Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 76 through 90 (of 664 total)
  • Author
    Posts

  • Anti-Malware Admin
    Key Master

    I see your registration and your donation on my end, just as you do when you view that list of registered sites. This is most likely a caching issue so please try and clear all your cache and deactivate any caching plugins then refresh your wp-admin page to see your donation reflected there. If you still don’t see it then check your Browser’s Console for Javascript Errors and send me a screenshot of the whole page so that I can help you figure out why it is not showing up.

    you can also just email me directly for account related issues.

    in reply to: An attempt to clean up the site failed #98560

    Anti-Malware Admin
    Key Master

    Yes, with a lot of code changes it would be possible to re-purpose my plugin to be more proficient at scanning larger file-systems containing multiple site under conditions where the shared hosting platform permits the PHP process to access all the sites on the account. However, that would require exploiting the biggest vulnerability of cheap shared hosting accounts to access and change the files of one site from the PHP execution of another site. While this is all too common and easy to do in many cases, it is also the main reason that all your sites can be infected with a malicious PHP scripts that makes it way into one weak site.

    Now, wouldn’t it be better all around if each of your sites had more protective permissions so that these malware infection wouldn’t be able to infect every site on your server from just one breach?

    My conclusion is that if the hosting providers implemented a reasonable security scheme then my plugin would then not even be able to access those other sites and could then not scan or clean them, and that would actually make your system even safer.

    in reply to: An attempt to clean up the site failed #98452

    Anti-Malware Admin
    Key Master

    It could be possible with some code changes but I have found that it can also cause more trouble than it is worth. It is far better to just put my plugin on all your sites and make special considerations for those sites that are not WordPress.

    Just to give you an idea of the problems you may run into when scanning many sites at once, here is a short list of just some of the most common issues:

    1. PHP has a very small memory_limit so the scan process many not be able to index all the files on so many sites all at once.

    2. Even if it is able to build the initial index and start the scan it will likely still take a great amount of time to scan many sites in a linear way, as opposed to installing multiple copies on each site and running multiple scans at the same time.

    3. Timeout and lag-time in large scans can cause scan errors that will make the scan process restart some steps and that could take even longer and render less accurate results.

    4. Some directories above the site root are protected or may have different permissions which can also cause read errors and this will bog down the scan even more.

    5. If there are any sites that are not WordPress then there is a much greater chance of False Positives, which could lead to incorrect modifications in proprietary code that is not malicious, and then could cause site errors.

    6. Some browsers may even crash or lockup before the scan is complete due to the sheer volume of data returned by the scan that the browser has to process.

    These are the main issues that I am familiar with and could recite off the top of my head but I know there are more reasons to avoid combining all the sites into one scan. I know it is an attractive idea to have all your sites scanned at once, but trust me when I say, it is just not practical to expect a PHP page running inside a WordPress plugin to handle that much work efficiently or accurately. There are command-line tools and server-side anti-virus programs that can scan all your folders, they are just not as good as my plugin at identifying and removing malicious code from WordPress files.

    in reply to: An attempt to clean up the site failed #98391

    Anti-Malware Admin
    Key Master

    The best way to reach me is directly through email. You can reply directly to any of these email notification from my forum. I also pinged you on Skype if you would rather find me there, I’m not usually on Skype but I’ll hang out there for a little while if you want to accept my invitation.

    in reply to: An attempt to clean up the site failed #98350

    Anti-Malware Admin
    Key Master

    I understand your disappointment, and I am sorry that you have had this trouble and that my plugin has not helped you solve it, but I am going to help you solve this and/or figure out how you can use my plugin to effectively solve this problem.

    Those screenshots were very informative. I can see that the Fix is successful but I cannot see the quarantine in the little window below the fix results. I hear that these same files are found to be infected when you run the scan again so I need to see the Quarantine log to determine it the reinfection happens immediately or if there is a delay. Can you please send me a screenshot of the Quarantine page with multiple infections of those same two files repeated after multiple attempts to fix them?

    I suspect that you might have cron job running which is setup to keep those files infected (in which case it will have to be stopped with a crontab command on the server), or else there may be an active PHP or PERL process running in an infinite loop so that it never stops replacing those files with the corrupt version (this separate process would also have to be stopped by a kill command on the server). In either case this is not the kind of problem that any plugin can manage without you login into the server’s command prompt. Do you have SSH access to this server or just a control panel login?

    If I can see your Quarantine then I can make a better assessment of which one of these scenarios you are dealing with, and thus help you find the right commands to stop this rogue server process.

    in reply to: An attempt to clean up the site failed #98323

    Anti-Malware Admin
    Key Master

    Thank you for contacting me about this issue. I would very much like to find a solution the the issue you are having with the scan so I will need more information about this “comedy just”…

    First, you have registered multiple sites on this account, which of your sites are having this issue?

