Anti-Malware (Get Off Malicious Scripts)
[resolved] [Plugin: Get Off Malicious Scripts (Anti-Malware)] Is this plugin grabbing information from my site? (19 posts)

  1. juggledad
    Member
    Posted 2 years ago #

    I installed this plugin on a site and got an installation key. I then added a fresh copy to another site on the same machine and when I activated it - lo and behold, it already had the installation key FROM THE OTHER SITE.

    Where is the installation key being stored?

    Is this plugin storing information about my sites on your computer?? What are you using it for???

    And why is a lot of the code being used by the plugin hidden in the index.php file that is in the 'images' folder? I get nervous about things like this.

    http://wordpress.org/extend/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Whoa there buddy...

    First of all I am not hiding any code anywhere. This is an open source plugin written specifically to help other find "hidden" malicious code on their sites. I would appreciate it if you didn't start slandering my plugin before you know what it does. The index.php file in the images directory performs many important tasks:

    1. It downloads new definition files for you.
    2. It checks your admin page after an automatic fix.
    3. It can undo an automatic fix if that fix broke your admin.
    4. It helps prevent others from seeing a list of files in that directory.

    Now, I will try and answer all your other questions by explaining the registration process. First, when you go to the settings page for Anti-Malware in your wp-admin, if you have not yet registered, you will see a registration form on the right sidebar. This form is pre-populated with information from your WP DB to make it easy for you to register but it is all changeable prior to submission. The Installation Key is auto-generated using info unique to each site so it should be different on each site. When you submit this form to my site I am then collecting that data, creating a user for you on gotmls.net, and then yes, I am storing your registration information. I then match your key when my plugin checks for definition updates to make sure you are a registered user.

    That's it, so if you have any other questions or concerns please let me know.

    Aloha, Eli

  3. juggledad
    Member
    Posted 2 years ago #

    Ok, I have two sites A and B. I added the plugin to A and got an installation key.

    I now go to B and add the plugin and activate it - oh look, there is the installation key from site A.

    So where is the installation key stored? Is it stored on my site? in the DB? in a file?

  4. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Can you please email me some details?

    What are the two domains and the keys for each one.

    DO NOT POST THAT INFO HERE.

    email this info to: registrations at gotmls dot net

  5. juggledad
    Member
    Posted 2 years ago #

    I'll be happy to, but you still haven't answered my basic question.
    Where is the installation key stored?

  6. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    In the first post I said "When you submit this form to my site I am then collecting that data, creating a user for you on gotmls.net, and then yes, I am storing your registration information".
    To summarize, I am storing your key on gotmls.net with your user registration. I can give you a lot more information that may help you if you give me your registration details but I don't want any personal info posted here so please email me or leave a comment on gotmls.net/members/

  7. juggledad
    Member
    Posted 2 years ago #

    You may be a very nice person trying to give back to the community, but I see some issues, so let me see if I have this correct.

    1) When anyone registers for a key, the key is stored on your site, not theirs.
    2) Each time they go to the 'Anti-Malware' option, requests are sent to both 'wordpress.ieonly.com' and 'gotmls.net' under the covers.
    3) The site admin has no control over this.
    4) The site admin can't delete the key since it is not stored on their site.
    5) The site admin has no idea what information you might be collecting.

    Looking at things this way, I am very suspicious - sorry, but with all the malware and hacking going on in WordPress sites, that's the way I am.

    So can you convince me or anyone else that we should trust this plugin?

  8. Juggledad - did you install a fresh copy of the plugin or, like I do when I'm lazy, copy it over from Site A?

    Eli - if you can elaborate on where the registration info is stored, that would be great. I THINK you're saying "I keep a record on gotmls.com with your ID/Email and the code." which is fine, but in light of a user having it AUTO inserted into a site, it is something we should double check. You don't have to use user IDs to explain how it works :)

    FWIW, phoning home is fine, IF there's a justifiable reason for it. Of course you have to send proof of ownership to verify a license, BUT unless that license is being used for an API of sorts, or access to paid content, it could be an issue.

    What is this GotMLs doing that requires a user ID/key setup?

  9. juggledad
    Member
    Posted 2 years ago #

    First time I did a copy, then I created a new site and put in a fresh copy.

  10. Fresh from the plugin page?

    Eli, in doing a quick read-through of the plugin, there are some ... hinky things.

    Nowhere in your plugin page do you say there's a need for registration. That must be explicitly clear so people know what they're getting into. If people have to register and get a key, put that in the Installation notes at the very least.

    It does send an email on error. You should take that out. Emailing without explicit permission is a little shady:
    http://plugins.trac.wordpress.org/browser/gotmls/trunk/index.php?rev=528278#L78

    The .images/index.php file has a call to 'update' definitions. So these definitions are being pulled down from your server and updated on the user? How is this going to handle plugin updates (which delete that folder). Why, if the file's just being downloaded anyway, did you not just include it in the plugin?
    http://plugins.trac.wordpress.org/browser/gotmls/trunk/images/index.php?rev=528278#L95

    /images/tt2.php looks like it's just a copy of the timthumb file. I take it you're putting it there to 'replace' if you find an old version of TimThumb? I'd advise against that, since timthumb has been yanked from the WP theme repo and, like as not, may be pulled from plugins. Just check for it and tell them WHERE to get the latest and greatest. Also you're not using the latest version. http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php

  11. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Ipstenu,
    My Plugin can be used out-of-the-box and without registration to find files on your server that use eval() code. Only if you register do you get definitions for "known threats" that I have personally identified before. You can then automatically remove these "known threats" from the files they have infected. Because I have worked very hard on this automatic removal and because it has the potential to remove code that may result in a broken site, I find it essential that I only offer this feature to registered users who have already shown the initiative to follow through and make personal contact with me (my site).

    I have considered charging for registration but I still consider this plugin BETA and want to work out the kinks first. There is also the possibility that I could receive enough donations to stay afloat without ever charging (it's a dream, but it could happen).

    To address your concerns about "hinky things":

    1. I will make it explicitly clear, in the Installation notes at the very least, the benefits of registering on my external site gotmls.NET (not .com).
    2. The mail() line is in the function GOTMLS_debug() which is not being called anywhere in the released version. I only use that for pre-release debugging, but I will rem it out in future releases.
    3. The definitions can be updated from a file but the updates are now being stored in the DB so they will not be lost.
    4. Yes, tt2.php is a copy of the timthumb version 2.8 file. This was an essential step in patching my own server when it was hacked. I did initially use the latest version but my host (BlueHost) started overwriting my newer timthumbs with version 2.8, so I just started using 2.8 to replace anything under 2.0 (as it is 1.x versions that are exploitable). I will look into a better solution here but for now this seems to work best as there are still a lot of vulnerable timthumb 1.x out there.

    I will release a new version of my plugin soon to address these issues.

    Aloha, Eli

  12. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    juggledad,

    I understand you are very suspicious, as am I. My reputation is important to me as you can see from the quality and care I put into my work and my willingness to be contacted directly at many levels. I am not an anonymous blip on the internet. You have my email and URLs. You can read my personal blog, about my work, about my family.

    I have offered to help you with your issue. You have yet to make that personal contact. You are the anonymous one. I wrote this plugin to cleanup my BlueHost account after it got hacked. It was a lot of work and it is an invaluable asset to me. So I fixed it up nice and released it for others to use (for free).

    When it comes to trust it's up to you. I myself have been trespassed on in many different ways by many different people and even large corporations. I judge trust in a person based on my interaction with that person. If you took the initiative to make personal contact with me I'm sure you would come to trust me as all my friends and clients do. But it is up to you to make that small leap of faith. I feel that I have explained and justified every aspect of my plugin that you and Ipstenu have scrutinized. I offer this plugin with pure intentions and the utmost trust in others to download and use it for their own good. Take it or leave it. The decisions of trust can only be yours.

    "I can only show you the door, you must be the one to walk through it." :)

    I would like to get an email from you so that I can figure out if there really is a "duplicate key" issue. If there is, yours is the first I've heard of it, and I would like to get it fixed so that it doesn't happen again.

    Mahalo, Eli

  13. FWIW, Beta or not, you released it into the wild, you gotta be clear on what it is, what it does, what it doesn't, and what support there is ;)

    BTW, I'm wearing my Moderator Hat in this thread, with my 'Plugin Monitor' armband. I'm not about to yank your plugin from the repo, there were just oddities that caught my eye.

    My Plugin can be used out-of-the-box and without registration to find files on your server that use eval() code. Only if you register do you get definitions for "known threats" that I have personally identified before.

    Cool. Make that clear then.

    The definitions can be updated from a file but the updates are now being stored in the DB so they will not be lost.

    Hmm. So you pull the definitions from your website, only if you've registered? Did I get that right? That's an edge case, but I think it falls within the reasonable usage of a phone-home (you're not gathering information, you're just pulling down new defs). The DB is a good place for that :)

    Bluehost and TimThumb is part of why I say this probably shouldn't be in your plugin. When the TimThumb exploit happened, VaultPress updated everyone's sites. This would impact your plugin: http://blog.vaultpress.com/2011/08/04/712-fewer-vulnerable-timthumb-scripts/

    Basically, given the nature of THAT hack, it or anything like it will be dealt with best by the hosts or the user being told.

  14. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Ipstenu,

    I understand and appreciate your input and your role here.

    My own sense of responsibility mandates me to only release my definition updates to registered users. These updates enable automatic removal of "known threats" and that comes with a certain amount of risk. If my plugin breaks someone's site by removing required code from a script I want a pre-established relationship with this person so that they may more easily and readily contact me for support. I have already had many comments on my site by registered users that I have responded to and, in some cases, released upgrades/updates for. I even granted the request of a registrant, who said he was just testing my plugin, and completely removed his account from my server.

    As for timthumb, it is great that the vulnerabilities are being addressed by some hosts but old versions are still widespread and my technique for patching them is still effective and crucial. My plugin updated hundreds of old timthumb files across many sites on all my servers and hosting accounts before any host had taken any steps to correct it. As long as this code has a chance of doing some good for some people I will leave it in. It certainly doesn't do any harm to have it check for this vulnerability.

    Mahalo for your time in this, Eli

  15. Sure, that makes sense and that's why I said it's an edge case, but I think it's acceptable :) Totally understandable to want to keep definitions out of the hands of a quick scan, and make it easier to update without spamming the hell out of everyone with plugin updates.

    I can't say for sure if plugins with timthumb will be yanked from the repo (IMO, they should be, since we don't permit themes with it anymore). Detection is fine, including would be a vulnerability issue (since, if that version you have has a hole, you've just introduced one by accident). But I thought, since you've got it, I should probably mention it :) Other similar plugins just scan for a reason. THEY no longer have to worry about maintaining.

    If anything, I'd change it to detect and pull from source, not your plugin. Hook it up to the official google code repository.

  16. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Other similar plugins just scan for a reason. THEY no longer have to worry about maintaining.

    Sorry, I don't understand, what do you mean by this?

  17. By including TimThumb in your plugin, you are now responsible for ensuring the following (of someone else's code) :

    1) That version isn't hackable
    2) That version is always the latest and greatest (it's not)
    3) That version won't conflict with/break the rest of their site
    4) Their site won't be hacked with your provided version

    Frankly? That's just a bad idea to get involved with. You don't need the headache of being responsible for someone else's code. Alerting people is a different beast than fixing for them.

    Check out how Sucuri does it in their plugin. Fixes are hands on. You can't automate a fix like that for everyone, just due to the massive variations out there, and you're setting yourself up for disaster if you try. That's part of why WP doesn't have a 'This will fix your hacks!' tool. If TT is compromised, you should be resetting passwords and scrubbing your files like mad, not relying on an auto-replace.
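    The detect-and-report approach Ipstenu argues for above, as an added example that is not the plugin's own code: it walks a WordPress tree, finds files that identify themselves as TimThumb, reads their VERSION define and flags copies below 2.8.10 without rewriting anything on disk. It assumes TimThumb files name themselves in a header comment and declare `define ('VERSION', ...)`; the sample tree is constructed for the demo.

```python
"""Detect-and-report check for TimThumb copies under a WordPress tree (added
example, not the plugin's code): files are read and flagged, never overwritten."""
import os
import re
import tempfile

# Assumption: TimThumb declares its version as  define ('VERSION', 'x.y.z');
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")
# Assumption: the file names itself "TimThumb" in its header comment.
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)
MIN_VERSION = "2.8.10"  # the version the thread names as current

def parse_version(text):
    """Return the declared VERSION as an int tuple, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan_for_timthumb(root, min_version=MIN_VERSION):
    """Sorted (relative path, version string, outdated) per TimThumb-like file."""
    minimum = tuple(int(p) for p in min_version.split("."))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                head = fh.read(4096)  # the define sits in the file header
            if not MARKER_RE.search(head):
                continue
            ver = parse_version(head)
            shown = ".".join(map(str, ver)) if ver else "unknown"
            # A copy whose version cannot be parsed is reported, not trusted.
            outdated = ver is None or ver < minimum
            findings.append((os.path.relpath(path, root), shown, outdated))
    return sorted(findings)

def build_fixture():
    """Constructed sample tree: a 1.x copy, a bare 2.8 copy, a current copy and
    an unrelated PHP file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    samples = [("wp-content/themes/old/timthumb.php", "1.34"),
               ("wp-content/plugins/gotmls/images/tt2.php", "2.8"),
               ("wp-content/themes/new/thumb.php", "2.8.10"),
               ("wp-content/plugins/other/index.php", None)]
    for rel, ver in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php\n// Silence is golden.\n" if ver is None else
                     f"<?php\n// TimThumb script\ndefine ('VERSION', '{ver}');\n")
    return root

if __name__ == "__main__":
    # Owners are told which copies to update and where the current release is.
    for rel, shown, outdated in scan_for_timthumb(build_fixture()):
        print("OUTDATED" if outdated else "OK      ", rel, f"v{shown}")
```

    Point the scan at a real webroot and act on the OUTDATED lines by fetching the current release from the upstream repository, which is the alert-and-fix-yourself model the thread recommends.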

  18. juggledad
    Member
    Posted 2 years ago #

    I have sent you the registration key in an email.

    BTW, you are replacing timthumb with version 2.8 but the current version is 2.8.10.

  19. Eli
    Member
    Plugin Author

    Posted 2 years ago #

    Ipstenu,

    I got an email from plugins@wordpress.org saying:

    In an effort to preserve the security of WordPress.org sites, we are requiring all plugins that make use of TimThumb to update to the most recent version by Monday, April 16th.

    So I have updated the timthumb version that I am using to patch old versions with to the newest version 2.8.10 as a temporary quick fix. I think I will later remove it from distribution within my plugin but add a way for users to automatically download the latest version directly from the Google Code Repository.

    As for "Other similar plugins", well, I really don't like to brag but since you brought them up:

    • VaultPress - You posted a link to their article that brags about fixing 712 timthumb files (something you just told me was a "bad idea"). I would guesstimate that my plugin has already patched more old timthumbs than that, given that it has been downloaded over 1,400 times and it fixed over 100 older timthumb files on my servers alone.
    • Sucuri - Their inadequate scan did nothing for my own server's infections (it didn't even find most of them). Even though they say "your site for malware using Sucuri SiteCheck right in your WordPress dashboard" they are actually using an outside url (sitecheck.sucuri.net) to perform the scan (maybe you should be picking on them for that ;). And to top it all off, if you click on any of the gazillion links to their site you will find that what they really want is for you to pay them a few hundred dollars to fix your site. It seems to me that they are just using their "Plugin" to promote their services and drive potential customers to their site.

    I am:

    • Brave enough to release my own code, for free, to the world.
    • Intelligent enough to write a program that actually works very well for most people who need it.
    • Tenacious enough to stand firm on my decision to take bold actions against these malicious hacks.
    • Creative enough to build a powerful plugin that you don't have to be a programmer to use to remove real "known threats" from your server.
    • Honest about my goals, intentions, and methods. Willing to answer any questions anyone may have about my plugin.

    I think those are all attributes that you can appreciate :)

    Anyway, I will continue to support my plugin as an attempt to "Get it fixed", not just another "foo-foo scan your site and do nothing about it" plugin. As I see it, WordPress is only thriving because of all the plugins that everyone has contributed to make it do anything you need it to do. I think WP could be a little more supportive of someone like me who has something really great to offer the community. I had originally written this plugin for myself but I have spent a lot of time nicing it up for others to use too.

    I had wanted to give it away, in the spirit of free software, and in the hopes that people would show their gratitude by making generous donations. I am now feeling like this could become a full time job for me to maintain and support and, although I have received a few donations already, it is not enough to support my family while I devote myself to this project. Perhaps I should charge for such a valuable program but I will keep it free for as long as I can.

    I hope you can appreciate what I have here and see how my boldness in offering a "fix" that others have not offered is a good thing.

    Aloha, Eli

Topic Closed
