• Resolved toomanyairmiles

    (@toomanyairmiles)


    Around a week ago Wordfence started flagging up a file in my W3TC object cache as having ‘Suspicious eval with base64 decode..’, scans with GOTMLS also flag the files as being a backdoor script – the files look suspicious as they make reference in plaintext to viagra and cialis (see below). After some investigation it transpires that both GOTMLS and Wordfence are flagging a cached version of the wp_options table as suspicious and the concerning text is actually GOTMLS OWN FIREWALL RULES!

    keyspat viagra cialis";a:2:{i:0;s:5:"D1ON3";i:1;s:120:"/error_reporting\(0\);[ \t\r\n]+\$keyspat[= \t]+array\([ \t\r\n]*(['"](viagra|amoxicillin|cialis)['"][ \t\r\n,]+){2}.+/s";}s:18:"eval REQUEST alone";a:2:{i:0;s:5:"F4PLP";i:1;s:162:"/<\?[ph\s]+((\$[a-z\_0-9]+)\s*=\s*\$

    Please do something about this – at the very least make a post on a website about it – I spent the weekend hunting for an infection in 33 websites that actually turned out to be my own anti-malware solution detecting itself.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Eli

    (@scheeeli)

    I have mentioned many times the dangers and disadvantages of caching plugins; my advice is always to turn off caching and delete your cache file before scanning (I have also suggested omitting the cache folder from the scans, but that is not a great long-term solution). Perhaps I should write an article on the subject of caching, but it is an immense subject on which I have many beliefs that are unpopular with the caching community. I feel it would open a can of worms and begin an uphill battle.

    I learned long ago not to store my definitions in files because the filesystem was also being scanned by other security plugins and anti-virus software installed by the server admins at the host level, and my definitions have enough keywords in them to be flagged as suspicious at the least. That is why I stopped putting the definitions for my plugin on the filesystem. You have seen that it is not just my plugin that flags this cache file but others like Wordfence also flag it, so the real problem here is that it is being written to the disk as a plain-text file.

    That said, the snippet you have posted here is not detected as any kind of threat by any of my current definitions. Can you send me the whole cache file or post the whole highlighted threat that was detected by my plugin?

    Plugin Author Eli

    (@scheeeli)

    The newest version of my plugin that I have just released now stores the definitions in an encoded blob so that your cached database records will not have any of those keywords in them that might be matched by any anti-malware software.

    Please download the latest release and let me know if that works (don’t forget to clear any existing DB cache).
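The fix described in this reply (definitions kept as an encoded blob so that a disk-cached copy of wp_options no longer carries the keywords other scanners match on) can be reproduced with a small model. The following is an added Python example, not GOTMLS or W3 Total Cache code: the definition patterns, the keyword heuristics, the cache-file layout and the blob format are all constructed for illustration, since the plugin's real formats are not shown in the thread.

```python
"""Added example: why a filesystem scanner can flag a disk-cached copy of its own
definitions, and why storing them as an encoded blob stops the self-match.
Everything here is constructed for illustration; none of it is plugin code."""
import base64
import re
import tempfile
from pathlib import Path

# Constructed definition set: rule name -> regex source (not real GOTMLS rules).
DEFINITIONS = {
    "eval base64 payload": r"eval\s*\(\s*base64_decode\s*\(",
    "keyspat pharma array": r"""\$keyspat\s*=\s*array\(\s*['"](viagra|amoxicillin|cialis)['"]""",
}

# Constructed keyword prefilter of the kind scanners run before full regexes; the
# first label is modelled on the Wordfence message quoted in the thread.
KEYWORD_HEURISTICS = {
    "Suspicious eval with base64 decode": ("eval", "base64_decode"),
    "Pharma spam keywords": ("viagra", "cialis"),
}


def php_serialize(value):
    """Minimal PHP serializer for str and dict[str, str]: the shape a disk-backed
    object cache writes for a wp_options row. Lengths are byte counts, as in PHP."""
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize_str_dict(text):
    """Parse the a:{...} of strings emitted by php_serialize(). PHP serialization
    does not escape quotes inside strings, so the declared byte length is used."""
    data = text.encode("utf-8")
    pos = 0

    def read_string():
        nonlocal pos
        m = re.match(rb's:(\d+):"', data[pos:])
        if not m:
            raise ValueError(f"expected string at offset {pos}")
        start = pos + m.end()
        end = start + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {end}")
        pos = end + 2
        return data[start:end].decode("utf-8")

    m = re.match(rb"a:(\d+):\{", data)
    if not m:
        raise ValueError("expected array")
    pos = m.end()
    result = {}
    for _ in range(int(m.group(1))):
        key = read_string()
        result[key] = read_string()
    if data[pos:pos + 1] != b"}":
        raise ValueError("bad array terminator")
    return result


def encode_definitions(definitions):
    """Pack the whole definition set into one opaque base64 blob (assumed format)."""
    return base64.b64encode(php_serialize(definitions).encode("utf-8")).decode("ascii")


def decode_definitions(blob):
    """Inverse of encode_definitions(): the scanner still gets usable patterns."""
    return php_unserialize_str_dict(base64.b64decode(blob).decode("utf-8"))


def write_cache(path, definitions, encoded):
    """Persist the option either as a plaintext structure or as an encoded blob."""
    record = {"definitions_blob": encode_definitions(definitions)} if encoded else definitions
    Path(path).write_text(php_serialize(record), encoding="utf-8")


def scan_file(path):
    """Labels a keyword-plus-regex scanner would raise on this file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = [label for label, words in KEYWORD_HEURISTICS.items() if all(w in text for w in words)]
    hits += [name for name, pat in DEFINITIONS.items() if re.search(pat, text, re.S)]
    return hits


def demo():
    """Scan both cache layouts. Returns (plaintext_hits, encoded_hits, roundtrip_ok)."""
    with tempfile.TemporaryDirectory() as d:
        plain, enc = Path(d) / "options_plain.cache", Path(d) / "options_encoded.cache"
        write_cache(plain, DEFINITIONS, encoded=False)
        write_cache(enc, DEFINITIONS, encoded=True)
        plain_hits, enc_hits = scan_file(plain), scan_file(enc)
        blob = php_unserialize_str_dict(enc.read_text(encoding="utf-8"))["definitions_blob"]
        roundtrip_ok = decode_definitions(blob) == DEFINITIONS
    return plain_hits, enc_hits, roundtrip_ok


if __name__ == "__main__":
    plain_hits, enc_hits, ok = demo()
    print("plaintext cache flagged as:", plain_hits)
    print("encoded cache flagged as:", enc_hits)
    print("definitions recovered from blob:", ok)
```

Running it shows the plaintext cache tripping both keyword heuristics purely because the definition text contains the trigger words, while the encoded cache trips nothing and still decodes to the identical pattern set. The round trip is the part worth checking in a real deployment: the encoding only helps if the scanner can still read its own rules back. Excluding the cache directory from scans, as mentioned earlier in the thread, remains a sensible fallback for any scanner whose heuristics look at encoded blobs.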

    Thread Starter toomanyairmiles

    (@toomanyairmiles)

    Hi Eli,

    Thanks for responding so quickly. I apologise for not thanking you for your hard work in the first post; I had just had a very frustrating/worrying two days over this. I do find your plugin very useful as it often detects things that other security plugins don’t – I have also donated.

    The update worked perfectly: GOTMLS no longer flags the object cache as a backdoor script and Wordfence also no longer flags it as suspicious.

    RE: Caching, I understand your feelings on this, but when, as I am, you’re running sites with >200k visitors a month, caching is a reality you can’t escape. I’m running Redis, Varnish, Zend Opcode, Cloudflare, and a CDN on some sites and I need a plugin on the WordPress end of things to coordinate all of that, otherwise you can spend hours emptying caches. W3 Total Cache does that job nicely and offers other benefits like object and database caching which help to mitigate load on the server.

  • The topic ‘GOTMLS flagging it’s own firewall rules as a backdoor script’ is closed to new replies.