    When you say that it “cleans it and stops its work”, can you include if it gives all the indications that it has worked? Did you see all the following indicators:
    1. Did it pop up a box to say “2 files fixed, 0 failed”?
    2. Did it say “Success!” at the end of each file listed in the “Fixing …” results window?
    3. Did it finish with Big green bar that end with the words” it worked”
    4. Did it show a window below the green bar that starts with a green checkbox and the words “Tested your site. It appears we didn’t break anything ;-) ”, and then show a list of all the quarantined files?
    5. If you got that far or if you can got back to the Anti-Malware Quarantine page in your wp-admin for me, then please let me know: are the items listed in the quarantine highlighted in Yellow or are they in Red?

    A screenshot of any of these results would be very helpful, but if you can answer those 5 questions above then I will have a clear understanding of how far the scan and fix process got and can then help you troubleshoot.

    Alternatively, if you would prefer to send me your wp-admin login for this site then I would be happy to troubleshoot the issue directly.

    in reply to: Got stuck #96910

    Anti-Malware Admin
    Key Master

    This is a very general problem which can have many different kinds of solutions depending on the actual cause. Nothing about any of these reports indicate what the root cause might be so I can only give general advice.

    Check your error_log files on the server to see if the actual PHP errors are being logged. These logs might tell you where the problem is coming from and could give you hints on how to fix it.

    Out of memory: Try increasing your memory_limit values in the php.ini file on your server.

    Failed to open or read errors: Check the owner and group permissions on the file or directory mentioned. Clear all file cache and disable caching plugins while running the scan.

    SQL query error: Check the table names and repair the table if needed.

    If you need more help to determine the actual cause of this issue on your site then please contact me directly for individual support.

    in reply to: Malware Keeps coming back! #95749

    Anti-Malware Admin
    Key Master

    Unfortunately this situation is all too common and there are a great many reasons why you might be plagued by recurring infection. The main problem is that they were able to exploit your server in the first place, and they could be using that same vulnerability for each subsequent attack. The second issue is that once they get in they are then able to infect every site on your account (and possibly even other accounts too).

    So why is this even possible? In one word: Hostgator, All these giant Shared Hosting provider want to do is cram as many users as they can onto as few servers as possible to make their service as cheap as it can be. They don’t really care about security because they don’t see it as they problem, they have specifically made that your problem.

    I am openly critical of these massive shared hosting platforms because I also run my own Super Secure Hosting servers and it’s not hard to take the proper security measures but I can’t compete with their pricing and that’s why they have all the customers.

    The hard truth about your situation is that if you have more than just a couple sites it’s going to be really hard to pin down where this threat is coming from you will need to do extensive digging in your log files to find the exploit and that’s assuming that the the vulnerability being exploited is even on one of your own sites. The best thing for you to do now is to try moving some of these sites to other servers and try to figure out which of those sites are spreading this infection and which ones are secure on their own and just getting cross-contaminated by the compromised site(s).

    in reply to: Apache #95743

    Anti-Malware Admin
    Key Master

    The feature to Block XMLRPC Access uses an entry in your .htaccess files to prevent Apache from accessing the WordPress XMLRPC URL. If you are usign nginx or some other web-server (other than Apache) then this .htaccess restriction will have no effect.

    If you are using Apache but my plugin cannot detect it for some reason (maybe you have limited the information your server provides about what software you are running) then it should still work for you. You can still click on the “Block XMLRPC Access” button even if you see that warning but it just may not have the desired effect unless you really are using Apache ;-)

    in reply to: Cannot run scan since update #90988

    Anti-Malware Admin
    Key Master

    A quick internet search for “lb_postrender_handler” shows that this OB Handler was most likely injected into your sites with malicious code. My plugin just detects any and all uses of named OB Handlers because of the potential for any of them to adversely affect the output on your admin pages, specifically the results of the scan. Therefore, this warning can sometime point to an issue that needs to be dealt with immediately. In this case it sounds like it is an infection that is now spreading to al your other sites, so you definitely want to pin down where it is coming from.

    If you have truly deactivated all other plugins then my next guess would be that this malicious code has been added to your theme, although it is also possible that the code was injected into a WordPress core file.

    Then next step would be to reinstall a fresh copy of the theme that you are currently using and the then reinstall the WordPress core files.

    Just to confirm that this is your only course of action, I want to make sure that you have already run the Complete in my Anti-Malware plugin and that nothing was found, is that correct?

    in reply to: Empty index.php file inserted #89614

    Anti-Malware Admin
    Key Master

    Thank you for sending me an example of these index.php files you found throughout your site. As I mentioned in my direct reply, these new index.php files have nothing to do with my plugin. My Anti-Malware plugin does not create index.php files in every directory, but some other security plugins might do this to prevent directory browsing.

