Forum Replies Created
The definition Update is being blocked on your site by a firewall plugin that is set up to redirect you to your home page if you try and post any hexadecimal values. Just deactivate the firewall plugin to do the update or add your IP address to the white-list in the firewall setting.
As for the output buffer handler, you may have something called Photocrati_Resource_Manager installed that may interfere with the scan process. My scan may still work fine but if it seems frozen or gets stuck while scanning see if you can deactivate Photocrati_Resource_Manager and try the scan again.
Please let me know if I can be of any further assistance.
It was turning on the plugin editor that fixed it. My plugin now requires you to have permission to edit files in order to use it (because it can edit files). I could add an alternate admin privilege to use as a credential for using this plugin, any ideas?
Thanks for the login. I can get in and it seems like I am an admin but I cannot edit my plugin. The plugin editor is not accessible. Is this a multisite install?
If so, could I be made a Network admin to edit my plugin or maybe you can give me FTP access to the gotmls folder in plugins?
So, you have deleted the plugin and installed it again, right?
I assume there were no errors when installing, so that you now have it installed but you are still not seeing it on the menu, right?
Would you be willing to grant me access to your WP Admin so that I can fix this for you? It would really help me to see it in your admin. You can email your login directly to me: eli AT gotmls DOT net
It sounds like the update may have failed. WordPress may have gotten stuck and left the plugin only half installed.
I would suggest completely deleting the gotmls folder in the plugins directory and then installing from scratch.
My plugin does not delete anything from the database. Once the malicious PHP code is removed that entry in the wp_options table has no effect. You can (and probably should) delete it just to clean up.
As far as the source of this infection, it is most likely a shared hosting vulnerability.
I have recently created a very secure hosting environment to answer this need. After testing this new server for a few months I have created a site and opened registrations to the public. It’s not going to be as cheap as the bulky shared hosting providers out there like GoDaddy and HostGator but it is way more secure.
You can sign up here if interested or contact me directly if you want more info.
Aloha, Eli
No, my plugin does not add anything to the htaccess files.
Thanks for your donation to my plugin.
Ivica,
Thanks for sending me access to your site. I don’t know where this code came from but it is not a complete threat. The harmful code that usually follows that line at the top of your wp-config.php file is just not there. I removed that line of code from the file and I could not find any other sign of malicious content.
Aloha, Eli
Hi Ivica,
Thanks for that code snippet but I’ll need more info to add this to my definition update. This looks like only part of the threat with the dangerous part having already been removed. Can you look in Quarantine to see if there is a completely infected version of your wp-config.php file?
If you have the whole infected file can you email it to me (you can remove your database credentials from the file before sending it to me).
Aloha, Eli
Grady,
It sounds like you are on the right track. Your site may already be cleaner than you think. The seemingly random occurrences of this hack may be simply due to caching on either the browser or the web-server side. If you have any caching plugins you should deactivate them. Also, check Google Webmaster Tools to see if it shows any infected URLs in the health section. You can also fetch a page from your site as the Google Bot to see if it still contains any malicious code.
Aloha, Eli
I fixed that message: “Unable to find your plugin version!”. It was just because my website did not have the right version number for the last release I just uploaded. Thanks for bringing that to my attention.
Those three potential threats are probably safe. They are most likely popping up because they contain the eval function which can be used to display or execute malicious code but not so much in JS files.
Please let me know if I can be of further assistance.
Aloha, Eli
David,
I’m concerned about what would cause you to not be able to login to your admin especially if removing my plugin fixed it. Would you be willing to give me an admin login to your site? I would like to track down the source of this issue and fix it. I would also check to make sure there is no more malware. You can email login credentials directly to me: eli at gotmls dot net
Aloha, Eli
Ida,
Thanks for providing access to your site. I did some tweaking to my plugin on your site and got it to find and remove that last bit of malicious code in your theme. I think your site is all clean now. Can you try reposting any corrupted entries to Facebook and make sure the new postings do not contain these viagra ads. You will also need to get Google to re-index your site. This may take some time but it will help to go to Webmaster Tools and submit a new sitemap and request a review in the Health section if there is any malware listed there.
If you still have signs of a current or recurring infection please let me know and I can check your site again.
Aloha, Eli
Your site looks clean now from the outside. Check the Health section of Google Webmaster Tools to see if the search engine cache is clean and request a review if it is not.
This sounds like a conditional ad injection but these pharma hacks vary quite a bit. Can you provide me with WP Admin access to your site?
You can email your login credentials directly to me so I can look for the infection.
Aloha, Eli