I’m working on an Anti-Malware plugin for WordPress.

Posted on February 23, 2012 by Eli Scheetz

I haven’t posted anything this whole month because one of my servers got hacked and I’ve spent the last three week working on a new plugin to scan and remove malicious software from my server.

It wasn’t enough for me to just remove the hack. I had to make sure it wouldn’t come back and because it was such a widespread exploit I thought it would be good to release a plugin for other website admins to check their site for themselves.

I looks like my infestation of nasty scripts came in through a vulnerability in an older version of timthumb.php. Apparently any version older that 2.0 can be used to place a file on the server. If that file is a back-door of some kind then the person who put it there could have full access to your server.

I’m still testing and working out the kinks in my security scanner but it should be ready soon…

Download of GOTMLS from WordPress.org

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Globals Profiler (1,017.82 ms) SQL (90 queries in 16.00 ms) Errors (0) Toggle Close

$_GET = array (
);

$_POST = array (
);

$_COOKIE = array (
);

$_SESSION = array (
  'GOTMLS_SESSION_LAST' => 0,
  'GOTMLS_SESSION_TIME' => 1701517736.475516,
  'GOTMLS_detected_attacks' => '',
  'GOTMLS_login_attempts' => 0,
);

$_SERVER = array (
  'SERVER_SOFTWARE' => 'Apache',
  'REQUEST_URI' => '/im-working-on-an-anti-malware-plugin-for-wordpress/',
  'CONTEXT_DOCUMENT_ROOT' => '/home/elijah/sites/wordpress.ieonly.com/public_html',
  'CONTEXT_PREFIX' => '',
  'DOCUMENT_ROOT' => '/home/elijah/sites/wordpress.ieonly.com/public_html',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'HTTP_ACCEPT_ENCODING' => 'br,gzip',
  'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
  'HTTP_AUTHORIZATION' => '',
  'HTTP_CONNECTION' => 'Keep-Alive',
  'HTTP_HOST' => 'wordpress.ieonly.com',
  'HTTP_IF_MODIFIED_SINCE' => 'Sun, 28 May 2023 19:19:21 GMT',
  'HTTP_USER_AGENT' => 'CCBot/2.0 (https://commoncrawl.org/faq/)',
  'PATH' => '/bin',
  'PERL5LIB' => '/usr/share/awstats/lib:/usr/share/awstats/plugins',
  'QUERY_STRING' => '',
  'REDIRECT_HTTP_AUTHORIZATION' => '',
  'REDIRECT_PERL5LIB' => '/usr/share/awstats/lib:/usr/share/awstats/plugins',
  'REDIRECT_STATUS' => '200',
  'REDIRECT_UNIQUE_ID' => 'ZWsZqMdlohWMUQGaeFjZswAAAIE',
  'REDIRECT_URL' => '/im-working-on-an-anti-malware-plugin-for-wordpress/',
  'REMOTE_ADDR' => '44.220.249.141',
  'REMOTE_PORT' => '58686',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_SCHEME' => 'http',
  'SCRIPT_FILENAME' => '/home/elijah/sites/wordpress.ieonly.com/public_html/index.php',
  'SCRIPT_NAME' => '/index.php',
  'SERVER_ADDR' => '158.69.23.200',
  'SERVER_ADMIN' => 'root@localhost',
  'SERVER_NAME' => 'wordpress.ieonly.com',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.1',
  'SERVER_SIGNATURE' => '',
  'UNIQUE_ID' => 'ZWsZqMdlohWMUQGaeFjZswAAAIE',
  'dont_vary' => '1',
  'no_gzip' => '1',
  'PHP_SELF' => '/index.php',
  'REQUEST_TIME_FLOAT' => 1701517736.459827,
  'REQUEST_TIME' => 1701517736,
);

Profiler Initiaded	0.0000 ms	37461 kB
Profiler Noise	0.0041 ms	37461 kB
Profiler Stopped	1,017.8161 ms	96026 kB

