GOTMLS plugin does not find existing malware. Help!

Home Forums Support Forum GOTMLS plugin does not find existing malware. Help!

Tagged: 

This topic contains 3 replies, has 2 voices, and was last updated by  Anti-Malware Admin 8 years, 3 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • January 5, 2016 at 9:45 am #1358

    Michael Peterson
    Member

    I have a [hacked] wordpress blog that, according to securi.net, is infected with a piece of malware named MW:BLK:2 (I used securi.net before I found, downloaded, and used GOTMLS – yes, I donated. I, too, am (was, actually) a s/w developer).

    GOTMLS does not detect MW:BLK:2.

    FYI, its behavior is as follows:

    Someone (or thing), other than me, is able to make posts despite my changing passwords daily. In addition, I have disabled post by email. Since the blog has only one user (me, the admin), I’m at a loss as to what to do.

    Are you familiar with MW:BLK:2? I assume that you are not since it’s not detected in the plugin’s scan.

    Alas, securi.net does provide the file name containing this code. Is there anything I can do to make this known to your plugin?

    Thanks, in advance,

    January 6, 2016 at 12:23 am #1360

    Anti-Malware Admin
    Key Master

    So first of all Sucuri calls this “MW:BLK:2″ but that’s only Sucuri’s generic designation for link to a blacklisted site. My plugin (nor anyone else’s for that matter) will ever refer to any given threat with the as Sucuri does with their MW:ABC:123 type names for things.

    What the are picking up on is a link to a javascript file in your header, and the only problem with that is that it is loading that file from the remote site stg.odnoklassniki.ru which Sucuri says is blacklisted. Here is the code they are finding in your header:

    <script type='text/javascript' src='http://stg.odnoklassniki.ru/share/odkl_share.js?ver=4.4'></script>

    To be fair I am not sure this is actually malicious code. It looks like some kind of share button and the only people who have blacklisted this Russian domain is Sucuri themselves. Just look at all the other security websites that say that domain is clean:

    Domain blacklisted by Sucuri Malware Labs: stg.odnoklassniki.ru
    Domain clean by Google Safe Browsing: stg.odnoklassniki.ru
    Domain clean by Norton Safe Web: stg.odnoklassniki.ru
    Domain clean on Phish tank: stg.odnoklassniki.ru
    Domain clean on the Opera browser: stg.odnoklassniki.ru
    Domain clean by SiteAdvisor: stg.odnoklassniki.ru
    Domain clean on SpamHaus DBL: stg.odnoklassniki.ru
    Domain clean by Bitdefender: stg.odnoklassniki.ru
    Domain clean on Yandex (via Sophos): stg.odnoklassniki.ru
    Domain clean by ESET: stg.odnoklassniki.ru

    January 6, 2016 at 5:43 am #1361

    Michael Peterson
    Member

    Thank you for looking into this. How do I gain editing access to the Header file?

    Thanks,

     

    January 6, 2016 at 11:34 am #1362

    Anti-Malware Admin
    Key Master

    Click “Edit” under the Appearance menu in your wp-admin, then find the header link to the right.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Comments are closed.