Anti-Malware Security and Brute-Force Firewall - Version 4.19.44

Version Description

  • Updated links to use HTTPS by default and fixed some old URLs.
  • Various performance improvements.
  • Added more error handling to the DB Scan.
  • Fixed a few minor bugs causing PHP Notices.
  • Fixed a path search to work on Windows servers.
  • Tweaked code for compatibility with WP 5.3 (latest release).

Release Info

Developer scheeeli
Version 4.19.44

Code changes from version 4.18.76 to 4.19.44

Files changed (4)
  1. images/index.php +95 -73
  2. index.php +63 -15
  3. readme.txt +16 -7
  4. safe-load/wp-login.php +1 -1
images/index.php CHANGED
@@ -95,7 +95,7 @@ if ((isset($_SERVER["HTTPS"]) && ($_SERVER["HTTPS"] == "on" || $_SERVER["HTTPS"]
95
  else
96
  $GLOBALS["GOTMLS"]["tmp"]["protocol"] = "http:";
97
  GOTMLS_define("GOTMLS_script_URI", preg_replace('/\&(last_)?mt=[0-9\.]+/i', '', str_replace('&', '&', GOTMLS_htmlspecialchars($_SERVER["REQUEST_URI"], ENT_QUOTES))).'&mt='.$GLOBALS["GOTMLS"]["tmp"]["mt"]);
98
- GOTMLS_define("GOTMLS_plugin_home", $GLOBALS["GOTMLS"]["tmp"]["protocol"]."//gotmls.net/");
99
 
100
  if (!function_exists("GOTMLS_encode")) {
101
  function GOTMLS_encode($unencoded_string) {
@@ -134,6 +134,17 @@ GOTMLS_define("GOTMLS_Scan_Settings_LANGUAGE", __("Scan Settings",'gotmls'));
134
  GOTMLS_define("GOTMLS_Loading_LANGUAGE", __("Loading, Please Wait ...",'gotmls'));
135
  GOTMLS_define("GOTMLS_Automatically_Fix_LANGUAGE", __("Automatically Fix SELECTED Files Now",'gotmls'));
136
 
 
 
 
 
 
 
 
 
 
 
 
137
  function GOTMLS_user_can() {
138
  if (is_multisite())
139
  $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"] = "manage_network";
@@ -178,7 +189,6 @@ GOTMLS_define("GOTMLS_siteurl", get_option("siteurl", $GLOBALS["GOTMLS"]["tmp"][
178
  $GLOBALS["GOTMLS"]["log"] = get_option('GOTMLS_scan_log/'.(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:"0.0.0.0").'/'.$GLOBALS["GOTMLS"]["tmp"]["mt"], array());
179
  if (!(isset($GLOBALS["GOTMLS"]["log"]["settings"]) && is_array($GLOBALS["GOTMLS"]["log"]["settings"])))
180
  $GLOBALS["GOTMLS"]["log"]["settings"] = $GLOBALS["GOTMLS"]["tmp"]["settings_array"];
181
-
182
  GOTMLS_define("GOTMLS_installation_key", md5(GOTMLS_siteurl));
183
  GOTMLS_define("GOTMLS_update_home", "//updates.gotmls.net/".GOTMLS_installation_key."/");
184
 
@@ -314,7 +324,7 @@ iframe {border: 0;}
314
  margin-top: 10px;
315
  }
316
  #main-page-title {
317
- background: url("'.$GLOBALS["GOTMLS"]["tmp"]["protocol"].'//gravatar.com/avatar/5feb789dd3a292d563fea3b885f786d6?s=64") no-repeat scroll 0 0 transparent;
318
  height: 64px;
319
  line-height: 58px;
320
  margin: 10px 0 0 0;
@@ -322,7 +332,7 @@ iframe {border: 0;}
322
  padding: 0 110px 0 84px;
323
  }
324
  #main-page-title h1 {
325
- background: url("'.$GLOBALS["GOTMLS"]["tmp"]["protocol"].'//gravatar.com/avatar/8151cac22b3fc543d099241fd573d176?s=64") no-repeat scroll top right transparent;
326
  height: 64px;
327
  line-height: 32px;
328
  margin: 0;
@@ -714,17 +724,6 @@ function select_text_range(ta_id, start, end) {
714
  } elseif (isset($_GET["no_error_reporting"]))
715
  @error_reporting(0);
716
 
