Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 106 through 120 (of 686 total)
  • Author
    Posts
  • in reply to: Apache #95743

    Anti-Malware Admin
    Key Master

    The feature to Block XMLRPC Access uses an entry in your .htaccess files to prevent Apache from accessing the WordPress XMLRPC URL. If you are usign nginx or some other web-server (other than Apache) then this .htaccess restriction will have no effect.

    If you are using Apache but my plugin cannot detect it for some reason (maybe you have limited the information your server provides about what software you are running) then it should still work for you. You can still click on the “Block XMLRPC Access” button even if you see that warning but it just may not have the desired effect unless you really are using Apache ;-)

    in reply to: Cannot run scan since update #90988

    Anti-Malware Admin
    Key Master

    A quick internet search for “lb_postrender_handler” shows that this OB Handler was most likely injected into your sites with malicious code. My plugin just detects any and all uses of named OB Handlers because of the potential for any of them to adversely affect the output on your admin pages, specifically the results of the scan. Therefore, this warning can sometime point to an issue that needs to be dealt with immediately. In this case it sounds like it is an infection that is now spreading to al your other sites, so you definitely want to pin down where it is coming from.

    If you have truly deactivated all other plugins then my next guess would be that this malicious code has been added to your theme, although it is also possible that the code was injected into a WordPress core file.

    Then next step would be to reinstall a fresh copy of the theme that you are currently using and the then reinstall the WordPress core files.

    Just to confirm that this is your only course of action, I want to make sure that you have already run the Complete in my Anti-Malware plugin and that nothing was found, is that correct?

    in reply to: Empty index.php file inserted #89614

    Anti-Malware Admin
    Key Master

    Thank you for sending me an example of these index.php files you found throughout your site. As I mentioned in my direct reply, these new index.php files have nothing to do with my plugin. My Anti-Malware plugin does not create index.php files in every directory, but some other security plugins might do this to prevent directory browsing.

    There is no malicious code in that file you sent me so it is not likely to be part of a known threat.

    in reply to: htaccess files keep getting inserted #86016

    Anti-Malware Admin
    Key Master

    This is, unfortunately, a fairly typical situation you are describing. If you are hosting many sites on a shared hosting account with any of the major mass-hosting providers then one small break on any one site can lead to a massive widespread infection on all your sites. The main issue is that there is absolutely not internal security protecting all your sites from crossover contamination. Once you have a self-replicating threat on your account it simply copies itself to to every directory that it has access to (which is essentially all the folders on all your sites). At which point, the all the infected sites collaborate in rapidly re-spreading this threat into any place where you might be temporarily successful at removing it.

    Therefore, the only way to remove this type of threat is a well-timed all-encompassing mas-removal of every infection on every site at the same time, thus removing any chance it might have to reduplicate. My plugin can be useful in removing these threats from a whole site very quickly but you sill have to make sure that each site is cleaned at the same time so that they cannot reinfect each other. If even one of these active scripts is missed then you will soon find yourself right back where you started.

    Ideally, you would have a hosting environment that could “chroot” (isolate and make a virtually separate filesystem for) each site so that they cannot infect each other. This would make it easy to clean each site and keep them from getting reinfected. Then you could quickly ascertain which or your sites was responsible for this breach and work towards patching the original exploit. But this screamingly obvious solution goes against the ease of access that you and your hosting provider have grown accustomed to, and it would cripple you current control panel access. Think of like this, your control panel is nothing more than a set of PHP scripts that give you full control over all the sites on your account; any malicious planted on your site has the exact same access and therefore the same control over all your site.

    I know this is not the simple solution you were probably hoping for, but I wanted to paint a picture of the true nature of the unfortunate position you find yourself in so that you can start to understand the complexity of the many tactics that you might employ to combat this problem. With the understanding that this infection is exacerbated by the lax security of your hosting provider and multiplied by the sheer number of sites that you have on this account, I see two main approaches for you to take:

    a. Move all, or most, or at least some of your sites to another (hopefully more secure) hosting provider in order to compartmentalize your infection so that it is easier to treat in smaller doses.

    b. Devote a lot of energy and effort into a full-scale coordinated attack against every threat on your system at once, being aggressively vigilant and relentless on every front until you have squashed your opponent completely.

    With each of these approaches there are many different branches which can more or less effective depending on the nuances of your specific variant. The import thing to remember in your specific circumstance is that there are at least three objectives:

    1. The most obvious damage to your sites are these .htaccess files, which are crippling each site and clearly need to be removed in order to restore normal functionality.

    2. More important are the PHP scripts that are injected into various hiding places with your sites normal code, which are responsible for creating all those .htaccess files and also replicating themselves into other parts of your site and probably your other sites as well. All these must be removed together to ensure that none are left to make more clones all over again.

