Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 121 through 135 (of 664 total)

    in reply to: All my sites are down #34207

    Anti-Malware Admin
    Key Master

    A firewall like mine can stop many of the most common attacks from adversely affecting your site, but no firewall can stop your site from getting hacked; there are just too many ways for hackers to get into your server that a firewall cannot control. If you are using any firewalls and all your sites got hacked then it sounds like it was either a root level attack on your server or else your account or control panel on the server was hacked. You need to talk to your hosting provider to secure the server and your account.

    If you need my help with anything here then you should contact me directly via email (do not share any personal info on this public forum):

    eli AT gotmls DOT net

    in reply to: wp-load.php after fix re-infected immediately #49823

    Anti-Malware Admin
    Key Master

    Just closing this topic since all threats mentioned here have been added to my definition updates. Please start a new topic if you have a similar issue and need more help.

    in reply to: server responded with 0 code #30413

    Anti-Malware Admin
    Key Master

    I have not heard of this issue before. Perhaps there is some plugin that has modified your upload parameters causing them to look more like some kind of attack. You can start by disabling all the Firewall Rules on my Anti-Malware plugin to confirm that it is my Firewall that is blocking your uploads. Then you can turn them back on one at a time to see which rule is causing this issue for you.

    You could also try disabling all other plugins to see which one is conflicting with my plugin’s Firewall rules.

    in reply to: Do you still need Wordfence #28645

    Anti-Malware Admin
    Key Master

    Both plugins block some intrusion attempts and both plugins can remove any malware we know about. It doesn’t hurt to have both installed at once and the more protection you have the safer your site will be ;-)

    in reply to: Submitting new malware #28642

    Anti-Malware Admin
    Key Master

    Thank you for posting this new variant. I just wanted to follow up and let you know that this was added to my definition updates so that it can be removed automatically.

    in reply to: Valid Noce Token not loading #18926

    Anti-Malware Admin
    Key Master

    The Nonce Tokens are automatically generated and stored as a transient record in your wp-options table every time you load the page. If you got this message once it was probably a fluke or you let the page sit for a day before starting the scan and the token really did time out. But if you load the Anti-Malware Settings page and then start the scan right away and it gives you this error message every time then it means that there is something wrong with your database that is preventing the Nonce Tokens from being stored at all, and this also means that other settings stored in the wp-options table cannot be saved either.

    Try to create a new record in that table; if it fails then check the error_log for any details that might explain why it doesn’t work. It might be that the Primary Key is not set to AUTO-INCREMENT or that the AUTO-INCREMENT value is set lower than the highest value in the option_id column.

    in reply to: Admin access locked #18668

    Anti-Malware Admin
    Key Master

    This error might have been logged when you tried to run the Quick Scan if there were lots of files in the scan path or it was finding lots of threats and the scan was taking a long time and so was thus unable to finish before your server timed out and killed the process. You might try running the Complete Scan instead of the Quick Scans. Also, you could cross-reference the times in your access_log and error_log files and compare those to see what you were doing on the site at the time of the error.

    As the error suggests there is no php process that is allowed to run for more than 60 seconds so that error is not connected with your inability to login for an hour.

    My plugin also does not ban you from logging in for the span of an hour or any other length of time. I suspect that you have some other security plugin on your site that is causing these other issues.
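One way to do the access_log and error_log cross-reference suggested in the reply above, as an added example that is not part of the original post or the plugin's code. It assumes the combined access_log format and PHP's `[DD-Mon-YYYY HH:MM:SS UTC]` error_log stamps; the log lines, client address and file path are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
ERROR_RE = re.compile(r'^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] (.*)$')

def parse_access(lines):
    """Yield (time, client, method, path) from combined-format access_log lines."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when, m.group(1), m.group(3), m.group(4)

def parse_errors(lines):
    """Yield (time, message) from PHP error_log lines stamped in UTC (assumed)."""
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            yield when.replace(tzinfo=timezone.utc), m.group(2)

def requests_before_errors(access_lines, error_lines, window=60, slack=5):
    """Pair each error with the requests received up to window+slack seconds before it."""
    requests = list(parse_access(access_lines))
    span = timedelta(seconds=window + slack)
    report = []
    for err_time, message in parse_errors(error_lines):
        near = [(m, p) for t, _c, m, p in requests if err_time - span <= t <= err_time]
        report.append((message, near))
    return report

# Constructed sample lines (not from the thread); 203.0.113.7 is a documentation address.
ACCESS_LOG = [
    '203.0.113.7 - - [10/Aug/2020:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3021',
    '203.0.113.7 - - [10/Aug/2020:14:03:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Aug/2020:14:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
]
ERROR_LOG = [
    '[10-Aug-2020 14:04:20 UTC] PHP Fatal error:  Maximum execution time of 60 seconds '
    'exceeded in /path/to/plugin-file.php on line 1',
]

if __name__ == "__main__":
    for message, near in requests_before_errors(ACCESS_LOG, ERROR_LOG):
        print(message, "<-", near)
```

The 60-second window matches the execution limit mentioned in the reply; the few seconds of slack allow for clock and logging delay.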

    in reply to: Admin access locked #17752

    Anti-Malware Admin
    Key Master

    The Firewall options in my plugin never return a 403 Forbidden message but only use a 301 Redirect to block bad traffic, so that issue you were having must have been caused by something other than my plugin.

    in reply to: Core File Changes scan #17578

    Anti-Malware Admin
    Key Master

    I just installed the Core Files for WP 5.5 into my Definition Updates. Please make sure that the Automatic Update feature is enabled and click Save to download the latest definitions.

    in reply to: Auto Fix Files now – Crashed Website #15960

    Anti-Malware Admin
    Key Master

    I am very sorry for the trouble you had with this plugin. I have examined the file in question and found that, while the method they are using to include this JavaScript code is improper and may not be safe, it is also not malicious and I can see how my existing definitions of this threat would leave the wp-fullcalendar.php file broken with a syntax error. So I have corrected this and released a definition update that will ensure that this file will not be broken by any future scan/fix runs.

    I am also concerned that the recovery link didn’t work for you. This is supposed to be a fail-safe that should ensure that any problem like this would be easy to revert and undo, even if it were to cause the site to crash. Can you tell me anything more about this? I can see that your server has some kind of firewall that appears to be blocking my plugin from employing the fix with a message: refused to connect.
    ERR_BLOCKED_BY_RESPONSE

    I have never seen this before and so I’m curious about what server would be blocking my plugin’s response that would have allowed you to fix this issue. Is there anything that you can share with me that might help me understand why this feature is blocked?

    I totally understand that you are not impressed by the awful experience that you had and I hope that you accept my apology and my reassurance that I have taken steps to ensure that this will not happen again. I also wish that you would have contacted me sooner, before you spent all that time fixing the files that got screwed up, because I would like to think that I could have helped you revert the changes without too much trouble and then maybe I also would have discovered why the recovery link was blocked on your server.

    Please let me know if you have any more information for me or if there is anything else I can help you with, but I will understand if your lost confidence in me and my plugin is irreversible. And I thank you anyway for the information that you have already shared, as it has helped to ensure that others will not have this problem with the wp-fullcalendar plugin.

    in reply to: Malicious Site Blocked! #14246

    Anti-Malware Admin
    Key Master

    Here is a list of caching plugins available for WordPress:

    https://wordpress.org/plugins/search/cache/

    All of these, by the nature of what they do, can make it difficult to remove all the malware on your site, as their purpose is to create copies of your site’s generated output (including any output generated by malware) and display that saved code (even if it has malware in it).

    Additionally, some of these plugins may interfere with the scan process by intercepting the generated output from the scan results, thereby potentially slowing the scan or sometimes even altering the results before they are displayed.

    Therefore, it is generally advised to disable all caching and delete all cache files before scanning for malware on any site.

    in reply to: Malicious Site Blocked! #13793

    Anti-Malware Admin
    Key Master

    If your server has any caching software installed or if you use any caching plugin on your site then you should clear those cache files too. Maybe even disable any server-side caching while you are working on this issue. Cache files can preserve the appearance of malicious threats on your site even after you have removed the malicious code.

    in reply to: Redirection #13419

    Anti-Malware Admin
    Key Master

    It sounds like this is an issue with the Brute-Force Login Protection which is enabled on the Firewall Settings page in your wp-admin. If you disable that option does it fix this problem?

    Can you give me the Error Number from the redirect landing page so that I can give you more information about what might be causing this issue for you?

    in reply to: Malicious Site Blocked! #12920

    Anti-Malware Admin
    Key Master

    I’m not sure why some of your posts are not showing anything on this forum but I got your plugin lists and there are a lot of Ad Plugins that I guess you use to generate ad revenue on your site. My first guess would be that one of those is responsible for adding that propu[.]sh script into your footer. I would suggest that you try deactivating those plugins and then clear your cache and see if that malicious JavaScript still shows up in the HTML of your footer section.

    in reply to: Malicious Site Blocked! #12909

    Anti-Malware Admin
    Key Master

    Thanks for sending me your footer.php file. Unfortunately this malicious JavaScript was not generated from within that file.

    After seeing that file it is clear that this malicious code is being generated by another file using the wp_footer hook. This could be a rogue plugin file or a hacked WP Core file or maybe even some new filter/action added to the functions.php file.

    Can you send me a list of your plugins (a screenshot of the Installed Plugins page in your wp-admin will do), and a list of all the folders in your /wp-content/plugins/ directory too?
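A way to locate which files register a callback on the wp_footer hook discussed in the reply above, as an added example that is not part of the original post or the plugin's code. It labels each hit by the plugin or theme folder that owns it so the result can be compared with the Installed Plugins list; the sample tree, folder names and callback names are constructed for illustration.

```python
import os
import re
import tempfile

# add_action()/add_filter() calls whose hook name is the literal string wp_footer.
HOOK_RE = re.compile(r"""add_(?:action|filter)\s*\(\s*['"]wp_footer['"]""")

def owner_of(rel_path):
    """Label a path relative to the WordPress root: plugin:<dir>, theme:<dir> or other."""
    parts = rel_path.split("/")
    if parts[:2] == ["wp-content", "plugins"]:
        # A PHP file dropped straight into plugins/ has no folder of its own.
        return "plugin:" + (parts[2] if len(parts) > 3 else "(loose file)")
    if parts[:2] == ["wp-content", "themes"] and len(parts) > 3:
        return "theme:" + parts[2]
    return "other"

def find_footer_hooks(wp_root):
    """Return sorted (owner, relative_path, line_number) per wp_footer registration."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            # Search the whole file so calls split across lines are still found.
            for m in HOOK_RE.finditer(source):
                hits.append((owner_of(rel), rel, source.count("\n", 0, m.start()) + 1))
    return sorted(hits)

def build_sample_tree(root):
    """Write a small constructed tree (not taken from the thread) for an offline run."""
    samples = {
        "wp-content/themes/mytheme/footer.php": "<?php wp_footer(); ?>\n",
        "wp-content/themes/mytheme/functions.php": "<?php\nadd_action( 'wp_footer', 'mytheme_credits' );\n",
        "wp-content/plugins/ad-widget/ad-widget.php": "<?php\nadd_action(\n  'wp_footer',\n  'adw_print_script'\n);\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*find_footer_hooks(tmp), sep="\n")
```

An empty result does not clear a site: a registration built from an encoded or concatenated string will not match the literal pattern.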
