Eli

In the latest plugin release, version 4.23.69, there is now an setting on the Firewall Options to hide the Brute-Force Protection logo on the login page.

It turns out that this is not actually a problem with IIS or the Windows server, but rather something else on this website that is not allowing the posting of arrays. As I have a couple of circumstances that require submitting array variable, I have inserted workaround for this issue in my latest plugin release. You can now click on the little red X button to close/remove the array options on the settings page that would have otherwise prevented you from saving or scanning. Also, if threats are found and the Auto Fix form will not post that array of files to be fixed, you can click a new button to Go Back and Try Again which will change the form method from POST to GET. This seems to work around the issue of not being able to POST arrays, at least until you can figure out what is preventing you from posting array in the first place.

Just following up here…

Since the last response to my issue reported at https://github.com/Neo23x0/signature-base/issues/317 as that should be a matter of how your hosting provider was using their signatures and the Yara scanner developers are not taking responsibility for this False Positive, I had simply removed or changed all the code in my plugin that they were detecting so that it will not be a problem any more.

Please let me know if you still have any issues with your hosting provider flagging any files in my plugin.

Thanks for reporting this error. I will not prevent the plugin from finding treats, it will only bypass the custom whitelist (if you have whitelisted any file), but I will have this fixed in my next release.

If you want to fix this in your current copy you would only need to change the table name wp_posts to $wpdb->posts in the query on line 116 of wp-content/plugins/gotmls/safe-load/trace.php

Thanks for posting this feedback, and sorry if this change was a bit of a surprise. I did make a lot of changes to improve the Brute-Force Login Protection in this latest release. This was an intentional change to have the spinning GOTMLS logo now cover the login fields while performing the JavaScript SESSION Check. Though it might not stay visible long enough to read , it says “Checking for Session …” and then disappears to reveal the login form. This is similar to other Human checks and CAPTCHA loading screens but I know it is a new and unexpected change to the visual presentation of this security feature. Please let me know if you have any suggestions on how to make it better.

You don’t have to keep Wordfence but it doesn’t hurt to have both installed. The more protection you have, the better off you will be.

Wow! It’s been years since I have seen my plugin running on a Windows server. I know it used to work fine on IIS and I’m not sure what might have changed but I’d love to have opportunity to help you figure out why it’s not working and fix it so that it will once again work on a Windows IIS server.

Can you please send me the relevant entries from your error_log files which will have the detailed error messages and point me to the code that is causing this issue?

You can email those files directly to me if you don’t want to post them on this public forum:

eli AT gotmls DOT net

Thanks but I got in touch with them directly and they finally gave me the details I needed to get to the bottom of this. They are using the Yara scanner with signatures from this github account:

https://github.com/Neo23x0/signature-base

These signatures contain a very vague regex pattern that will match a lot of False Positives. So, I have reported this False Positive issue here but have not gotten a response yet:

https://github.com/Neo23x0/signature-base/issues/317

You can rest assured that this is in fact a False Positive, and there is not real threat in those files. I will let you know when I have a response or any solution to this issue.

It would actually be great if you could ask them what scanner they are using that is telling them that my plugin is infected or malicious, because the file you posted here is neither. I my plugin is come up as a False Positive in their software then I need to know what software that is and get that corrected so they stop slandering my good plugin.

You can also make then aware of this mistake and ask them to contact my directly to help get this resolved more quickly. My direct email is:

eli AT gotmls DOT net

The file you posted is not corrupt. the indexinfect.txt file is an exact match for the direct repository download. Are you sure that this text file is an exact copy of the files scanned?

Can you please tell me what software you were using on your server to scan these files?

Did it provide any other details about the corruption?

Thank you for reporting this issue. I would very much like to help you figure out what is causing this issue on your site but I will need more information to find the source of this problem you are having.

Can you please tell me if this happens when you first visit the settings page or only when you try to scan or save the settings (or any kind of form post to this page)?

Can you view the other two pages under this one (Firewall Options and View Quarantine)?

Can you please check the error_log files on your server to see if there is any explanation of this error that might help us determine the cause?

Do you have any other websites on this server or others that may or may not be having the same issue?

Any other relevant details about when this issue started and what you have already tried might be very useful. Please let me know what you find, especially in your error_log files, and I’m sure we can quickly get to the bottom of this and find a solution.

New malware is constantly being created and released, so I need to release frequent definition updates that will identify and remove these new threats. Because these definition contain text fragments of malicious code which is to be found and removed the definitions themselves are encoded and updated directly from my server rather than being built into my plugin. Therefore, I require that each user register their site with a unique key on my server to download these frequent definition updates into the scanner before running the complete scan. That way my plugin can be most effective at finding and removing the newest Known Threats out there.

I do encourage donations to support my continued work on this project and offer some premium features for these contributions but I am dedicated to keeping the core functionality of this plugin free and available to all those in need of malware removal.

This is flat out not true. You do not need to pay anything for my plugin to repair Known Threats that are found after you have downloaded the “FREE” definition updates.

In the future please try asking for support before you write a review. As you can see from nearly all of my other reviews, my plugin not only works great for most people, but many rave about the superb support I offer for my free plugin to anyone who bothers to ask for help.

I’m an terribly sorry if the proper usage of my plugin was not clear enough for you to find the definition updates and run the fully functional scan and automatic fix feature. Perhaps if you are willing to contact me directly for support then we can work together so that I can understand how to make it clearer how to use my free plugin to remove Known Threat. Hopefully I can also help clarify that point for you so that you too can use my plugin for FREE to clean any infected files you might have on your site.

You can email me directly if you like: eli AT gotmls DOT net

Yeah, I’m not sure where you are seeing that but that is not enough information to help diagnose the cause of this issue.

The error_log files will have detailed information about what script was being executed when the error was triggered and usually even points to what line of code triggered this error. That is what we need to see.

A 406 error generally mean “Not Acceptable”, which does indicate that your server is blocking the request for some reason. Hopefully your error_log file will have more info but you could also ask your hosting provider about this to see if there is some reason that they would be blocking this URL from Posting the update data to your website.

Sure, anything is possible, but I don’t think that litespeed has anything directly to do with the problem you are having. It is most likely a conflict with some other code on your site, or a restriction on the server that is preventing certain URLs, or else a configuration issue. But the only way to be sure of what the problem is and figure out what is causing it is to find the relevant error in the error_log files.