Forum Replies Created
November 30, 2022 at 1:47 pm in reply to: Reply To: Auto creation of malicious admin account not detected by plugin #85202
Thanks so much for sending me this file. I have added this new variant of this malicious script injection into my latest definition update so that it can now be automatically removed using my plugin. Please download the latest definitions and let me know if you find any more.
If you want to email me directly with an admin login then I can take a look but the key to finding the source of this issue is in the access_log files. Without the info from the access_log files it’s like hunting blind. If you want me to look at it for you then please also send me the latest access_log file for this site (ask your hosting provider where to find that file if you are not sure).
Yes, it’s been a while, and yes, I’m still working on it. It’s been a roller-coaster ride for me in my personal life over the last couple years and it’s been all I could do to keep up with the updates of all the new threats, but I am making time for this new feature now and it really should be soon that I have something available. Thanks for your continued interest. I will let you know when I am ready to start beta testing the new auto scan feature.
You need to fix whatever vulnerability has been allowing this exploit. If it’s a crossover attack from another infected site on the same shared hosting server then you should probably move your site to a more secure host.
Change all your passwords. Look for any rogue admin accounts in your users. Check the access_log files on your server to see what activity there was at the exact time of the last infection.
The official method would be to log in to https://gotmls.net/members/ with that email address you first used and then transfer that registration to the new email address… but there is also a “secret” shortcut in your wp-admin that will bring up the pre-filled registration form again, just click on your registration key, then you can enter your preferred email address and submit the form again to re-register under that new email.
This is usually caused by a script blocker or JavaScript error on the browser side. Please check the Console tab in your browser’s Inspector on that page to see if it tells you what is causing this. Also make sure that you clear the cache and disable any caching plugin on your site in case this is just a cached response.
Thanks for all the malware files. I have added all these to my definition updates. Please download the latest definitions and let me know if you find any more.
Thank you for informing me of this false positive. I don’t know what software they are using to make this determination but it is obviously wrong. I submitted a support ticket with MakersHost when you posted this support topic and have still not heard back from them, is that normal in your experience?
Based on the screenshot you provided I was able to make a guess that their detection might be because I am using the error_reporting function in my code for debugging server errors. I have just released a new plugin update without that debugging code to see if that resolves the issue. Could you please download the new version 4.21.84 of my plugin and see if it is still detected by your host?
Whatever vulnerability must have been on the server to allow this infection in the first place might still be present. You will need to find the security hole and patch it. If these sites are on a shared hosting platform they could easily be infecting each other.
You need to review the log files on your server which correspond to the activity at the exact time of the infections. You can get all the infection times from the Anti-malware Quarantine page in your wp-admin. The activity in your log files at those times should lead you to the vulnerability that needs to be patched.
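The log review described in the reply above can be scripted. The following is an added example, not part of the original post or the plugin: it assumes an Apache/Nginx "combined" format access_log and infection times copied from the Quarantine page and converted to timezone-aware datetimes; the function names and sample data are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# "combined" format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_lines, infection_times, window_seconds=60):
    """Map each infection time to the requests logged within +/- the window."""
    window = timedelta(seconds=window_seconds)
    hits = {t: [] for t in infection_times}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-standard lines
        for t in infection_times:
            if abs(rec["ts"] - t) <= window:
                hits[t].append(rec)
    return hits

def rank_for_review(records):
    """Heuristic order for a reviewer: successful POSTs first, then by time."""
    return sorted(records, key=lambda r: (r["method"] != "POST",
                                          r["status"] != "200", r["ts"]))

# Constructed sample data (documentation IP ranges, made-up times).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2022:03:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jan/2022:03:11:58 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jan/2022:03:12:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "curl/7.0"',
    '198.51.100.7 - - [15/Jan/2022:03:12:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line',
    '198.51.100.7 - - [15/Jan/2022:03:40:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
INFECTION_TIMES = [datetime(2022, 1, 15, 3, 12, 5, tzinfo=timezone.utc)]

if __name__ == "__main__":
    for t, recs in requests_near(SAMPLE_LOG, INFECTION_TIMES).items():
        print("Infection at", t.isoformat())
        for r in rank_for_review(recs):
            print(" ", r["ts"].time(), r["ip"], r["method"], r["path"], r["status"])
```

The ranking only decides which requests to read first; the request that precedes each infection time still has to be examined by hand.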
September 1, 2022 at 5:18 am in reply to: I´m pritty sure it is a shadCode !!! but the scanner didn´t find them #76181
I have added these new variants to my definition updates. Thanks for sending me the full code. Please download the latest definitions and let me know if you find any more.
It is not normal for a healthy site but it is a well-known problem on infected sites. It is not uncommon for certain infections to inject .htaccess files into every directory on your site, and those files should be cleaned using the automatic fix option on the scan results page in my plugin.
Sorry I missed this post, are you still having this issue?
The only clue I can see from your video is that there are a lot of Admin Notices warning about output buffer handlers. I would suggest that you start there because it cannot be good for your admin pages (especially my plugin’s scan page) to be running through a custom output buffer handler. If you deactivate all the plugins causing those warnings and the scan still does not start then you will need to look in your error_log file to see what is causing this (your video was not long enough to see if the page would eventually load with some error message).
Please let me know if you need any more help with this issue. Also note that a direct email to me will usually get you a faster response.
This does not seem to be related to my plugin. I cannot recreate the issue. Can you confirm that the Author section of the Edit Post screen is there if you deactivate my plugin?
Most of them are probably skipped because they are binary files that do not contain code that could be executed on your server (like images and compressed files). Some may also be empty files and are skipped because they cannot contain malicious code if they contain no code at all.
You should be able to click on the skipped files count and then hover over the files on that list to display the reason.
You can also change the comma separated list of file extensions that are skipped but that would only slow down the scan process with no better results.
March 13, 2022 at 9:59 am in reply to: Your Installation Key is not registered Plugin Up to Date #63380
In general I would say that this kind of issue is most commonly caused by some sort of JavaScript error or CSP restrictions on your end. I can’t be certain without more information from you but you can check the Console in your browser to see what error is causing it to fail the reg-check.
Also, if you contact me directly via email then I can help you with any account specific questions, without posting personal details on the forum.