0.2580 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_nonce_array' LIMIT 1;`
0.1419 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_definitions_array' LIMIT 1;`
0.1538 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_scan_log/1701517736.5889' LIMIT 1;`
0.2310 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'at_options' LIMIT 1;`
0.1121 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_edit_links_calypso_redirect' LIMIT 1;`
0.1431 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'uninstall_plugins' LIMIT 1;`
0.2680 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_allow_tracking' LIMIT 1;`
0.1671 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'as_has_wp_comment_logs' LIMIT 1;`
0.1340 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_connection_xmlrpc_verified_errors' LIMIT 1;`
0.1318 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_sync_error_idc' LIMIT 1;`
0.1330 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'classic-editor-allow-users' LIMIT 1;`
0.1199 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'classic-editor-replace' LIMIT 1;`
0.1230 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_excluded_extensions' LIMIT 1;`
0.1769 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_navigation_enabled' LIMIT 1;`
0.0858 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_settings_enabled' LIMIT 1;`
0.1130 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_show_marketplace_suggestions' LIMIT 1;`
0.1171 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_myaccount_view_subscriptions_endpoint' LIMIT 1;`
0.0970 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_account_data' LIMIT 1;`
0.0858 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_wcpay_feature_platform_checkout' LIMIT 1;`
0.1020 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_wcpay_feature_customer_multi_currency' LIMIT 1;`
0.1149 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_timeout_wcpay_currency_format' LIMIT 1;`
0.2072 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_wcpay_currency_format' LIMIT 1;`
0.1271 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_timeout_wcpay_locale_info' LIMIT 1;`
2.4369 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_wcpay_locale_info' LIMIT 1;`
0.1390 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_wcpay_feature_upe' LIMIT 1;`
0.1721 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_sync_non_blocking' LIMIT 1;`
0.2410 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wc_connect_debug_logging_enabled' LIMIT 1;`
0.1080 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wc_connect_debug_display_enabled' LIMIT 1;`
0.1371 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wc_connect_services' LIMIT 1;`
0.1259 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_setup_automated_taxes' LIMIT 1;`
0.1299 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'jetpack_connection_disabled_plugins' LIMIT 1;`
0.1760 [ms]	`SELECT * FROM wp_posts WHERE ID = 1676 LIMIT 1;`
0.1020 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_timeout_wcs_do_subscriptions_exist' LIMIT 1;`
0.0970 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_wcs_do_subscriptions_exist' LIMIT 1;`
0.1709 [ms]	`SELECT ID FROM wp_posts WHERE post_type = 'shop_subscription' LIMIT 1;;`
0.0982 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'webpc_settings' LIMIT 1;`
0.1209 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'webpc_token_data' LIMIT 1;`
0.2050 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'medium_crop' LIMIT 1;`
0.1390 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'medium_large_crop' LIMIT 1;`
0.1512 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'large_crop' LIMIT 1;`
0.1271 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_thumbnail_cropping' LIMIT 1;`
0.1311 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_retrieval_error' LIMIT 1;`
0.1202 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_cached_currencies' LIMIT 1;`
0.0839 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_enabled_currencies' LIMIT 1;`
0.1462 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_price_charm_usd' LIMIT 1;`
0.0849 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_price_rounding_usd' LIMIT 1;`
0.0539 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_exchange_rate_usd' LIMIT 1;`
0.0851 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'wcpay_multi_currency_enable_auto_currency' LIMIT 1;`
0.0801 [ms]	`SELECT zone_id, zone_name, zone_order FROM wp_woocommerce_shipping_zones order by zone_order ASC, zone_id ASC;;`
0.0789 [ms]	`SELECT location_code, location_type FROM wp_woocommerce_shipping_zone_locations WHERE zone_id = 0;`
0.0799 [ms]	`SELECT method_id, method_order, instance_id, is_enabled FROM wp_woocommerce_shipping_zone_methods WHERE zone_id = 0;`
0.0861 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_flat_rate_settings' LIMIT 1;`
0.0808 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_free_shipping_settings' LIMIT 1;`
