb250ZW50L3RoZW1lcy9nbGFuY2UvaW5jL3RpbXRodW1iLnBocA3.GOTMLS) [function.unlink]: Permission denied in /home/www/fd13bebdc9340599bf4ef9260d16d29e/web/wp-content/plugins/gotmls/index.php on line 660
What can I do to fix this?
Thanks in advance for your help!
Florian
You are seeing these errors because you had an older version of my plugin that had quarantined infections in a folder on your site called wp-content/uploads/quarantine and the new version of my plugin has imported the Quarantine into the database and has no use for this directory any more. Your server is not allowing my plugin to delete these unnecessary files so you are getting these errors. Please delete the quarantine folder (and all of its contents), then you will not see any of those errors any more.
Hi Eli,
Thanks for the gr8 plugin.
Installed the plugin on two sites but have got the following msg
You do not have sufficient permissions to access this page.
I have full admin rights and all files have 755 rights.
Please advise,
Thanks
I just released a plugin update to fix this error you were getting. Please download version 4.15.44 and let me know if that fixes it for you.
Hi Eli,
The issue seems fixed with the new version of the plugin you put out.
Many thanks
Thanks for the great software (I've donated). I've got Wordfence installed but I find myself running your scan every day and it finds new hacks each time. Can you recommend anything that I need to add to once and for all get rid of the PHP infestation which manages to manifest in new ways each day?
It sounds like you've still got some kind of exploitable vulnerability on your server that is letting you get repeatedly reinfected. You can compare the most recent infection time with the activity in your access_log files to see if it's a script vulnerability on your site. If you can't find it there then you may just need to move your site to a more secure hosting environment. If you find a new malicious script on your site let me know, otherwise, I do offer Super Secure Hosting for $12/month per site if you are interested.
Thank you. Where does your plugin show the infection time?
If you have already cleaned the infected files then you can find the original infection time in the Quarantine.
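One way to do the comparison described above, as an added example (not part of the plugin or of the original replies): given the infection time shown in the Quarantine, it lists the requests in an Apache combined-format access_log that fall in a window around that time and ranks POST requests and PHP files under the uploads folder first. The log lines, the timestamp, the window sizes and the scoring weights are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def score(entry):
    """Rough triage weight (illustrative, not a verdict): higher = look at it first."""
    s = 0
    if entry["method"] == "POST":
        s += 2                      # file writes usually arrive as POST bodies
    path = entry["path"].split("?", 1)[0].lower()
    if path.endswith(".php") and "/wp-content/uploads/" in path:
        s += 3                      # PHP executing from the uploads folder is unusual
    if 200 <= entry["status"] < 300:
        s += 1                      # the request was served, not rejected
    return s

def requests_near_infection(lines, infected_at, before_minutes=10, after_minutes=1):
    """Requests inside [infected_at - before, infected_at + after], best leads first.

    The short 'after' margin allows for clock skew between the file
    timestamp and the web server log.
    """
    start = infected_at - timedelta(minutes=before_minutes)
    end = infected_at + timedelta(minutes=after_minutes)
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                # skip blank or malformed lines
        if start <= entry["ts"] <= end:
            entry["score"] = score(entry)
            hits.append(entry)
    hits.sort(key=lambda e: (-e["score"], e["ts"]))
    return hits

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:03:14:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:03:14:55 +0000] "POST /wp-content/uploads/2015/03/cache.php HTTP/1.1" 200 17 "-" "-"
192.0.2.50 - - [12/Mar/2015:03:15:01 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:04:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""
SAMPLE_INFECTED_AT = datetime(2015, 3, 12, 3, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in requests_near_infection(SAMPLE_LOG.splitlines(), SAMPLE_INFECTED_AT):
        print(e["score"], e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

If nothing in the window touches the site, that supports the other possibility raised above: the write came from elsewhere on the server rather than through a script on this site.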
Dear Eli,
I've installed your plugin and like it very much. Thank you a lot for your job!
I now get five read/write errors. If i try to open the files in the window the pop-up says "This site is temporarily down for maintenance. Please try again later."
My server is Apache. I've already checked the permissions on these files. They are set the same as the files in the same folder. I can also open these files without problems.
But I'm not a programmer, I can't check them directly.
Can you help? Could I send you the files?
Thank you in advance.
Thanks for sending me a login for your site. I was able to figure out that a bug in your PHP interpreter was causing one of the Regular Expressions in my definitions to fail. I have released a new definition update that resolves this issue and your site can once again run the Complete Scan without any errors.
Found your plugin today and installed it. I am told that my site problem is probably a hack.
Ran the plugin and got two back-door threats, which were to unused theme files. I deleted the two themes.
I now get two read/write errors in files that don't open in the window interface provided in your program. I've looked at them (one is about 8000 lines) but have no clue…
Can you help?
Sure, send me those two files and I can check them for you. It may be a permission problem or it might just be that they are too big for your server to scan.
Could "Anti-Malware from GOTMLS.NET" be set for regular automatic site scan with fixing infected files?
A method for scheduling scans is on my to-do list but it's not a simple matter. I am working on a few different solutions and I hope to have something to satisfy this need ready for BETA testing by the end of the year.
My site hosting service (I can give you the name offline if needed) is insisting that I still have infected WP admin files after GOTMLS ran a scan and provided a clean scan. (It did find some infected files and cleaned them!) GOTMLS does show a list of "Potentials" but that list of files does not match the files they insist are still infected. Is there a way to submit these "infected" WordPress files to GOTMLS for review? The infected files are all in the /wp-admin/ folder. I'm running version WP 4.3.
Can you please email me directly with the infected files that are not found by my plugin so I can add them to my definition updates?
Can I change the email from which I registered? for some reason it was already filled and I didn't notice this until it was too late
Yes, just login to gotmls.net with the account you already registered with. Then you can either un-register or just transfer your registration directly to another account.
Hi, I would like to use this plugin but I cannot access my wp-admin page because that has been blocked by my host as well.
Ask your host to unblock your site, at least to you, so that you can get it all cleaned up. If your host is completely unhelpful and uncooperative then you should move your site to a better host.
Google says that my site may have been hacked. I've been running up-to-date malware scans and it appears clean (except for a few 'probably fine' issues).
When I request a review of security issues in the Search Console, they tell me they haven't detected any issues on the site content. Yet, in Fetch as Google, it looks like some pages have been taken over. ARGH! I feel like I'm in an endless loop of frustration and clicking through the Google instructions keeps coming back to the same place.
Do you have any additional utils for getting rid of malicious code?
thanks again for the program.
b
Google is not that good at providing the most up-to-date and accurate information on your site. Often their warnings relate to cached results of pages that have already been cleaned.
Having said that, Fetch as GoogleBot is a good tool and if it is showing malicious content on one of your pages then it is probably still on there. The problem you face is one of the most frustrating to pin down. Well written SEO Spam infections are the hardest to detect and clean because they are designed to only show up for the search engines and will usually not show up in a regular browser. There is an Add-On for Firefox called User Agent Switcher that I find very helpful. You can make Firefox pretend to be the GoogleBot or another search engine and see what your site looks like then (it works most of the time, but not all the time).
If you can find the malicious output in your HTML source code then you can try to track it back to the PHP source from there. Look at the tags on either side of the malicious code to figure out which template contains the trigger for the injection (it's usually in the theme's header or footer). You can also compare your theme files with the original installation to see what files were modified.
Of course the infection could be in a plugin or a WP Core file too. You can use the Core File Check in my plugin to make sure your Core Files have not been modified.
Let me know if you need more help.
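The check described in this reply, as an added example that is not part of the plugin or of the original reply: it compares the HTML a site returns to a normal browser with the HTML it returns to a GoogleBot User-Agent, lists external links, scripts and iframes that appear only in the crawler's copy, and names the nearest preceding element with an id so the output can be traced back to a template (header, footer and so on). The two HTML samples, the host names and the helper names are constructed for illustration; `fetch_as` is only needed when running it against your own site.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"

# Tags whose URL attribute is worth comparing between the two responses.
URL_ATTRS = {"a": "href", "script": "src", "iframe": "src"}

class LinkCollector(HTMLParser):
    """Collect URLs and remember the last element with an id seen before each."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.last_id = None
        self.links = {}             # url -> "tag#id" of nearest preceding id, or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("id"):
            self.last_id = f"{tag}#{attrs['id']}"
        attr = URL_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if url:
            self.links.setdefault(url.strip(), self.last_id)

def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links

def is_external(url, site_host):
    """True when the URL names a host other than the site or its subdomains."""
    host = urlparse(url).hostname
    if host is None:                # relative link, stays on the site
        return False
    host, site_host = host.lower(), site_host.lower()
    return host != site_host and not host.endswith("." + site_host)

def bot_only_links(browser_html, bot_html, site_host):
    """External URLs served to the crawler but absent from the browser's copy."""
    seen_by_browser = collect_links(browser_html)
    return [
        (url, marker)
        for url, marker in collect_links(bot_html).items()
        if url not in seen_by_browser and is_external(url, site_host)
    ]

def fetch_as(url, user_agent, timeout=15):
    """Fetch a page of your own site while presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed samples: the same page as a browser and as a crawler would receive it.
SAMPLE_BROWSER_HTML = """<html><body>
<div id="header"><a href="/about">About</a></div>
<div id="content"><a href="https://example.org/post">Post</a></div>
<div id="footer"><a href="http://wordpress.org/">WordPress</a></div>
</body></html>"""

SAMPLE_BOT_HTML = """<html><body>
<div id="header"><a href="/about">About</a></div>
<div id="content"><a href="https://example.org/post">Post</a></div>
<div id="footer"><a href="http://wordpress.org/">WordPress</a>
<a href="http://spam-one.example.net/cheap">cheap</a>
<a href="http://spam-two.example.net/">loans</a></div>
</body></html>"""

if __name__ == "__main__":
    for url, marker in bot_only_links(SAMPLE_BROWSER_HTML, SAMPLE_BOT_HTML, "example.org"):
        print(f"only in crawler copy: {url}  (after {marker})")
```

An empty result is not proof that the site is clean: cloaking that keys on the crawler's IP address instead of the User-Agent serves the same page to both requests.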
Thanks!. I understand just enough of this to be dangerous. I'll give it a try and let you know.
b
Hi,
My website got detected with Malware. I got to know from sitelock.com as I have a basic account that tag to my hosting account.
So since now my website has this malware, how should I install this plugin in the wordpress?
Or should I not install it?
Could you give me some advice?
Thanks a lot.
If you can get into your WP Admin then you should install my Anti-Malware plugin, Activate it, and download the definition update. Then you can run a Complete Scan and clean off any Known Threats that are found.
Hey there admin,
I really want to thank you for your plugin. Got all the threats removed. Did a malware scan on sitelock, result came back with a "GOOD".
I'm so glad that I have used your plugin. Awesome.
Not sure if the malware will come back or not. If it does, I will need your help again.
Again, thank you for your amazing plugin. I will donate to upgrade to have my core files to check.
Thanks.
Hi again,
I am thinking of reinstalling my WordPress. If I reinstall, do I need to register again when I install the plugin? What happens if I made the donation upgrade?
The reason for reinstalling is that I found a post, probably created by the malware. Not sure how it got written and published onto my WordPress.
The only thing I can think of is a login into the back end, so I have changed my password.
But I also worry that a hacker may use some sort of SQL injection to create the post and I am afraid that this would also mean my WordPress database credentials got compromised.
So let me know if I need to register again.
Thank you.
If you re-install you should not need to re-register, just check for new definition updates and it will find your registration. Even if you re-install, your WordPress database credentials will likely stay the same. You need to use whatever database tools are provided by your host to manually change the DB_PASSWORD and then update your wp-config.php file.
I was trying to log in to my wp admin and got "REDIRECTED" to this and can't access my site – what gives and how do we get this fixed????
3269263
You have been redirected here from … [private domain] … which is protected against brute-force attacks by GOTMLS.NET
This error number refers to NO_SESSION_ERROR. It is likely that you tried to login after letting your browser sit on the login screen for long enough that the active Session had expired. If you refresh the login page and then try to login again it should work.
If you just want to remove this login protection you can remove the code at the top of your wp-config.php file, it should look something like this:
if ( file_exists('/public_html/wp-content/plugins/gotmls/safe-load/wp-login.php')) require_once('/public_html/wp-content/plugins/gotmls/safe-load/wp-login.php'); // Load Brute-Force Protection by GOTMLS.NET before the WordPress bootstrap.
…but make sure you leave <?php at the beginning of the top line.
If you are still having trouble or need any more help with this please email me directly.
Hi,
I am having a similar problem as this. Except when I click sign in, a pop up box says "This form will be sent in a way that is not secure. Are you sure you want to send it?" …. I click send …. and then a 404 error occurs.
That has nothing to do with my plugin, Rachel. Your site uses SSL but the login form is posting to a malformed and non-secure page that does not exist on your site. I think some other login security plugin you have installed is breaking it, probably because it is not compatible with HTTPS.
I have just installed the plugin and registered. The plugin still seems to be only scanning for potential threats – the other options still have the red circle saying must be registered to get them. How do I activate these? I'm pretty sure I have Malware because my site is behaving very erratically.
Apologies, ignore this I just ran the definition updates.
hey there,
I have downloaded your software and it found 7 files or so that are infected. How do I clean them? This is not my cup of tea. Most of them don't look like threats but one of them has a ton of unusual code.
Please help,
Cheers,
Bud
My guess is that these 7 files are only "Potential Threats" and they are probably not malicious (as it says on the results page you see). If that is the case then my plugin will not offer to fix them and you should not do anything with them either. You can send me the one file that has a ton of unusual code in it if you want me to take a look at it and I will let you know what I think. If there were any files infected with Known Threats or Back-doors then my plugin would offer to fix them.
Hi
Looking for help. I have registered my site, but when I click update definitions it takes me to a page that says Forbidden. I have since tried to re-register the site using the same key but the system says the site is already registered. I must be doing something wrong somewhere! Please help.
D
This "Forbidden" error that you are getting is probably from a firewall or some other security plugin that you have installed that is trying to block my definition updates. Please experiment with disabling other security measures temporarily to see if you can download the updates and let me know what it was that was preventing the update. If you cannot figure it out on your own you can send me your WP Admin login and I will figure it out for you.
I have the same problem. I disabled all plugins and the same problem continues!
Something on your server is redirecting calls away from your admin-ajax.php URL and preventing the loading of any PHP files in your plugins directory. Another security plugin may have added code to your .htaccess file that will still be in effect even if you have deactivated or even deleted that plugin.
Can you please send me the contents of your .htaccess file and a screenshot of the error you are getting so that I can see the URL that you are getting this error on?
You can email this information directly:
eli AT gotmls DOT net
Please help me,
My hosting suspended my account 3 times because of a brute-force attack and some kind of process of it.
I installed this tool and patched wp-login and updated/rescanned everything twice. It found something in users.php and cleaned it.
However, my site again got suspended under the same brute force issue. Shouldn't this prevent it?
I don't know what to do and how to fix it.
I will try to talk with eurovps to give me one more chance, and I have to download a backup, because I am not sure if they will give me any more chances.
My plugin should protect your site from most Brute-Force attacks but nothing can stop the hackers from trying, even if their attempts are futile. If your host cannot counter the attack and they are putting it on you, and not helping, and suspending your account, then maybe you should switch to a better and more secure host.
I run a Super Secure Hosting server for people who are getting hacked and need a safe place for their site. I could move your site to my server and help you get rid of these hackers if you are open to switching your hosting over. Let me know if you are interested, and how many sites you would need to host with me.
Maybe a stupid question, but how do I add a gravatar to my profile? I also do not see all the websites where I installed the app. Do I need to go and make sure the same email was registered for each site? I think they are all using the same one.
If you have registered each site using the same email address then you should see them all here: http://gotmls.net/members/
You can add a gravatar for yourself at gravatar.com
Nice plugin! Very thank you! But, sometimes it does not work. I see Only: Loading, Please Wait … http://prntscr.com/65ud20 Sometimes it starts, sometimes not. What could be the problem?
From the screenshot it looks like there may be a JavaScript error on the page that is preventing the scan from starting. Try an element inspector or JavaScript debugger or check the error console.
After tonight's update my site always redirects to this:
You have been redirected here from a site that is protected against brute-force attacks by GOTMLS.NET
I had to disable this plugin and now all works fine.
Sorry for that buggy version 4.14.56, I was missing a "/" in one of my conditions and that messed everything up in that last release.
I have fixed this issue in my newest release, please download this new version 4.14.58 ASAP and let me know if that fixes it for you.
Thanks for reporting this bug. Please let me know if there is anything else.
Eli – I have a couple of multi-site installations that are targeted frequently. Any concerns regarding using your plug-in on Multi-site?
I have not used my plugin that much on multi-site but it should work fine. I have even written some special menu code specifically for multi-site permissions.
Please give it a try and let me know if you have any feedback that might help me improve it.
Hello,
If I donate and register, can I use it on several websites?
You can register and use my plugin on as many sites as you want, and donate as much as you can afford to.
The Definition Updates and Plugin Updates have just been spinning where I can't update the definitions or see what the plugin installation key is so I can update them. Is there something going on, or is there any other way you can help?
Thanks for a AWESOME PLUGIN!!!
This issue is fixed in my new release. Please update to version 4.14.54 and let me know if that fixes it for you.
Hi Eli, first of all thanks and congratulations for a great and extremely useful service! You can count with another donation on the way.
I have a VPS shared hosting account on HostGator with over 20 domains (10+ of them are WordPress). I have installed your plugin at one of them. All domains are addon domains of the main root directory.
Is it possible to set up the complete scan feature to run through my whole root directory, covering all the addon domains from this shared hosting account or I would need to install the plugin individually in each of the WP Admin panels?
I hope this higher level of scan can be set up, since it would help a lot.
Thanks in advance for your time.
Rogerio Barreto
If you install my plugin in the root site then it can scan all the sub-directories, including those that contain other sites. You can scan and remove threats from any file under the root path, but some of the protection my plugin offers will only be effective on the site it is installed on, so it would be best to install my plugin on each of your sites.
Hi,
Thank you for your plugin, it is very useful.
Our website got compromised yesterday evening with a malicious code your plugin doesn't seem to find.
This malware inserts a tag wherever it can find a tag across the files on the server (I found traces of the malicious code in various directories, either public or not).
The malicious code is injected before the tag. It doesn't matter if it's a comment ( /* Be sure to place blablabla before */) or not.
The script tag will call a js file, located at this address:
http://122.155.168.105/ads/inpage/pub/collect.js
One sign a website is compromised is that it will take way longer than usual to load.
-Christian
PS: our website is running on WordPress, but I don't know if this malware can be found in other CMS.
I just added this new threat to my Definition Update this morning. If you download the latest definitions then my plugin should be able to find and remove this threat from every infected file on your site.
Please let me know if you find anything that my plugin is still missing after you download the new Definition Updates.
Hi there.. Can this plugin be used in conjunction with your plugin "All In One WP Security & Firewall"??
It certainly can. However, you should know that plugins that call themselves "Firewalls" sometimes block Posting large amounts of data or encrypted data to your site. In some cases this can prevent you from downloading my Definition Updates or even using the WordPress built-in Plugin/Theme Editor.
Good morning Sir,
Let's start with saying your tool is precious and your help is godsent.
I got my plugins injected with malicious code (currently over 4k known threats detected, as I'm running the complete scan). I fear something went wrong when I tried to automatically fix the previously found php files after the quick scan.
What should the box say, apart from "… Loading, Please Wait …", because this is the only thing I got so far.
My website is in your hands. As well as all my appreciation.
Greetings,
Andrea
If it's found that many Known Threats on your site then you should give the "… Loading" screen a few minutes at least. If it really never seems to get anywhere when fixing that many at a time then you should try restarting the scan, and this time watch it closely and click the "Automatically fix…" button for every 50-100 threats it finds (you can have it cleaning as it finds more at the same time). That way it only has to do smaller batches at a time.
If that does not work and you cannot get it to clean any of the threats found then you can send me your WP Admin login and I'll take a look at it myself.
Bit of a problem – you need an "abort scan" button. My site is stuck in what appears to be an endless loop of scanning and won't stop.
It's not outputting any list or content as it usually does. This happened right after an update of definitions and starting a new "QuickScan."
I'm not sure how to stop the process since it's running on my server, but we're talking going on 10 minutes and no response.
Most definitely needs a STOP SCAN button.
Jessica Chandler
Actually there is no way for me to add an abort button to the Quick Scan because it attempts to run the whole scan under one PHP instance (this is the reason it is so quick and the reason it fails under a heavy server load). Try closing the browser and give it 30 seconds rest before loading the admin pages again. Then try using the Complete Scan. The Quick Scan is really only ideal for a limited set of circumstances. This is why I created the Complete Scan which does have a Pause button and can handle larger scans by breaking up the job over multiple PHP processes.
I am actually considering re-purposing the Quick Scan option to do a selective scan of the most commonly infected areas. This would avoid the current confusion most people seem to have with when to use the Quick Scan option and limit the resource consumption issues like what you may be experiencing now.
I hope this helps and I would be glad to offer more assistance.
Dear Eli,
my site nezavislost.biz was listed by google as the site containing malware. I have scanned it using different antimalware software (including your Anti_malware plugin) showing always clean status. However, google insists I have malware on my page, even provided links, in which they see malware scripts. However, I am not able to identify any and I am at the end with my actions….. Can you help here please? Peter
I'm not sure why your site is coming up clean on all scans when Google says you are infected. Have you requested a review in your Google Webmaster Tools yet and did they respond with pages that were still infected?
If so, you may have a few threats that have not yet been identified by me or any of the other scanners. If you want to give me your WP Admin login I will look for it and when I find it I can add it to my definition updates so that it can be automatically found and removed.
hello there,
It seems my wp-login.php file got messed up after taking it to quarantine. When i try to login it downloads the file..is it possible that your plugin caused that or it is hackers that did this. I was under brute force attack yesterday and today, but after quarantining the wp-login, i show i couldn't log in! Pls help!!
That is strange. The very first time I went to the /wp-login.php URL it did indeed download the PHP file, and I could see that it had not yet been modified by my plugin. Then I tried other /wp-admin/ URLs and was successfully redirected to your /wp-login.php page to login. Now I cannot get it to download the file any more, it only loads the page now (as it is supposed to do), even in another browser.
This strange behavior could be caused by a bad entry in your .htaccess file. Do you have any other plugins that may have modified your .htaccess file?
Perhaps you can find something there that is causing this and can then fix it, if not you can send me your FTP login and I will check it out for you.
Hi, don't worry about it, it was not your plugin.
Hi,
I'm trying to find the gotmls plugin key to register on your website. When I go to the gotmls settings or quick scan on my wp plugins page I get the following message: You do not have sufficient permissions to access this page. I am a wp novice, but I wanted to try your plugin because I think the website is infected, as I discovered that any links to it from our facebook page are redirected to aeklsaoqp.ddns.me.uk with a message that says the server cannot be found.
thank you,
Chris
I am sorry for this permission error you are getting. I have recently changed the menu permissions to make my plugin more compatible with multisite, but I have come to realize that not everyone uses the same administrator permissions. Your issue is most likely caused by having the Plugin Editor disabled, or by not having permission to edit files. Once your Administrator account has the right permissions you should see the Anti-Malware menu and you will be able to use the easy one-click registration on the settings page.
If you are not sure how to check and fix these permission issues and you are willing to give me access to your WP Admin then I will fix it for you. You can email login info directly to me: eli AT gotmls DOT net
I was hit with a malware warning from Google tonight, I've downloaded your plug-in, donated and updated, and found a few potential threats which I have fixed.
I've scanned the site again and it's found no threats. But still a bit paranoid there's something suspect in the known threats, I've looked in a couple but I wouldn't know where to start identifying any potential risks. Would it be cheeky to ask for a quick site once-over from you to see if you can find anything else wrong?
No problem. I am a bit busy, but if you can send me a WP Admin login I will check it out for you.
I would also like to search my whole root directory please since my wordpress is installed in a directory
Thanks in advance!
I have updated the scan range on your registration to include the root site. Download the latest Definition Update and you should be able to scan one level higher in the directory hierarchy.
Thanks a lot Eli!
One more question: I got 3-4 sites that are static html ones (no cms of any kind) in another hosting. How can I use this excellent plugin in order to scan/protect them?
I will eventually get my plugin to work outside of the WordPress infrastructure but until then you would need to have them on the same hosting account as a WordPress site to scan them with my plugin. They would probably be safer on a server with no PHP on it though.
Hello! Your plugin tracked down some nasty code in a WP-Login.php file, but sucuri.net still says my root site is infected with javascript (http://sucuri.net/malware/entry/MW:SPAM:SEO). Is there any way to check my root with your plugin (my wordpress is installed in a directory)? Many thanks
I have expanded the search range on your registration to include the root domain. You'll need to download a definition update for the change to take effect. You can click the green checkbox in the Definition Updates section to the right of the Scan Setting if you need to force a Definition Update.
Please let me know if it still does not find the threat you are looking for.
Astounding! Many thanks. Going to try that out now. You may just be the fastest draw in the West. *salutes*
Hmmm. I ran it and searched my entire site, but the malware remains unfound and sucuri.net still says my site is infected. Would a database infection alone show up on sucuri? I'm absolutely lost
I've seen this javascript before, "dnnViewState()" combined with various iframes. The problem is finding out where it is generated from. It could just be in your DB, at the bottom of a post or in a text widget, but it is more likely encrypted in some PHP file somewhere. I can look for it for you if you want to give me WP Admin access to your site.
I replied to the email comment I received with info. Thanks again
Thanks for the login info.
I refreshed the sucuri scan and there were then different results so I'm looking into that now. I am still looking but so far I think your theme has been tampered with. If you still have the install files for that "newsimple" theme you should reinstall it. Switch to another theme so you can completely delete the newsimple theme before you reinstall it.
Hello,
When I try and activate this plugin I get the below error:
Fatal error: Call to a member function query() on a non-object in /home/UsernameRemoved/public_html/DomainRemoved/wp-content/plugins/gotmls/images/index.php on line 524
Do you know why this is happening?
Any help is much appreciated. If you have any questions, please do not hesitate to let me know.
Regards,
-= Jerry Campbell =-
You can rem that line out by putting two slashes in front of it or completely remove it. It was meant to clean up settings from an older version when you are upgrading.
Thanks for letting me know about this error. I will fix it and release another plugin update soon.
Hello Eli,
I was hit with a malware warning from Google when Chrome or Firefox views the site. I've downloaded your plug-in, updated, and found a few potential threats in my W3 cache.
Next, I deleted the cache, ensured the files in question were gone and had Google reexamine the site. Still, they tell me malware exists.
I would be happy to look at it if you want to send me a login to your site.
What details does Google provide about the infection?
Thanks for the login. I changed the settings to scan the public_html directory and ran a Complete Scan on the whole site. It found and fixed a malicious javascript injection in your theme's footer file.
You should request a review of your site in Google's Webmaster Tools now. Let me know if there is anything else.
I have a number of sites. I want to use the plug-in and register and donate; is there any way to do this besides each site? I will run out of emails and/or accounts. I can use the contact email but my name is the same. I can't make a donation until Friday, but I am not sure even the hacking has stopped, and I don't know where else to look for problems. I wanted to contact you direct so I could send an agreeable amount based on the sites. Is this still being worked on?
You can register all the sites using the same email address so that it puts them all under the same account on GOTMLS.NET
Then make just one donation within your budget and appropriate to the number of sites you are registering on that account.
Thanks for stopping by, and let me know if you need any help.
Hello, I love your plugin, it has saved my butt several times. But I will get Read/Write errors often after running the scan. How do I correct these Read/Write errors, what should they be? Is there any way I can get you to lend me a hand with this?
Thank you soooo much for any help you can provide!
The read/write errors are usually because the permissions on a file are such that the web-server process (usually Apache) does not have access to the file. Every server can be set up to run in many different ways so there is no one-right-way to set the permissions. A good way to check the file in question is to compare its permissions to other files on the server, maybe this file is set to 600 and the others are 644, or the user/group is root/root and the others are you/www-data. A good FTP client like FileZilla can help you check and set permissions on your files.
There may be other reasons why some files on your server cannot be read, so if this does not help you I would be happy to take a look at it for you. If you want more help you can send login credentials to: eli at gotmls dot net
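The comparison described in the reply above (a file at 600 among files at 644, or owned by root/root among files owned by you/www-data), as an added example that is not part of the original thread or the plugin's code: it lists files whose mode or owner differs from the most common values in the same directory and checks whether a given process could read them. The function names and the uid/gid values in the demo are assumptions, and the check ignores ACLs and the root override.

```python
import os
import stat
import tempfile
from collections import Counter


def permission_outliers(directory):
    """Return (baseline, outliers) for regular files directly in `directory`.

    baseline is the most common (mode, uid, gid) triple; outliers are the
    (name, mode, uid, gid) entries that differ from it.
    """
    entries = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode):
            entries.append((name, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    if not entries:
        return None, []
    baseline = Counter(e[1:] for e in entries).most_common(1)[0][0]
    return baseline, [e for e in entries if e[1:] != baseline]


def readable_by(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic Unix read check: owner bits if the uid matches, else group
    bits if the gid matches, else 'other' bits (no ACLs, no root override)."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def demo():
    """Build a constructed directory: three files at 644 and one at 600."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in [("a.php", 0o644), ("b.php", 0o644),
                           ("c.php", 0o644), ("locked.php", 0o600)]:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        baseline, outliers = permission_outliers(d)
        return baseline[0], [(name, mode) for name, mode, _u, _g in outliers]


if __name__ == "__main__":
    base_mode, odd = demo()
    print("baseline mode:", oct(base_mode))
    for name, mode in odd:
        # 1000 = site owner, 33 = web-server account: assumed example ids
        ok = readable_by(mode, 1000, 1000, proc_uid=33, proc_gids={33})
        print(name, oct(mode), "readable by web server:", ok)
```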
You might want to make potential threats, removable, and also sendable to you, so you can analyze them as known threats.
I will never make potential threats removable because then everyone would remove them, and most of them are ok. If I had more time (i.e. if this were a fully funded project that I could devote 100% of my time to) then I would have a better system for dealing with that grey area between bad and unknown. Right now, if you were to remove all the potential threats it would most likely break your site and I doubt any of them are actually malicious. So, why are they even there then? Because sometimes new threats arise that are not yet known to me. This then becomes a good place to start looking. I try to help everyone who contacts me for support and the most efficient way for me to do that at this time is for them to give me access to their WP Admin. I am working toward a self-sufficient plugin that requires less help from the programmer (me) and more results for the do-it-yourselfers (you all).
If you want more features and better definitions please donate to support my work on this plugin. Thanks!
Hi there!
Great script, I would love to have it as a go-to in my arsenal of malware scans but I am having one problem.
When I go to update the definitions I am redirected to the homepage of the site and no updates are happening. Is there somewhere I can manually add the new definitions via FTP or something?
Cheers!
There is a manual update that I could help you with if needed, however the symptoms you describe exactly match the effect of that wordpress firewall plugin. If I am right that you are also using that firewall plugin then please disable it temporarily, then perform the update, then re-enable it again.
If that does not work I am more than happy to help you install the update manually.
I've registered on your site (and donated) but now can't log into my wordpress account and I wasn't able to download the definitions (the register key items were in green). Can you help please?
Thanks
I was able to login and clear up most of those infections when you gave me your WP Admin login but there were still more that did not match my definitions at the time. I have since updated the definition with those Known Threats but when I try to login to your site it says "The username or password you entered is incorrect". Did you change the password?
Have you gotten the update and cleaned up your site or do you still need my help?
I have also tried emailing you and got no response. I take the time to reply to everyone who contacts me for help, and I consider each request to be an open case until I hear otherwise, so if you don't need my help anymore please let me know.
Hi Eli -
Happy New Year. Firstly, thank you for your plug-in and this site. It's scary for a WordPress amateur to wake up to an email announcing that your site has been flagged by Google.
I did a complete Scan on my WordPress site. (6) files have been quarantined, there are a handful of potential threats (which appear to be from legit plugins that I've had for awhile) and there were 170 skipped folders.
I'm not sure what to do from here?
Thank you so much.
Steven
Thanks for sending me your credentials. I have found and removed the last infection that had been missed. I will be adding this new definition to my updates so that it will help others to find the same threat. I'll keep an eye on your site for a day or two to make sure nothing comes back if that's ok with you.
Dear Eli! I have problems with my site. This ordeal began yesterday in the evening. My site redirects users to a virus-affected site. As the company where we have the server received complaints it closed our site partially. I don't know what to do. They tell me to find scripts that are infected and delete them, to change all passwords and update wordpress.. As I was looking for a plugin that could help me to find these scripts I found yours. To be honest I have never used your plugin before so I don't know what to do next. Your plugin says that I have 24 potential threats. Please help me just somehow? =) This attack came out of the blue and I was not ready for that.. I didn't know to expect it.
I'm happy to help you with this. Without getting into your WP Admin I can only give you general advice based on the info you provide. If you are willing to give the WP Admin access I can check it out for you and let you know.
I am not getting that 'fix it all' button? Any ideas?
James, …
Did you download the Definition Update?
Are there any "Known Threats"?
NO, there are not any known threats. But I know the beast is still there!
The Repair button only shows up if there are "Known Threats" found.
I don't see any iframe redirect right now on the front of your site but it sounds like you have a back-door or some security vulnerability that is allowing repeated infections.
Ok, so that button doesn't come up without there being a specific issue. I get that…
I have tried for the last 14 days to eradicate this damn thing and it will not go away.
I am getting blacklisted. I have deleted all of my plugins and tried to do a re-install and it will not complete that without crashing.
I have tried 3 other packages. And I am still getting nowhere.
I have limited funds and was only able to donate 10 bucks to the cause. You seemed to have a lot of support for fixing issues. I only hope you can fix mine.
James, …
This is what is continually being written into almost all of my *.js scripts.
***
document.write(");
***
It used to say something else. In fact it was saying something different over the last ten days. Every once in a while it would say a different web site along with an executable cgi script call.
And I, over the last 2 weeks, have been periodically overwriting the infected *.js files with an unzipped copy of wordpress 3.4.2 on my local machine.
I needed something to compare to on a file by file basis anyway.
It takes only a little while and, no matter what I do, it re-writes all the *.js files again and only God knows what else is going on.
Removing these infections in this way does not get at the source of the infection. I think there is a php script somewhere on your server that is causing, or at least allowing, these files to get reinfected.
If you send me WP Admin credentials to your site I'll take a look.
Dear Eli,
I have a stupid question (as announced): I ran 3 complete scans today and found I have 1 read/write error. What does that mean and what should I do? Thanks for helping a blonde
There are no stupid questions, only stupid answers. So, here is my stupid answer
Read/Write Errors can be caused by a variety of problems ranging from permissions to file size or irregular content. I know this does not shed any light on the problem you're having but without looking at your files and running some tests I can't really tell you what the problem is in your particular case.
If you want to give me WP Admin access to your site I could look into it for you.
I ran a quick or complete scan on a new WP install, just to be sure. I got "1 read/write error" but clicking the link does nothing and the Scan Details area below just shows a no entry symbol and filled pink rectangle.
I think there might be an .htaccess or permissions problem somewhere on the server, but I don't know where to check. Can you advise?
The read error means that my plugin could not access that file. You should check the permissions on that file or download it via FTP and send it to me and I'll check the file for infections. If you want me to debug to resolve the read error I would need access to your WP Admin.
As to the .htaccess issue, is your WordPress installed in the root of the site or a sub-directory?
Thanks for the help so far.
When you say that I should check the permissions on "that file", how do I find out which one it is? There is no information in the details window. As far as I'm aware, the plugins folder permissions are set to 755. Is that ok?
To answer your other question, WordPress is installed in a sub-directory but my host insists there is no restriction on writing to any folder.
755 should be ok. Maybe your server doesn't allocate enough memory to the PHP process to open that file. I am willing to check it out for you if you want to give me access to your site.
I've just updated the plugin and downloaded the new definitions (still on WP 3.4.2). I ran the complete scan on 5 of my accounts (all on the same dedicated server) and every one of them is getting stuck at 99% done, with one folder remaining. It's a different folder in each case. I'm also getting read/write errors on some of the accounts.
It would be soooo much more useful if the progress bar showed which folder got stuck and which file/folder caused the read/write error. I really don't know where to start looking and I have many more accounts to test. Any further advice would be much appreciated.
I updated the plugin and fixed that bug that caused it to stop at 99%. Thanks for reporting this issue to me. As for the read/write errors, if you click on it you will see a list of the individual files and their errors.
Fantastic, thanks. This is a big improvement.
Please help me! My site which is less than 2 weeks old has been hacked and the majority of my pages come up with a 'this site has been hacked page'
I'm a novice but have been reading and attempting every hint I find but no luck. Have installed and run your malware and although it removed something, the problem remains. What else can I do??
Your site looks pretty clean now. The only thing I see is that the 404 Error page is still hacked. I would be happy to look at the scan results and get rid of that 404 message if you want to give me admin access to your site. You can email credentials directly to wordpress at ieonly dot com.
Thanks for your trust in letting me into your site (it makes it a lot easier to help). I updated the definitions and removed a couple more threats. There is still a bunch of the hacker's HTML on these two pages:
public_html/wp-content/themes/freestyle/index.php
public_html/wp-content/themes/freestyle/page.php
They are not malicious scripts, just defaced HTML. Because they are in the freestyle theme directory I don't want to mess with them in case I break the site. You can fix this easier anyway in one of two ways:
1. If these files come with the original download of the freestyle theme then just replace them from the originals.
2. If the file is not in the freestyle theme you originally downloaded then delete that file.
Please let me know if that did not fix all the problems. I would be more than happy to look at it again after you fix the theme.
I can't login. My site admin got redirected
Can you give me the username and password for your admin so I can try?
Thanks for the login info. I got it cleaned, you just needed to download the latest definition file by clicking the button on the right hand side. I did this for you so your definition file is now updated. I also scanned the root of the public_html directory and fixed the .htaccess file there that was causing your malicious redirect.
Next step: you can request a review of your site using Google Webmaster Tools.