Forum Replies Created
-
AuthorPosts
-
I wouldn’t trust a plugin to log this kind of activity. You need to view the raw access_log files on the server. You may need to ask your hosting provider where to find those files if you cannot find them in your hosting control panel.
So this Core File is being repeatedly modified by some unknown hack, and after it is modified there is a syntax error that crashes your site until you manually fix it, is that right?
First and foremost when tracking down the source of an intrusion is to gather all the evidence you can before fixing anything that was tampered with. You need to stat the file the was hacked before you fix it so that you can tell exactly what time the hacker modified/changed that file (make sure to get both, the modified time, and the changed time). Once you have fixed this hacked file you have effectively wiped out any trace of the original modifications by the hacker. It’s like washing and putting away a knife at the scene of a crime, sure the kitchen is cleaner now but you can’t get any fingerprints or DNA samples from the weapon.
If you use the Automatic Fix feature in my plugin then a backup of the infected script is stored in the Anti-Malware Quarantine with the original infection timestamps preserved for future review. If you modify or delete these infected files manually then that info is lost.
Once you know the exact time of the infection then you can search your raw access_log files for any activity on your sites at the exact time of that latest infection. This may lead you to other malicious scripts (possibly even on another site on your server if you are on a shared hosting plan). Those newly discovered files will also need to be handled with the same care to get the stat info from them and look up those times in the logs, etc., etc.
If you come across any new malicious files that are not being identified as a Known Threat by my plugin then please email those files to me before you fix them so that I can add them to my definition updates. reading and understanding the malicious code inside those files can also help track down the source of the infection.
The error_log are stored in different places depending on the hosting configuration. You will need to ask you hosting provider where those logs can be found. However, it may be a moot point as I have just release a new plugin update that should fix that error no matter where is was coming from.
As for the blue/blue folders, the wp-admin/css/colors/blue folder itself should be there and it should have CSS files in it, but there should not be another blue folder inside that wp-admin/css/colors/blue/ directory. The second lever blue folder is probably only a symlink to the first one, so that second one is all that should be deleted.
I have just released a new plugin update (version 4.21.95) that should solve this issue for you. Please try the new update and let me know if you still have any issues.
There is one thing that troubles me about that error you received about the skipped folders in your last post, where it said “Undefined Index:dir” at the end. could you look in the error_log files on your server to get the details of that particular Warning?
That first folder that could not be scanned should not even exist:
…/httpdocs/wp-admin/css/colors/blue/blue
There should not be another blue folder inside wp-admin/css/colors/blue/
My guess is that it was skipped because it is a recursive symlink to the parent folder so it would be a needless infinite deep dir to go exploring that path. So You can look on your server to see what is in there but I would advise that you just delete it.Also, a lot of the files you are listing should not even be scanned in the first place. I assume that you have modified the default list of extensions in the “Skip files with the following extensions” field on the settings page. This is not recommended, as those file types are skipped for a reason. There is no need to scan large binary files that cannot be executed on the server anyway. It is true that you could hide some PHP code in some of those files but it could not be executed without an include statement run from within a PHP file, that why my plugin will look for those malicious include statements.
So my plugin generally does a good job of finding the threat without wasting time and server resources searching non-executable code in large binary files, and you will find that the scans are much faster if you restore the default settings there.
If you hover your mouse over each of those skipped files then it will give you an individual explanation. I expect that most of those are skipped because they are empty (no need to scan an empty file), but some may also be skipped because of the file type.
Please let me know if you this solution satisfies your curiosity, or if there are still some file on that list that concern you then please send me those details.
There is a recovery link on the results page when the files are fixed and your site is tested, otherwise You can restore this code by going to the Anti-Malware Quarantine page in your wp-admin and selecting those files with the checkbox on the left, and then click the “Restore selected files from quarantine records” button.
Please also send me a copy of those files so that I can review the code in them and correct the detection if the definitions need to be update.P.S. I see that your site is working now, so maybe you have already solved this issue, but I would still like to see the files that might have been misidentified or fixed incorrectly.
The Quarantine is an archive or backup of the file contents from before they were fixed or cleaned by my plugin. If the plugin made a mistake and removed some code that was not malicious then you can restore this code by going to the Anti-Malware Quarantine page in your wp-admin and selecting those files on this with the checkbox on the left, and then click the “Restore selected files from quarantine records” button. But you also need to tell me about it and send those files to me so that I can review the contents of those files and correct the detection if the definitions are truly misidentifying that code.
July 18, 2023 at 4:12 pm in reply to: Getting a blank screen when I click run complete scan or save settings #103418A blank white screen usually indicate either a 500 Error or else something has blocked the form POST, maybe because of some other security setting or overzealous firewall.
Check the Console tab in your browser’s Inspector for any Errors or Warnings that might explain the blank screen. Also look in the error_log files on your server to see if any PHP errors were logged when loading those pages.
July 12, 2023 at 11:00 am in reply to: 500 Internal Server Error – response to run a complete scan #102942This specific error message is not what the others here were experiencing.
The error that you have pasted here clearly indicates that a required file is missing. Specifically, the index.php file in the gotmls/images/ directory is missing, and PHP has thrown this Fatal Error because this file is required by my plugin.
So, somehow that gotmls/images/index.php file has gotten deleted, and you will need to replace that file to get your site working again. To save time you may find it easier to just delete the entire gotmls directory from within your plugins folder, and then reinstall the whole gotmls plugin to restore all missing files, thus fixing this error.
No, my plugin does not require jquery at all.
I am curious as to what would have prompted you to ask such a question though. Would you mind letting me know why you are asking?
June 26, 2023 at 3:39 pm in reply to: 500 Internal Server Error – response to run a complete scan #101494There are no know issues like this so you would need to contact me directly so that I can help you to figure out what is causing this particular error on your individual site. It is likely different in each case so you would need to send me a screenshot of the error page you get with the full URL showing and the error_log file from your server for the time-frame corresponding to the error that you received.
I believe that this lb_postrender_handler is a malicious ob_handler that was injected into the code on your site through a eval’d code that is most likely included within a hidden .MO file. The include(‘.hidden_xyz.mo’); is usually inserted into one of your core files, but it could have any name and it could be in any core file. The best way to find it is with the core file definitions included with the automatic update that you get with a premium donation. But I can also help you further if that is not an option for you. You can email me your site details directly if you need more help.
eli AT gotmls DOT net
Thanks for posting the code in this new threat. I have just added this new variant to my latest definition updates.
-
AuthorPosts