[Plugin: Get Off Malicious Scripts (Anti-Malware)] Is this plugin grabbing information from my site?

Whoa there buddy…

First of all I am not hiding any code anywhere. This is an open source plugin written specifically to help other find “hidden” malicious code on their sites. I would appreciate it if you didn’t start slandering my plugin before you know what it does. The index.php file in the images directory performs many important tasks:

1. It downloads new definition files for you.
2. It checks your admin page after an automatic fix
3. It can undu an automatic fix if that fix broke you admin
4. Help prevent others from seeing a list of file in that directory

Now, I will try and answer all your other questions by explaining the registration process. First, when you go to the setting page for Anti-Malware in your wp-admin, if you have not yet registered, you will see a registration for on the right-sidebar. This form is pre-populated with information from your WP DB to make it easy for you to register but it is all changeable prior to submission. The Installation Key is auto-generated using info unique to each site you it should be different on each site. When you submit this form to my site I am then collection that data, creating a user for you on gotmls.net, and then yes, I am storing your registration information. I then match your key when my plugin checks for definition updates to make sure you are a registered user.

That’s it, so if you have any other questions or concerns please let me know.

Aloha, Eli

Ok, I have two sites A and B. I added the plugin to A and got a installation key.

I now go to B and add the plugin and activate it – oh look, there is the installation key from site A.

So where is the installation key stored? Is it stored on my site? in the DB? in a file?

Can you please email me some details?

What are the two domains and the keys for each one.

DO NOT POST THAT INFO HERE.

email this info to: registrations at gotmls dot net

I’ll be happy to, but you still haven’t answered my basic question.
where is the installation key stored?

In the first post I said “When you submit this form to my site I am then collection that data, creating a user for you on gotmls.net, and then yes, I am storing your registration information”.
To summarize, I am storing your key on gotmls.net with your use registration. I can give you a lot more information that may help you if you give me your registration detail but I don’t want any personal info posted here so please email me or leave a comment on gotmls.net/members/

You may be a very nice person trying to give back to the community, but I see some issues, so let me see if I have this correct.

1) When anyone register for a key, the key is stored on your site, not theirs.
2) Each time they go to the ‘Anti-Malware’ option, requests are sent to both ‘wordpress.ieonly.com’ and ‘gotmls.net’ under the covers
3) the site admin has no control over this.
4) the site admin can’t delete the key since it is not stored on their site.
5) the site admin has no idea what information you might be collecting

looking at things this way, I am very suspicious – sorry but with all the malware and hacking going on in wordpress sites, thats the way I am.

So can you convince me or anyone else that we should trust this plugin?

Juggledad – did you install a fresh copy of the plugin or, liked do when I’m lazy, copy it over from Site A?

Eli – if you can elaborate on where the registration info is stored, that would be great. I THINK you’re saying “I keep a record on gotmls.com with your ID/Email and the code.” which is fine, but in light of a user having it AUTO inserted into a site, it is something we should double check. You don’t have to use user IDs to explain how it works ??

FWIW, phoning home is fine, IF there’s a justifiable reason for it. Of course you have to send proof of ownership to verify a license, BUT unless that license is being used for an API of sorts, or acces to paid content, it could be an issue.

What is this GotMLs doing that requires a user ID/key setup?

first time I did a copy, then I created a new site and put in a fresh copy.

Fresh from the plugin page?

Eli, in doing a quick read-through of the plugin, there are some … hinky things.

Nowhere in your plugin page do you say there’s a need for registration. That must be explicitly clear so people know what they’re getting into. If people have to register and get a key, put that in the Installation notes at the very least.

It does send an email on error. You should take that out. Emailing without explicit permission is a little shady:
https://plugins.trac.www.ads-software.com/browser/gotmls/trunk/index.php?rev=528278#L78

The .images/index.php file has a call to ‘update’ definitions. So these definitions are being pulled down from your server and updated on the user? How is this going to handle plugin updates (which delete that folder). Why, if the file’s just being downloaded anyway, did you not just include it in the plugin?
https://plugins.trac.www.ads-software.com/browser/gotmls/trunk/images/index.php?rev=528278#L95

/images/tt2.php looks like it’s just a copy of the timthumb file. I take it you’re putting it there to ‘replace’ if you find an old version of TimThumb? I’d advise against that, since timthumb has been yanked from the WP theme repo and, like as not, may be pulled from plugins. Just check for it and tell them WHERE to get the latest and greatest. Also you’re not using the latest version. https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php

Ipstenu,
My Plugin can be used out-of-the-box and without registration to find files on your server that use eval() code. Only if you register do you get definitions for “known threats” that I have personally identified before. You can then automatically remove these “known threat” from the files they have infected. Because I have worked very had on this automatic removal and because it has the potential to remove code that may result in a broken site I find it essential that I only offer this feature to registered users who have already shown the initiative to follow through and make personal contact with me (my site).

I have considered charging for registration but I still consider this plugin BETA and want to work out the kinks first. There is also the possibility that I could receive enough donations to stay afloat without ever charging (it’s a dream, but It could happen).

