Anti-Malware (Get Off Malicious Scripts)
[resolved] Anti Malware listed as malicious! (4 posts)

  1. ColinCook
    Member
    Posted 11 months ago #

    Hi all - just tried to update the definitions on this plug-in but it just took me to a page on my website.

    I then get an e-mail from 'WordPress Firewall' with the following:

    WordPress Firewall has detected and blocked a potential attack!
    Web Page: http://www.colincook.co.uk/wp-admin/admin.php?page=GOTMLS-settings
    Warning: URL may contain dangerous content!
    Offending IP: 188.223.31.204 [ Get IP location ]
    Offending Parameter: UPDATE_definitions_array =

    This may be a "WordPress-Specific SQL Injection Attack."

    Click here for more information on this type of attack.

    If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.

    Click here to whitelist this variable.
    Click here to turn off these emails.
    Repeated warnings for similar attacks are currently sent via email, click here to suppress them.

    Clicking to whitelist takes me to a page saying I don't have sufficient permissions (it's my site!).

    Can anyone help?

    http://wordpress.org/extend/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    This is a false positive from WordPress Firewall.

    They are detecting that you are attempting to post a string that contains "0x" followed by any two hex digits. This match is ridiculous, as my updates are now so large that they just happen to contain such a string.

    The simple solution is to whitelist your IP address (188.223.31.204) in the WordPress Firewall settings.

    Thank you for reporting this and please let me know if you need anything else.

    Aloha, Eli

  3. ColinCook
    Member
    Posted 11 months ago #

    Hi Eli and thanks for the prompt help, it's really appreciated!

    How do I whitelist the IP address (WP says I don’t have permission even though I am the only administrator) and what happens when my IP changes or I use a connection from a different computer/network?

    The IP being referred to isn’t the IP of my site but of the computer/network I am using.

    I guessed it was a false positive but by default there doesn’t seem to be a way around it or to install the updates manually?

    Thanks again for your help.

    Colin

  4. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    I can provide a manual update file if needed, but it changes all the time and you will need to get the updates whenever they are available.

    Whitelisting your IP is one workaround but you're right, it will only work for you as long as you keep that IP (yes, it is your own IP, not your server's IP, that needs to be whitelisted).

    Another workaround is to turn off that filter in the WordPress Firewall that says "Block WordPress specific terms". Then you can do the updates from any IP. You can always turn this feature back on after the update if you feel it is necessary.

    You may also be able to use the page whitelist feature at the bottom of the settings page but I've never tried it. I think you would have to use * for the Page and UPDATE_definitions_array for the Form Variable but I don't know that this will work.

    Please let me know if this works for you.

    Aloha, Eli
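
The false positive and the per-variable exception discussed in this thread, as an added example that is not part of the original posts and is not WordPress Firewall's own code. The rule is an assumption reconstructed from the description above ("0x" followed by two hex digits, taken here as case-insensitive); the request data is constructed, and the probability estimate assumes the update text behaves like uniformly random base64.

```python
import re

# Assumed rule, reconstructed from the description in the thread; the
# case-insensitive flag is also an assumption.
NAIVE_RULE = re.compile(r"0x[0-9a-f]{2}", re.IGNORECASE)

def inspect(page, params, allowlist=()):
    """Return [(variable, matched_text)] for parameters the rule would block.

    allowlist holds (page, variable) pairs; "*" as the page matches any page,
    mirroring the Page / Form Variable exception suggested in the thread.
    """
    hits = []
    for name, value in params.items():
        if any(p in ("*", page) and v == name for p, v in allowlist):
            continue  # exempt this one variable only; others stay inspected
        m = NAIVE_RULE.search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits

def false_positive_probability(length):
    """Approximate chance that random base64 text of `length` chars matches.

    Assumes characters are uniform over the 64-symbol base64 alphabet and
    treats start positions as independent (an approximation).
    """
    p = (1 / 64) * (2 / 64) * (22 / 64) ** 2  # '0', 'x' or 'X', two hex chars
    return 1 - (1 - p) ** max(length - 3, 0)

# Constructed sample request: a benign definitions blob that happens to
# contain "0x3A", plus an unrelated parameter carrying a hex literal.
PAGE = "admin.php?page=GOTMLS-settings"
REQUEST = {
    "UPDATE_definitions_array": "YToxOntzOjQ6Im5hbWUiO3M6NDoi0x3AZGVmcyI7fQ",
    "comment": "value 0x41 here",
}

if __name__ == "__main__":
    print(inspect(PAGE, REQUEST))
    print(inspect(PAGE, REQUEST, [("*", "UPDATE_definitions_array")]))
    for n in (100, 10_000, 100_000):
        print(n, round(false_positive_probability(n), 4))
```

Under these assumptions a 100 KB update trips the rule almost every time, while a short form field almost never does. The per-variable exception keeps the rule active for every other parameter and does not depend on the administrator's IP address.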