0.0808 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_international_delivery_settings' LIMIT 1;`
0.0808 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_local_delivery_settings' LIMIT 1;`
0.0801 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_local_pickup_settings' LIMIT 1;`
0.0570 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_timeout_doing_cron' LIMIT 1;`
0.0839 [ms]	`SELECT option_value FROM wp_options WHERE option_name = '_transient_doing_cron' LIMIT 1;`
0.5739 [ms]	INSERT INTO `wp_options` (`option_name`, `option_value`, `autoload`) VALUES ('_transient_doing_cron', '1701517736.9492609500885009765625', 'yes') ON DUPLICATE KEY UPDATE `option_name` = VALUES(`option_name`), `option_value` = VALUES(`option_value`), `autoload` = VALUES(`autoload`);
0.3791 [ms]	`SELECT ID, post_name, post_parent, post_type FROM wp_posts WHERE post_name IN ('im-working-on-an-anti-malware-plugin-for-wordpress') AND post_type IN ('page','attachment') ;`
0.2959 [ms]	`SELECT wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_name = 'im-working-on-an-anti-malware-plugin-for-wordpress' AND wp_posts.post_type = 'post' ORDER BY wp_posts.post_date DESC ;`
0.3362 [ms]	`SELECT DISTINCT t.term_id, tr.object_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category', 'post_tag', 'post_format') AND tr.object_id IN (268) ORDER BY t.name ASC ;`
0.2041 [ms]	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id IN (44,16,52,108);`
0.1640 [ms]	`SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (268) ORDER BY meta_id ASC;`
0.1531 [ms]	`SELECT meta_id FROM wp_shareable_meta WHERE meta_type = 'REMOTE_ADDR' AND meta_value = '44.220.249.141';`
0.1230 [ms]	`SELECT meta_id FROM wp_shareable_meta WHERE meta_type = 'HTTP_USER_AGENT' AND meta_value = 'CCBot/2.0 (https://commoncrawl.org/faq/)';`
0.1571 [ms]	`SELECT meta_id FROM wp_shareable_meta WHERE meta_type = 'HTTP_REFERER' AND meta_value = '';`
0.1290 [ms]	`SELECT meta_id FROM wp_shareable_meta WHERE meta_type = 'REQUEST_URI' AND meta_value = '/im-working-on-an-anti-malware-plugin-for-wordpress/';`
0.4110 [ms]	INSERT INTO wp_shareable_hits (`MONTH_OF`, REMOTE_ADDR, HTTP_USER_AGENT, HTTP_REFERER, REQUEST_URI, last_view, wp_user, hit_count) VALUES ('2023-12', 46447, 7541, 16079, 315, '2023-12-02 11:48:57', 0, 1) ON DUPLICATE KEY UPDATE last_view = '2023-12-02 11:48:57', wp_user = 0, hit_count = hit_count + 1;
0.0780 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_cart_page_id' LIMIT 1;`
0.0610 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_checkout_page_id' LIMIT 1;`
0.0889 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_myaccount_page_id' LIMIT 1;`
0.1009 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'sharedaddy_disable_resources' LIMIT 1;`
0.1111 [ms]	`SELECT * FROM wp_posts WHERE ID = 1677 LIMIT 1;`
0.0870 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'site_logo' LIMIT 1;`
0.0951 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'woocommerce_demo_store' LIMIT 1;`
0.1421 [ms]	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id = 105;`
0.3102 [ms]	`SELECT wp_posts.* FROM wp_posts LEFT JOIN wp_term_relationships ON (wp_posts.ID = wp_term_relationships.object_id) WHERE 1=1 AND ( wp_term_relationships.term_taxonomy_id IN (108) ) AND wp_posts.post_type = 'nav_menu_item' AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.menu_order ASC ;`
0.3159 [ms]	`SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (620,623,624,626,628,629) ORDER BY meta_id ASC;`
0.1669 [ms]	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id IN (103,21,84,35);`
0.1550 [ms]	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id = 22;`
0.2279 [ms]	`SELECT DISTINCT t.term_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category') AND tr.object_id IN (268) ORDER BY t.name ASC ;`
0.2971 [ms]	`SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE user_id IN (1) ORDER BY umeta_id ASC;`
0.1309 [ms]	`SELECT * FROM wp_users WHERE ID IN (1);`
0.1760 [ms]	`SELECT p.ID FROM wp_posts AS p WHERE p.post_date < '2012-02-23 19:09:39' AND p.post_type = 'post' AND p.post_status = 'publish' ORDER BY p.post_date DESC LIMIT 1;`
0.1500 [ms]	`SELECT * FROM wp_posts WHERE ID = 247 LIMIT 1;`
0.1662 [ms]	`SELECT p.ID FROM wp_posts AS p WHERE p.post_date > '2012-02-23 19:09:39' AND p.post_type = 'post' AND p.post_status = 'publish' ORDER BY p.post_date ASC LIMIT 1;`
0.1361 [ms]	`SELECT * FROM wp_posts WHERE ID = 265 LIMIT 1;`
0.2780 [ms]	`SELECT SQL_CALC_FOUND_ROWS wp_comments.comment_ID FROM wp_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 268 AND comment_parent = 0 AND comment_type != 'order_note' AND comment_type != 'webhook_delivery' ORDER BY wp_comments.comment_date_gmt ASC, wp_comments.comment_ID ASC ;`
0.0830 [ms]	`SELECT option_value FROM wp_options WHERE option_name = 'akismet_comment_nonce' LIMIT 1;`

Eli's WordPress Blog

My WordPress Plugins, and other stuff.

I’m working on an Anti-Malware plugin for WordPress.

Leave a Reply Cancel reply