To address your concerns about “hinky things”:

1. I will make it explicitly clear, in the Installation notes at the very least, the benefits of registering on my external site gotmls.NET (not .com).
2. The mail() line is in the function GOTMLS_debug() which is not being called anywhere in the released version. I only use that for pre-release debugging, but I will rem it out in future releases.
3. The definitions can be updated from a file but the updates are now being stored in the DB so they will not be lost.
4. Yes, tt2.php is a copy of the timthumb version 2.8 file. This was an essential step in patching my own server when it was hacked. I did initially use the latest version but my host (BlueHost) started overwriting my newer timthumbs with version 2.8, so I just started using 2.8 to replace anything under 2.0 (as it is 1.x versions that are exploitable). I will look into a better solution here but for now this seems to work best as there are still a lot of vulnerable timthumb 1.x out there.

I will release a new version of my plugin soon to address these issues.

Aloha, Eli

juggledad,

I understand you are very suspicious, as am I. My reputation is important to me as you can see from the quality and care I put into my work and my willingness to be contacted directly at many levels. I am not an anonymous blip on the internet. You have my email and URLs. You can read my personal blog, about my work, about my family.

I have offered to help you with your issue. You have yet to make that personal contact. You are the anonymous one. I wrote this plugin to cleanup my BlueHost account after it got hacked. It was a lot of work and it is an invaluable asset to me. So I fixed it up nice and released it for others to use (for free).

When it comes to trust it’s up to you. I myself have been trust-passed on in many different way by many different people and even large corporations. I judge a trust a person based on my interaction with that person. If you took the initiative to mate personal contact with me I’m sure you would come to trust me as all my friends and clients do. But it is up to you to make that small leap of faith. I feel that I have explained and justified every aspect of my plugin that you and Ipstenu have scrutinized. I offer this plugin pure intentions and the utmost trust in other to download and use it for their own good. Take it or leave it. The decisions of trust can only be your’s.

“I can only show you the door, you must be the one to walk through it.” ??

I would like to get an email from you so that I can figure out if there really is a “duplicate key” issue. If there is, your’s is the first I’ve heard of it, and I would like to get it fixed so that it doesn’t happen again.

Mahalo, Eli

FWIW, Beta or not, you released it into the wild, you gotta be clear on what it is, what it does, what it doesn’t, and what support there is ??

BTW, I’m wearing my Moderator Hat in this thread, with my ‘Plugin Monitor’ armband. I’m not about to yank your plugin from the repo, there were just oddities that caught my eye.

My Plugin can be used out-of-the-box and without registration to find files on your server that use eval() code. Only if you register do you get definitions for “known threats” that I have personally identified before.

Cool. Make that clear then.

The definitions can be updated from a file but the updates are now being stored in the DB so they will not be lost.

Hmm. So you pull the definitions from your website, only if you’ve registered? Did I get that right? That’s an edge case, but I think it falls within the reasonable usage of a phone-home (you’re not gathering information, you’re just pulling down new defs). The DB is a good place for that ??

Bluehost and TimThumb is part of why I say this probably shouldn’t be in your plugin. When the TimThumb exploit happened, VaultPress updated everyone’s sites. This would impact your plugin: https://blog.vaultpress.com/2011/08/04/712-fewer-vulnerable-timthumb-scripts/

Basically, given the nature of THAT hack, it or anything like it will be dealt with best by the hosts or the user being told.

Ipstenu,

I understand and appreciate you input and your role here.

My own sense of responsibility mandates me to only release my definition updates to registered users. These updates enable automatic removal of “known threat” and that comes with a certain amount of risk. If my plugin brakes someone site by removing required code from a script I what a pre-established relationship with this person so that they may more easily and readily contact me for support. I have already had many comments on my site by registered users that I have responded to and, in some cases release upgrade/updates for. I even granted the request of a registrant, who said he was just testing my plugin, and completely removed his account from my server.

As for timthumb, it is great that the vulnerabilities are being addressed by some hosts but old versions are still widespread and my technique for patching them is still effective and crucial. My plugin updated hundreds of old timthumb files across many site on all my servers and hosting accounts before any host had taken any steps to correct it. As long as this code as a chance of doing some good for some people I will leave it in. It certainly doesn’t do any harm to have it check for this vulnerability.

Mahalo for your time in this, Eli

Sure, that makes sense and that’s why I said it’s an edge case, but I think it’s acceptable ?? Totally understandable to want to keep definitions out of the hands of a quick scan, and make it easier to update without spamming the hell out of everyone with plugin updates.

I can’t say for sure if plugins with timthumb will be yanked from the repo (IMO, they should be, since we don’t permit themes with it anymore). Detection is fine, including would be a vulnerability issue (since, if that version you have has a hole, you’ve just introduced one by accident). But I thought, since you’ve got it, I should probably mention it ?? Other similar plugins just scan for a reason. THEY no longer have to worry about maintaining.

If anything, I’d change it to detect and pull from source, not your plugin. Hook it up to the official google code repository.

Other similar plugins just scan for a reason. THEY no longer have to worry about maintaining.

Sorry, I don’t understand, what do you mean by this?