    There is no malicious code in that file you sent me so it is not likely to be part of a known threat.

    in reply to: htaccess files keep getting inserted #86016

    Anti-Malware Admin
    Key Master

    This is, unfortunately, a fairly typical situation you are describing. If you are hosting many sites on a shared hosting account with any of the major mass-hosting providers then one small break on any one site can lead to a massive widespread infection on all your sites. The main issue is that there is absolutely not internal security protecting all your sites from crossover contamination. Once you have a self-replicating threat on your account it simply copies itself to to every directory that it has access to (which is essentially all the folders on all your sites). At which point, the all the infected sites collaborate in rapidly re-spreading this threat into any place where you might be temporarily successful at removing it.

    Therefore, the only way to remove this type of threat is a well-timed all-encompassing mas-removal of every infection on every site at the same time, thus removing any chance it might have to reduplicate. My plugin can be useful in removing these threats from a whole site very quickly but you sill have to make sure that each site is cleaned at the same time so that they cannot reinfect each other. If even one of these active scripts is missed then you will soon find yourself right back where you started.

    Ideally, you would have a hosting environment that could “chroot” (isolate and make a virtually separate filesystem for) each site so that they cannot infect each other. This would make it easy to clean each site and keep them from getting reinfected. Then you could quickly ascertain which or your sites was responsible for this breach and work towards patching the original exploit. But this screamingly obvious solution goes against the ease of access that you and your hosting provider have grown accustomed to, and it would cripple you current control panel access. Think of like this, your control panel is nothing more than a set of PHP scripts that give you full control over all the sites on your account; any malicious planted on your site has the exact same access and therefore the same control over all your site.

    I know this is not the simple solution you were probably hoping for, but I wanted to paint a picture of the true nature of the unfortunate position you find yourself in so that you can start to understand the complexity of the many tactics that you might employ to combat this problem. With the understanding that this infection is exacerbated by the lax security of your hosting provider and multiplied by the sheer number of sites that you have on this account, I see two main approaches for you to take:

    a. Move all, or most, or at least some of your sites to another (hopefully more secure) hosting provider in order to compartmentalize your infection so that it is easier to treat in smaller doses.

    b. Devote a lot of energy and effort into a full-scale coordinated attack against every threat on your system at once, being aggressively vigilant and relentless on every front until you have squashed your opponent completely.

    With each of these approaches there are many different branches which can more or less effective depending on the nuances of your specific variant. The import thing to remember in your specific circumstance is that there are at least three objectives:

    1. The most obvious damage to your sites are these .htaccess files, which are crippling each site and clearly need to be removed in order to restore normal functionality.

    2. More important are the PHP scripts that are injected into various hiding places with your sites normal code, which are responsible for creating all those .htaccess files and also replicating themselves into other parts of your site and probably your other sites as well. All these must be removed together to ensure that none are left to make more clones all over again.

    3. Most importantly, you need to find the security vulnerability or exploit that allowed the original threat to be planted on your account in the first place. Unfortunately, this is also the hardest part of the process and also might only be able to be found by a skilled professional and/or maybe only after repeated breaches and further re-infections which might reveal a pattern or leave a trail back to the open door.

    I realize this might have created more questions that it has answered for you so please feel free to write back if you need more clarity or help with any specific problems you encounter.

    in reply to: Redirect Malware not detected #84725

    Anti-Malware Admin
    Key Master

    There is lots of malware that has this affect and it can come in many different forms. In many cases the source code for the malware is removed but the symptoms persist because the malicious scripts were cached.

    If you have deleted all cache files, and disabled caching at all levels (browser, server, plugins, and browser), and you are still having this issue then please email me directly with the site details so that I can take a look.

    in reply to: He deleted the files and the site does not work #84606

    Anti-Malware Admin
    Key Master

    My plugin doesn’t delete files, it just removes the malicious code from the infected files and every change is automatically backed up in the Anti-Malware Quarantine. There is a link on the results page that will revert your changes in case something goes wrong and you can also review and revert any changes made from the Quarantine page in your wp-admin. Please contact me directly if you need more help but if you have deleted any files yourself (manually, not through my plugin) and you don’t have a backup then there is nothing I can do to help you with that, you may need to re-install WordPress if that is the case.

    in reply to: Locked myself out #83567

    Anti-Malware Admin
    Key Master

    There should be a way to unblock your IP but you would need to ask the developers of the plugin that has actually locked you out. My plugin does not use 403 errors to block IPs, so it must be some other security plugin you have installed that is doing this to you.

    Try logging in from another IP, maybe use your phone (on your mobile data, not wifi), then you can deactivate that other plugin that is causing this issue.

Viewing 15 posts - 76 through 90 (of 664 total)