Forum Replies Created
If you have moved the site to a new server and it is still getting hacked on regular intervals then you most definitely have a backdoor script or a Zero Day vulnerability on the site that is letting in this hacker.
You can find the script responsible by reviewing the access_log files on your server. You just need to look at what URL was requested at the exact time of the last infection. You can get the infection time on the Anti-Malware Quarantine page. Please note, the quarantine and infection times are stored in GMT/UTC so there may be some conversion required if your server logs are in the local time of the server.
Please let me know what you find or if you need more help. You can email me directly with your log files and a screenshot of your Quarantine if you cannot find the relevant entries. If you do find a new threat that is allowing this hack then please send me that file as well so that I can add it to my definition updates.
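One way to do the access_log triage described above, as an added example that is not the plugin's or the poster's own code: a small Python script that takes the Quarantine page's UTC infection time, honours each log entry's own timezone offset, and lists the requests made within a short window around it. The log lines, the infection time and the file path in them are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" format:
#   client - - [dd/Mon/yyyy:HH:MM:SS +zone] "METHOD /path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_log_time(ts):
    # "%z" reads the server's local offset (e.g. -0700), giving an aware datetime
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def parse_quarantine_time(utc_text):
    # The quarantine page stores times in GMT/UTC, e.g. "2024-09-11 16:24:10"
    return datetime.strptime(utc_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def requests_near(log_lines, infection_time_utc_text, window_seconds=120):
    """Return (offset_seconds, ip, request, status) for entries within +/- window.

    Offsets are relative to the infection time, so negative values are requests
    that arrived just before the file was modified: the usual place to look.
    """
    infection = parse_quarantine_time(infection_time_utc_text)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        delta = (parse_log_time(m["ts"]) - infection).total_seconds()
        if abs(delta) <= window_seconds:
            hits.append((int(delta), m["ip"], m["req"], int(m["status"])))
    hits.sort()
    return hits

# Constructed sample: server logs in local time (-0700), infection at 16:24:10 UTC
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:23:01:00 -0700] "GET /index.php HTTP/1.1" 200 9000',
    '203.0.113.5 - - [11/Sep/2024:09:23:40 -0700] "POST /wp-content/uploads/2023/cache.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Sep/2024:09:24:05 -0700] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Sep/2024:09:24:12 -0700] "GET /index.php HTTP/1.1" 200 9000',
    '192.0.2.9 - - [11/Sep/2024:10:15:00 -0700] "GET / HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for offset, ip, req, status in requests_near(SAMPLE_LOG, "2024-09-11 16:24:10"):
        print(f"{offset:+5d}s  {ip:<15} {status}  {req}")
```

A POST to a .php file under wp-content/uploads seconds before the infection time is the kind of entry worth sending along with the quarantine screenshot.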
September 11, 2024 at 4:24 pm in reply to: Known javascript malware: malware.injection?96.12 #135980
I have just been updating my definition database with a lot of new threats today and I think the one you have on your home page was in that batch.
Can you please download the latest definition updates (version O9BGI or later) and run the Complete Scan again to see if this remaining threat is now identified and fixed by my plugin?
Your website is loading fine for me now. Did you already figure out what was wrong?
Please let me know what you did to fix it, or if you are still having trouble please send me a screenshot so that I can see what page you are having an issue with.
August 23, 2024 at 3:24 am in reply to: Complete scan status seems to be OK, but still have malware in my site #134550
That’s great! I’m glad that you were able to find the cause of that redirect, but what is more concerning is how that WPCode plugin got on there. Did you install it or do you know how it got on your site?
August 22, 2024 at 2:13 pm in reply to: Complete scan status seems to be OK, but still have malware in my site #134485
I don’t see the redirect from my end, even on my mobile. Can you provide the exact steps to recreate this redirect?
Please also check these steps on another device to make sure it’s not just a caching issue on your device.
If you have already resolved this issue then please let me know how you fixed it.
This is not your error_log file at all, this is just an SQL Export file with some records from your database.
After looking at your website I can see that the following comment is present in every single output page on your site, including all the admin-ajax.php generated JavaScript pages like the one that my own plugin uses for the brute-force login protection:
If you can find the rogue file on your server that contains this comment text then you can remove that comment to fix all the dynamic JavaScript on your site that is currently breaking, including my login protection.
If you cannot find it and you would like to give me access to your site then I can look for it too. Please email me directly if you want to pass on any sensitive data.
eli AT gotmls DOT net
That is very unusual. We will need to know what the error is in order to fix it. Can you please check the error_log files on the server to see what the last few errors are?
Most of the files that are skipped will be binary file types like images that do not contain executable code so they are not a threat. You can hover over the files listed to see the reason why each one was skipped.
I have just added this new threat to my definition updates. Please download the latest definition update and try the Complete Scan again.
Let me know if that works for you or if you need more help.
I can see the redirection on your website, but it seems not to be detected by any of your malware plugins, not even mine, correct?
If this is not found in your core files after your latest scan then it must be a new threat which is yet undiscovered by any of us Anti-Malware specialists.
I would like the opportunity to find this new threat if you are willing to grant me access to your site. Please Contact me directly via email with any credentials you are willing to share.
You don’t need to donate for my plugin to clean any Known Threats that are found. Are you saying that no Known Threats are found when you run the Complete Scan in my plugin?
All these results from Quttera are a bit ridiculous, and most of them are clearly False Positives, but if you want to know more about the details of those results you should be asking them, not me. There is not enough relevant information in those results for me to make any real determination about those files without seeing the whole contents of each file.
I can’t speak for Wordfence or Sucuri either, but if you want to share the results of the Complete Scan using my plugin then perhaps I can give you more suggestions.
Thank you for posting this reply. I did not see your email until this post prompted me to check my spam folder. Now that I look at your website I can find no trace of this threat that you have asked about. Have you perhaps already found and removed it? Can you tell me where it was found and how you were able to remove it? Also, if you still have a backup of the infected content is there any way that you could share it with me so that I could still get this added to my definition updates?
Unfortunately the current scan engine can only be invoked and render results with an active browser session. I am working on a new scan engine that will be able to store results and would then be able to be scheduled but there are quite a few steps to take before that change will be possible. I will surely let you know when I have a Beta version available for testing.
I would like to add this definition right away, however I will need to see more than just a snippet of the code if I am to do anything meaningful with it. Can you please point me to the full source code in question?
A link to the infected page will do, if it is still showing the infected script, or else please send me the entire text from the source code of the page so that I can see how and where it is embedded and ensure that I can identify ALL of the malicious code and not leave behind any broken or partial code that might otherwise cause a syntax error on the site when only partially removed.
You can email me directly if you do not want to divulge any personal information on this forum.
If you copied infected files from one website into the directory structure to another site then you may have copied the source of the infection, or the back-door/vulnerability that caused the infection, onto this new site.
There is no Software/Firewall that can protect your website from an infection that is placed there by a system admin.
To help you sort out this issue and find the active cause of this infection I would need to see the files on the infected site(s). Can you send me a link to the websites that are currently not working and maybe include the error_log files from the server?
You can email me directly with any private or otherwise sensitive data: eli AT gotmls DOT net