Forum Replies Created
I am reluctant to classify those readme files as malware because there is not actually any malicious code in them. They are in fact just text files with, as you say, a ransom note and contact details from the hacker. As these details may vary in content and could also provide forensic evidence or leads for the victims and/or law enforcement to follow up on, I feel it would not be my place to arbitrarily and automatically delete this potentially useful info. These files are also very similar to the log/trace evidence that is characteristically left behind by many AI Agents after live actions have been taken on behalf of a user that is delegating tasks to Agents, and it would seem important to not accidentally remove such records from a user’s site in case they needed to audit their agents’ actions. In fact, I would not doubt that an AI agent might have been used in some part of the hack that you suffered. Also, if you are not wanting to make use of any of this evidence and simply need to clean up all these scattered README.md files, it would be far simpler and faster to use the find command with the --delete option to get rid of all those files. 😉
Thank you for posting this new rogue plugin code to me. I have added the pattern of this new threat to my definition updates so that it can now be found and automatically fixed with my plugin scan. Please let me know if you find any more like this.
I’m not sure why these fake pages should affect the authenticity of your website because they are not using your domain. Can you please provide some evidence as to the negative effects that these pages are having on your domain reputation?
I removed the link in that text for security reasons. Please send me any malicious files (complete and unedited) directly via email so I can see the full original threat in those files as well as any potentially benign content that might have been added to disguise the threat or may have been there before the malicious content was injected.
If I understand you correctly, you want me to add the text contents of these readme files to my malware definition list so that they can be easily cleaned up with my plugin, is that right?
These look like calling cards or ransom notes, not malicious code. Is it not easier to use the “find --delete” command on these files once the threat has been removed?
More importantly, is the threat itself found and automatically fixed by my plugin?
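The two replies above both suggest the find command with --delete for the scattered ransom-note README.md files, while the earlier one also notes that those notes may be useful evidence. The script below is an added example and not code from the original forum posts or from the plugin being discussed: it first copies each matching note into an evidence directory with a SHA-256 manifest, and only then removes the matching files with find's -delete action, leaving legitimate plugin and theme README.md files alone. The NOTE_MARKER string, the function names and the directory layout are constructed assumptions; replace the marker with a phrase that actually appears in the notes on your site, and keep the evidence directory outside the site root.

```shell
#!/bin/sh
# Added example, not code from the original forum post: preserve ransom-note
# README.md files as evidence (copy plus SHA-256 manifest), then remove only the
# matching files with find's -delete action.
# NOTE_MARKER is a constructed assumption; use a phrase from the real notes.
NOTE_MARKER='Contact: restore@example.invalid'

# hash_file FILE: prints the SHA-256 of FILE (sha256sum, or shasum as fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# is_note FILE: succeeds when FILE is named README.md and contains NOTE_MARKER.
is_note() {
    [ "$(basename "$1")" = README.md ] && grep -Fq "$NOTE_MARKER" "$1"
}

# collect_notes SITE_ROOT EVIDENCE_DIR
# Copies every matching note under SITE_ROOT into EVIDENCE_DIR (path flattened)
# and writes "<sha256>  <original path>" lines to EVIDENCE_DIR/manifest.txt.
collect_notes() {
    site_root=$1; evidence_dir=$2
    mkdir -p "$evidence_dir"
    manifest="$evidence_dir/manifest.txt"
    : > "$manifest"
    list="$evidence_dir/.found"
    find "$site_root" -type f -name README.md > "$list"
    # Redirecting from the list file keeps the loop in the current shell.
    while IFS= read -r f; do
        is_note "$f" || continue
        flat=$(printf '%s' "$f" | tr '/' '_')
        cp -p "$f" "$evidence_dir/$flat"
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done < "$list"
    rm -f "$list"
}

# note_count EVIDENCE_DIR: number of notes recorded in the manifest.
note_count() {
    wc -l < "$1/manifest.txt" | tr -d ' '
}

# delete_notes SITE_ROOT: deletes only README.md files that contain the marker,
# so a plugin's or theme's own README.md is left in place.
delete_notes() {
    find "$1" -type f -name README.md -exec grep -Fq "$NOTE_MARKER" {} \; -delete
}
```

Run collect_notes first and confirm the manifest looks right before running delete_notes; a plain `find . -name README.md -delete` with no content test would also remove the README.md files that legitimate plugins ship with.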
You can always use the “Forgot Password” link on the login form: https://gotmls.net/wp-login.php
Or, if you are already logged in you can use the standard profile URL in the wp-admin:
/wp-admin/profile.php
Where has this code been injected?
Can you send me a link to the infected pages so that I can see how this script is embedded?
If you are logged into the site you can go to your profile in the wp-admin, or if you are not logged into the site you can use the forgot password link to reset your password.
Are you asking how to remove the Google Tag Manager plugin or are you referring to some GTM code that is showing up on your site and you are not sure where it came from?
Can you please send me a link to the page you are asking about so that I can see what you mean?
December 11, 2025 at 1:32 pm in reply to: /plugins/pods/deprecated/deprecated.php false positive? #164686
I have whitelisted this usage only because it is still used in this fairly active pods plugin, even though it was found in /plugins/pods/deprecated/deprecated.php which shows that even the developers know that this code is deprecated and should be removed. This code probably isn’t even safe any more because the file it includes has not existed in any WordPress distribution since 3.8.9 which is over 10 years old now. So if this code was executed on any WordPress site that has updated within the last ten years then it would cause a fatal error for trying to include a file that doesn’t exist. But it’s not malicious so I have decided to whitelist it for now.
I may even change my mind and re-include this code later because it is unsafe and if you were to use my plugin to fix this file and remove that include line then it would only serve to prevent your site from crashing on this error if your json_encode function were somehow blocked or removed from your PHP libraries.
That is unusual and very troubling. Can you please look in your error_log files to see what is causing this issue?
You are welcome to send me your log file if you are not sure what to look for.
Thanks for reporting this but I do absolutely need more information if I am to fix this issue. Namely, I need to know which plugin files are being wrongly identified as a threat. Can you please send me those files so that I can examine the code in them and fix the definition that is flagging this code?
You can email the files directly to me or send me a link to where I can download these plugins myself.
Thank you for reporting this issue. I have confirmed that this is a False Positive and I have released a new definition update that fixes this issue so that the safe usage of the path building formula will be omitted from future scans. Please download the latest definition updates and confirm that this plugin file is no longer detected as a Known Threat.
There are no conflicts with my plugin and any other security plugin that I am aware of.
In general, there are some features that might be duplicated within various security plugins but they each work a little differently and so one might work better in certain circumstances than the next, it all depends on the type of attack and the kind of mitigation employed for that attack. For example, the Brute-Force Protection in my plugin is invoked prior to the WordPress bootstrap, so my plugin will redirect brute-force attacks before WordPress (and most other plugins) are loaded and this will reduce the load on your server which could prevent a DDoS attack from bringing down the site, but it might also prevent other security plugins from logging the attack (because they are not yet loaded or connected to your database before the attack is deflected). I wouldn’t call this a direct conflict but it could affect the statistics recorded by those other plugins.
I have had instances in the past where other security plugins have either hijacked one of my hooks into the WordPress code library or even changed one of my own lines of code, which had caused a substantial failure of my plugin to perform essential tasks, but I was always able to work out those conflicts and find a suitable solution for all involved.
If you ever find any issues with my plugin working in conflict with another plugin then please report it to me right away and I will find a solution for you.
September 12, 2025 at 3:00 pm in reply to: New malicious files and infection that the program cannot detect #159842
Thanks for this new one. I have just added that one to my latest definition updates too.