I had thought that this issue was already resolved. As I said in my first reply: if this is still a problem you can send me the exact code that is flagged so that I can fix it (again).
Thanks for posting this code. I have updated the definition of this threat so that it removes all of the malicious injection and does not leave behind any broken syntax.
I see that it is fixed now. Can you tell me what file was broken?
If you can send me the original content for that file then I can update the definitions so that it will not break that file again.
Sorry I didn’t see this post until just now, I somehow missed the notification.
This .htaccess code that you posted is not detected as a threat in the newest version of my definition updates, so maybe I fixed it already or else there is a subtle variation from this code that you posted and the code that you have in your .htaccess files.
Let me know if this is still a problem and you can send me the exact code that is flagged so that I can fix it.
This is not a threat but rather a vulnerability called User Enumeration, which would permit anyone to discover your usernames using an unrestricted URL such as:
/?author=2
That is why it is one of the Firewall options that is enabled by default. If you wish for any un-authenticated visitor to be able to easily view this information about any user in your database by passing a common number like 1, 2, or 3 then you can simply disable the User Enumeration protection on my Anti-Malware plugin’s Firewall Options pages in your wp-admin.
Please feel free to let me know if you have any further questions about any of this.
Thank you for this info. I have looked into this and added some new threats to my definition updates since your post. I would like to know more about you specific hack to be sure that my plugin can now fix this vulnerability. Can you please email me any files that you might still have that were infected or any older versions of mailpoet that were compromised on your server?
Thanks for noticing, I hope to have some more really nice features coming soon 
Just re-register your new key for the HTTPS site under the same email address and it will continue working the same for you.
Check the permissions on your /tmp/ directory (or wherever your server stores session files, and also make sure that the partition is not full or write-protected.
Verify that mod_rewrite is installed and working and that Apache is able to run the code in the .htaccess files.
You can also look in your error_log files to see if it might tell you what the problem is.
You may need to ask you hosting provider for help with some of this if you don’t know where to look for these things. Maybe they can test your server’s ability to maintain a persistent session and just tell you what is causing this problem.
It looks like fatal_error_handler was originally used in concrete vendor software called Symfony that is available on GetHub, but it may have been re-purposed for one of your plugin or some other malicious code on your site.
I don’t know anything about AceIDE or sirzooro but they both also have forks on GetHub. Do you know what all the plugins on your site are there for, and can you validate that their source is legitimate?
No, because reinstalling the plugin does not affect the registration. All you need to do is to click on the green checkbox in the upper-right corner of the Anti-Malware Settings page in the wp-admin of that site. Then change the email address on the registration form and re-submit the registration under your email.
Your donation for that one site will show up on all of the sites that you have registered to that same email address
The small bit of serialized code that my plugin originally put in that file does have an expiration date built into it but all that malicious code that was added to the top of that file has it’s own rules to live by and it needs to be removed before it has a chance to replicate itself into other files. As with all malicious injections, it is important to remove the malicious code as quickly as possible before it can spread to more of the files on your server. Quick containment and isolations is the key to getting clean and staying safe from further infection and future re-infection.
Since all the files in that _SESSION folder are temporary and not critical to the core functionality of your site you can delete the whole folder just to be safe. And session files that are needed to validate future login attampts will be recreated by my plugin anyway, and those will all be clean (at least until you get hit by another wave of infections).
That is supposed to be a simple session log for login attempts on your site. All that other code added to the beginning of the file is a malicious injection that was inserted into that file at some later time. You should definitely let my scanner fix that file, or you can delete the file completely.
Sorry for not posting a reply earlier, the notification of your post was sent to spam 
Anyway, I hope that Steven’s response was helpful and you were able to fix this issue.
Also, I just checked you site to see if it was working and I didn’t get that error but only because it would appear that Hostgator has suspended your account. I’m guessing that this is because you have had further incursions from hackers, so I wanted to offer you a solution to your current hosting issue and future security issues by moving your site to my own Super Secure Hosting. I can get your site back up and running and you won’t ever have to worry about getting hacked again.
You can sign-up here if you are interested or email me if you have more questions:
https://supersecurehosting.com/signup/