    3. Most importantly, you need to find the security vulnerability or exploit that allowed the original threat to be planted on your account in the first place. Unfortunately, this is also the hardest part of the process and also might only be able to be found by a skilled professional and/or maybe only after repeated breaches and further re-infections which might reveal a pattern or leave a trail back to the open door.

    I realize this might have created more questions that it has answered for you so please feel free to write back if you need more clarity or help with any specific problems you encounter.

    in reply to: Redirect Malware not detected #84725

    Anti-Malware Admin
    Key Master

    There is lots of malware that has this affect and it can come in many different forms. In many cases the source code for the malware is removed but the symptoms persist because the malicious scripts were cached.

    If you have deleted all cache files, and disabled caching at all levels (browser, server, plugins, and browser), and you are still having this issue then please email me directly with the site details so that I can take a look.

    in reply to: He deleted the files and the site does not work #84606

    Anti-Malware Admin
    Key Master

    My plugin doesn’t delete files, it just removes the malicious code from the infected files and every change is automatically backed up in the Anti-Malware Quarantine. There is a link on the results page that will revert your changes in case something goes wrong and you can also review and revert any changes made from the Quarantine page in your wp-admin. Please contact me directly if you need more help but if you have deleted any files yourself (manually, not through my plugin) and you don’t have a backup then there is nothing I can do to help you with that, you may need to re-install WordPress if that is the case.

    in reply to: Locked myself out #83567

    Anti-Malware Admin
    Key Master

    There should be a way to unblock your IP but you would need to ask the developers of the plugin that has actually locked you out. My plugin does not use 403 errors to block IPs, so it must be some other security plugin you have installed that is doing this to you.

    Try logging in from another IP, maybe use your phone (on your mobile data, not wifi), then you can deactivate that other plugin that is causing this issue.


    Anti-Malware Admin
    Key Master

    Thanks so much for sending me this file. I have added this new variant of this malicious script injection into my latest definition update so that it can now be automatically removed using my plugin. Please download the latest definitions and let me know if you find any more.

    in reply to: .class-wp-cache.php #80709

    Anti-Malware Admin
    Key Master

    If you want to email me directly with an admin login then I can take a look but the key to finding the source of this issue is in the access_log files. Without the the info from the access_log files it’s like hunting blind. If you want me to look at it for you then please also send me the latest access_log file for this site (ask your hosting provider where to find that file if you are not sure).

    in reply to: Any news on the autoscan / schedule feature? #80613

    Anti-Malware Admin
    Key Master

    Yes, it’s been a while, and yes, I’m still working on it. It been a roller-coaster ride for me in my personal life over the last couple years and it’s been all I could do to keep up with the updates of all the new threats, but I am making time for this new feature now and it really should be soon that I have something available. Thanks for your continued interest. I will let you know when I am ready to start beta testing the new auto scan feature ;-)

    in reply to: .class-wp-cache.php #80611

    Anti-Malware Admin
    Key Master

    You need to fix whatever vulnerability has been allowing this exploit. If it’s a crossover attack from another infected site on the same shared hosting server then you should probably move you site to more secure host.

    Change all your passwords. Look for any rogue admin accounts in your users. Check the access_log files on your server to see what activity there was at the exact time of the last infection.

    in reply to: How to change registration email. #78561

    Anti-Malware Admin
    Key Master

    The official method would be to login to https://gotmls.net/members/ with that email address you first used and then transfer that registration to the new email address… but there is also a “secret” shortcut in your wp-admin that will bring up the pre-filled registration form again, just click on your registration key, then you can enter preferred email address a submit the form again to re-register under that new email.

    in reply to: Your Installation Key is not registered! #77319

    Anti-Malware Admin
    Key Master

    This is usually caused by a script blocker or JavaScript error on the browser side. Please check the Console tab in your browser’s Inspector on that page to see if it tells you what is causing this. Also make sure that you clear the cache and disable any caching plugin on your site in case this is just a cached response.

    in reply to: File Uploader not found #76088

    Anti-Malware Admin
    Key Master

    Thanks for all the malware files. I have added all these to my definition updates. Let download the latest definitions and let me know if you find any more ;-)

    in reply to: 20i malware scanner flags GOTMLS #75099

    Anti-Malware Admin
    Key Master

    Thank your for informing me of this false positive. I don’t know what software they are using to make this determination but it is obviously wrong. I submitted a support ticket with MakersHost when you posted this support topic and have still not heard back from them, is that normal in your experience?

    Based on the screenshot you provided I was able to make a guess that their detection might be because I am using the error_reporting function in my code for debugging server errors. I have just release a new plugin update without that debugging code to see if that resolves the issue. Could you please download the new version 4.21.84 of my plugin and see if it is still detected by your host?

Viewing 15 posts - 106 through 120 (of 686 total)