Forum Replies Created
-
AuthorPosts
-
Can you please send me a ZIP file of the plugin in question?
You can email it directly to me as an attachment or you can upload it to a file sharing site and send me a link if it is too big to email.
I can then take a look at the code and tell you if it is malicious or if it is a False Positive.
I’m not sure what file you would even want to scan that would be that large and it could cause performance issues on your server to scan a bunch of large files even if your server was technically capable of doing it.
That said, I have just release a new version of the plugin that allows for an over-ride of the max-file-size by passing the “oversize” value in the URL of the setting page. Well, I can see how that might be hard to understand so I will give you an example to follow:
If you are on the Anti-Malware Settings page then the URL in your browser might look something like this:
domain-name/wp-admin/admin.php?page=GOTMLS-settingsJust add &oversize=72000000 to the end of that URL, like this:
domain-name/wp-admin/admin.php?page=GOTMLS-settings&oversize=72000000Important note: While this will effectively change the internal limit on my plugin for the maximum file size it will scan to around 72MB, it does not guarantee that your server has been configured to allow PHP processes (like my plugin) access to enough memory to process files that large, so you may need to also increase the memory_limit in the php.ini file on your server. You may need to ask your hosting provider how to do that if you are not sure. I would suggest a memory_limit of at least 4 times the size of the file you want to scan.
Also not: This change may also drastically reduce the speed of the scan but it will only be effective as long as you keep that custom oversize value in the URL of your browser. If you come back to the Scan Settings page from the admin menu link then it will be back to the default value.
I just wanted to post a followup here for anyone who was seeing this error on their Site Health page. In the latest release of my plugin I have fixed the Brute Force Login Protection so that the session_start call does not conflict with the REST API or any other sessions created after my own session check is complete.
Just to clarify one point on Richard’s post, session start has not been deprecated in PHP 8.1 or any other version of PHP currently available and I don’t expect it ever will be, but there are many reasons why sessions might fail on a server that does not have a properly configured temp space and the right permissions to create session cookies on the server. Therefore, I have engineered a backup technique for saving session info to temp files when the session_start fails to initialize a persistent session. Please try the new version and let me know if you have any other issues with this patch.
Thanks for sending me this new malicious code. I have added this new variant to my definition updates so that it can now be found and fixed with my Anti-Malware plugin.
Please let me know if you find any more or if you continue to have repeated infections.
May 28, 2024 at 12:44 pm in reply to: My WordPress site infected somehow. index.php always rewrited and have base64_d #127461Thanks for sending me those screenshots. I could see that there was an actively running PHP process which was responsible for reinfecting that index.php file. It looks like your site is clean now that you killed that process and ran the Complete Scan again.
It would be good if you could tell where that infection came from since the rogue process was started by the root thread on your server and not triggered by a remote script on your website. If your whole server has been compromised then you may see this issue come up again in the future. You might want to consider moving your site to a more secure server to prevent this hack from coming back.
May 28, 2024 at 5:59 am in reply to: My WordPress site infected somehow. index.php always rewrited and have base64_d #127441Have you run the Complete Scan on your whole site using my plugin?
Where there any Known Threats found besides these index.php files?
Can you please send me on of these index.php files as an attachment in an direct email to me?
The best way to find the source of this infection is to cross-reference the activity in your access_log files at the exact time of the last infection. You can also send me excerpts from your logs highlighting the appropriate times if you are not sure what they point to.
Of course. You can always reply directly to my email:
eli AT gotmls DOT netYes, just make sure that the “Database Injections” is checked under the “What to look for:” heading on the Anti-Malware Settings page.
If the scan does not find anything but you still feel that you have an infection in your DB then please send me a screenshot of what you are seeing so that I can confirm the infection and update the definitions if necessary.
There are a few different reasons that a file might be skipped and is is common to have many skipped files in every scan.
Usually it is because the file are a binary type (like ZIP, EXE, or image files) which cannot be directly executed on the server, sometime it is because they are empty files, so they cannot contain executable code.
If you hover over the file names in the list of skipped files it will tell you why they were skipped.
Yes, You can login to gotmls.net with the email that you just used to register that new site and then transfer that registration to your other email account.
You can also click on the key in the upper-right side of the Anti-Malware Setting page in your own wp-admin and that will open the pre-filled registration form so that you can change the email address and re-register your site to the correct email account.
It is not uncommon for hosting providers to complain about users who run my plugin often. The fact is that it takes a lot of the server’s resources to run CPU intensive scans of every file on your server. Most of the big-name shared hosting providers out there make a huge profit by hosting lots of small websites on a single server and hoping that they get very little traffic. If any of there customers wants to use a notable amount of CPU ticks on a regular basis it can affect the overall load on the server and start to threaten that profit margin.
I don’t see any screenshot, can you please send me that via attachment to a direct email?
If you are seeing a “critical error” then there must be some important technical details in your error_log file. If you can send me that log file too then I can probably help with that as well.
When we get the scan working as it should then you shouldn’t need to run it all the time and they will probably not notice any significant impact in the future.
The session_start function is used in the optional Brute-Force Login Protection. If you have activated this protection on the Firewall Options page (found under the Anti-Malware menu in your wp-admin) then it will execute the session_start function from an include file that was added to the top line in your wp-config.php file, even if you deactivate the plugin. Deleting the plugin, or removing this line in your wp-config.php file will disable the Brute-Force Login Protection, but you can probably just ignore this warning if you want to keep the extra protection. I have yet to my session_start actually interfere with and REST API calls.
Please let me know if you have any more questions on any of this, or if you would like to report an actual conflict with your REST API usage and my session code please send me the details and I’ll look into it further.
It looks like this hack placed a malicious file in your mu-plugins folder. The file 4Edqv8.php should probably be deleted but you may want to save a backup of this file in case it could help uncover other parts of this infection.
If you would be willing to download that home/bemighty/webapps/ESTELITAS/wp-content/mu-plugins/4Edqv8.php file and send it to my email as an attachment I could tell you more. Then you could delete it and your site may start working again, if not then check the error_log file again in case there are other similar errors in other files.
You must have access to the wp-admin on your site in order to run my plugin. There are many situations where the wp-admin is accessible even when the main pages on the site are down. Regardless, it is usually a simple matter to restore the functionality of your site after a crash like this one, you will just need to find the error_log files on your server to determine what is causing this critical error. The recent entries in the error_log file should point to a line of code in a file on your server that is the cause of all this, and then can usually be as simple as removing that line or correcting the bit that is causing the error. Then you can install my plugin and scan the site to fix any other infections found on the site.
Let me know if you need more help interpreting the errors in that log file, or if you come to any new hurtles that I might be able to assist you with.
I’m confused about who is reporting what to you.
You say “GOTMLS reports a JS injection on my home page and another page” but perhaps you mean that someone else is reporting a JS injection?
When you scan (with what?) does it says its all clear?
Can you contact me directly with the website details and some screenshots or examples of the conflicting reports you are seeing?
-
AuthorPosts
