Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 694 total)
    Anti-Malware Admin
    Key Master

    Thanks for this new one. I have just added that one to my latest definition updates too.


    Anti-Malware Admin
    Key Master

    Thanks for posting the contents of those files that contained new threats. I added the one from your first post to my definition updates yesterday so that it can be automatically removed with my plugin and I am working on this last one now so that it too can be found and automatically fixed.

    Rogue admin users are hard to detect automatically because there is no universal way to tell the difference between those whom you would have added as an admin user on purpose and those whom you did not want to be added. But my plugin should have been able to find and fix the malicious code that added that user and also the code that was concealing it. If that code was also not detected and you can find it in a newly added plugin file or a theme file like the functions.php file then please also send me that code so that I can update those definitions as well.

    Malicious code is always changing and evolving to avoid detection. That’s why I am always releasing new definition updates to keep up with the new threat variations. We need to see any new variants so that they can be identified and defined for future scans. So far, what you are doing to combat this threat is good but you will need to add one critical step to your cleanup process in order to track down the source of the infection to find and fix the root cause. For every infected file you find you will need to stat the file as it is on the server before you delete it or make any changes to the file. You need to get the exact times that the file was last modified or changed before your own changes to that file overwrite the timestamps of the malicious changes. Then you can use those exact server timestamps and cross-reference the activity in your access_log files to figure out what exploit was used to plant those files or to inject that malicious code into those files. Follow that trail back as far as you can and you should be able to find the first breach and patch that exploit to prevent further attacks.

    Please let me know if you get stuck and need any further assistance, and please also send me any new threats you find so that my plugin can help you remove them, and any other copies of those threats, from your server.

    in reply to: Malware not found – maybe add it to definitions? #158500
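One way to carry out the stat-then-cross-reference step described in the reply above, written as an added example (not the plugin's code and not from the original post). It assumes an Apache/nginx combined log format, a constructed sample access_log, and a constructed placeholder file whose mtime is backdated to stand in for the moment a malicious file was written; ctime cannot be backdated, so the demo keys off mtime.

```python
import os
import re
import datetime as dt
from tempfile import TemporaryDirectory

# Combined-log prefix: client IP, bracketed timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def file_times(path):
    """mtime and ctime as aware UTC datetimes. Record these BEFORE editing or deleting the file."""
    st = os.stat(path)
    to_utc = lambda t: dt.datetime.fromtimestamp(t, dt.timezone.utc)
    return to_utc(st.st_mtime), to_utc(st.st_ctime)

def parse_log_time(ts):
    """Parse '10/Oct/2024:13:55:36 +0000' into an aware datetime."""
    return dt.datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def requests_near(log_lines, when, window=dt.timedelta(seconds=120)):
    """Return (ip, request, status) for log entries within +/- window of `when`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and abs(parse_log_time(m.group("ts")) - when) <= window:
            hits.append((m.group("ip"), m.group("req"), m.group("status")))
    return hits

# Constructed sample: the moment the hypothetical infected file was written.
PLANTED = dt.datetime(2024, 10, 10, 13, 55, 36, tzinfo=dt.timezone.utc)

# Constructed access_log lines; IPs are from documentation ranges, paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:54:58 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:35 +0000] "GET /wp-content/uploads/2024/10/cache.php HTTP/1.1" 200 43',
    '198.51.100.4 - - [10/Oct/2024:15:10:02 +0000] "GET /about/ HTTP/1.1" 200 8123',
]

def demo():
    """Create a constructed placeholder file with a known mtime, then pull the log entries around it."""
    with TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.php")
        with open(path, "w") as f:
            f.write("<?php /* constructed placeholder, not real malware */ ?>")
        # Backdate mtime to the planting time; os.utime takes epoch seconds.
        os.utime(path, (PLANTED.timestamp(), PLANTED.timestamp()))
        mtime, _ctime = file_times(path)  # ctime is "now": the OS does not let us backdate it
        return requests_near(SAMPLE_LOG, mtime)

if __name__ == "__main__":
    for ip, req, status in demo():
        print(ip, status, req)
```

On a real server the same idea is `stat` on each infected file first, then searching access_log for the minutes around the reported Modify/Change times; the two hits from the same client just before the file's mtime are the kind of trail the reply tells you to follow back.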

    Anti-Malware Admin
    Key Master

    Thanks for sending me these malicious code snippets. I have added all 3 of these new code variants to my definition updates. Please let me know if you find any more.

    in reply to: Doubt About Indexing Special Characters #157621

    Anti-Malware Admin
    Key Master

    I see your homepage in your sitemap and there is nothing in your robots.txt file to prevent indexing that page, so I would guess that Google just has not refreshed their own cached index of that URL yet. I also still see one listing in the Google search results for your site that shows the Chinese characters you were talking about, but that links to a 404 on your site, so it should also fall out of the search index in time (whenever Google gets around to rechecking the cache they have of that page and sees that it is now a 404).
    It looks to me like you have done everything right and the site looks clean now, so it is just a matter of getting Google to finish updating their indexes of your site. There should be a way for you to request a review of those pages in your Google Console (Webmaster Tools) account. You can try the manual process of “Fetch as Googlebot” to verify that the Chinese character page does actually render a 404 for the Googlebot when you test that URL, and you can also test the root URL to make sure that Google can fetch your homepage without errors. That will at least confirm that this is just a waiting game.

    in reply to: LiteSpeed\Core::send_headers_force #155766

    Anti-Malware Admin
    Key Master

    This warning is just to let you know that an output buffer handler by your LiteSpeed caching plugin is being invoked on my plugin setting page and therefore could be affecting the results of the scan or the overall scan time. This is not necessarily something that you need to do anything about but it is generally not a good idea to be running any caching while the scan is taking place. It is up to you if you want to temporarily deactivate the caching plugin and delete all the cache files before running the Complete Scan and then restart the caching after the scan is done.

    in reply to: Wordfence report JS/parser.13743 #155341

    Anti-Malware Admin
    Key Master

    Some of those code snippets are clearly truncated or missing something from the beginning of the script. It may be true that not all the script in the affected files is malicious but it would help me greatly to see the whole contents of those infected files (including any non-malicious code that might have been in the file before it was appended with these malicious lines of code) so that I can determine the pattern in the affected scripts and make sure that all the offending code can be removed without damaging the syntax of the original code.

    Could you please look for a backup on your server that might contain the whole of the infected files and send those to me directly via email attachments?

    in reply to: False Positives #155061

    Anti-Malware Admin
    Key Master

    Thanks for reporting this! I have confirmed this False Positive and corrected the last definition update with a new definition just released (version P6FEO). After downloading the new definitions please run the scan again and confirm that it no longer finds and flags these files as Known Threats.

    Sorry for the inconvenience and thanks again for reporting this issue!

    in reply to: GOTMLS is blocking access to subscirber details #152891

    Anti-Malware Admin
    Key Master

    You can disable the protection for user enumeration on the Firewall Options page in your wp-admin.

    in reply to: blacklist #150907

    Anti-Malware Admin
    Key Master

    Ok, I see that the offending script is still present. I have just released a new definition update that should find it this time. Please download the latest definitions version P3RF4 and if it still does not find anything can you please send me a full screenshot of the scan results page with the scan setting showing?

    in reply to: blacklist #150861

    Anti-Malware Admin
    Key Master

    I just added this new threat to my definition updates. Please download the latest definitions and run the Complete scan again.

    Please let me know if it finds this threat in your database or not. If not I would like to take another look at it.

    in reply to: Installing other security plugins #150573

    Anti-Malware Admin
    Key Master

    You didn’t say what other malware plugin you are currently using so I cannot say for sure that there is no conflict, but my plugin is designed to work with all other security plugins so the only conflict that there might be is one that I don’t know about. You should feel free to try it out and let me know if you find any conflicts. The Brute-Force Login Protection in my plugin is an optional premium feature so you don’t have to use it, but I feel it is superior to all others in a few ways. Ultimately it’s up to you which one you use but multiple layers of security are usually preferable to fewer and conflicts are rare.

    Please feel free to follow up and let me know what you use and how it works for you.

    in reply to: Full scan stuck at 0%, 0 folders checked. #149940

    Anti-Malware Admin
    Key Master

    Can you please try the Complete Scan again but this time have the Network and Console tabs open in your browser’s Inspector so that we can see if there are any errors preventing the scan from continuing after a minute or two?

    Also, you should enable the automatic update feature to get the Core File definitions too if you have not already done that. It will not fix this issue but it may speed up the scan a bit once we get that going.

    in reply to: redirect from posts by author #149938

    Anti-Malware Admin
    Key Master

    Yes, with the plugin deactivated it cannot enforce the User Enumeration rule. It was probably a caching issue on your end that caused the redirects to continue.

    in reply to: redirect from posts by author #149793

    Anti-Malware Admin
    Key Master

    First: Never trust an AI to give accurate information. This is not in any way evidence of a persistent malware infection. This is simply a feature of my Firewall which protects against URLs with User Enumeration, like the “posts by author” link you are trying to get working.

    If you delete my plugin then it will no longer protect against this potential threat, but if you just disable that one feature on the Firewall Options page in your wp-admin then you can use links with author IDs and also still have all the other protections that my plugin has to offer.

    Please let me know if you need more help or have any further questions.

    in reply to: Can't get back in my site #149163

    Anti-Malware Admin
    Key Master

    All notifications on my site come from my email address so you can just reply directly to any of the emails you got from my site so far and they will go directly to me.