717
- if (function_exists("plugins_url"))
718
- GOTMLS_define("GOTMLS_images_path", plugins_url('/', __FILE__));
719
- elseif (function_exists("plugin_dir_url"))
720
- GOTMLS_define("GOTMLS_images_path", plugin_dir_url(__FILE__));
721
- elseif (isset($_SERVER["DOCUMENT_ROOT"]) && ($_SERVER["DOCUMENT_ROOT"]) && strlen($_SERVER["DOCUMENT_ROOT"]) < __FILE__ && substr(__FILE__, 0, strlen($_SERVER["DOCUMENT_ROOT"])) == $_SERVER["DOCUMENT_ROOT"])
722
- GOTMLS_define("GOTMLS_images_path", substr(dirname(__FILE__), strlen($_SERVER["DOCUMENT_ROOT"])));
723
- elseif (isset($_SERVER["SCRIPT_FILENAME"]) && isset($_SERVER["DOCUMENT_ROOT"]) && ($_SERVER["DOCUMENT_ROOT"]) && strlen($_SERVER["DOCUMENT_ROOT"]) < strlen($_SERVER["SCRIPT_FILENAME"]) && substr($_SERVER["SCRIPT_FILENAME"], 0, strlen($_SERVER["DOCUMENT_ROOT"])) == $_SERVER["DOCUMENT_ROOT"])
724
- GOTMLS_define("GOTMLS_images_path", substr(dirname($_SERVER["SCRIPT_FILENAME"]), strlen($_SERVER["DOCUMENT_ROOT"])));
725
- else
726
- GOTMLS_define("GOTMLS_images_path", "/wp-content/plugins/update/images/");
727
-
728
  $GOTMLS_image_alt = array("wait"=>"...", "checked"=>"&#x2714;", "blocked"=>"X", "question"=>"?", "threat"=>"!");
729
  $GOTMLS_dir_at_depth = array();
730
  $GOTMLS_dirs_at_depth = array();
@@ -1019,7 +1018,7 @@ $GLOBALS["GOTMLS"]["tmp"]["debug_fix"]="errors";
1019
  $GLOBALS["GOTMLS"]["tmp"]["debug_fix"]="GOTMLS_fix";
1020
  if (GOTMLS_get_nonce()) {
1021
  if ($className == "timthumb") {
1022
- if (($source = GOTMLS_get_URL("http://$className.googlecode.com/svn/trunk/$className.php")) && strlen($source) > 500)
1023
  $GLOBALS["GOTMLS"]["tmp"]["new_contents"] = $source;
1024
  else
1025
  $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = "";
@@ -1187,71 +1186,94 @@ function GOTMLS_db_scan($id = 0) {
1187
  die(GOTMLS_html_tags(array("html" => array("body" => __("This record no longer exists.",'gotmls')."<br />\n<script type=\"text/javascript\">\nwindow.parent.showhide('GOTMLS_iFrame', true);\n</script>"))));
1188
  } else {
1189
  $threats_found = array();
 
1190
  if (!isset($_REQUEST["eli"]))
1191
  $and = " AND `post_status` != 'trash'";
1192
- foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"] as $scan_sql => $scan_regex) {
1193
- $SQL = preg_replace('/\{[a-f0-9]{64}\}/', '%', $wpdb->prepare("SELECT * FROM `$wpdb->posts` WHERE `post_content` LIKE %s $and", $scan_sql));
1194
- $threat_name = array_shift($scan_regex);
1195
- if (($found_row = $wpdb->get_results($SQL, ARRAY_A)) && is_array($found_row) && count($found_row)) {
1196
- $val = count($found_row);
1197
- if (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1198
- echo GOTMLS_return_threat("db_scan", "question", (print_r(array("scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("$val Rows", 0));//debug
1199
- foreach ($found_row as $frow) {
1200
- $encoded_id = GOTMLS_encode($frow["ID"].'.0');
1201
- $found = 0;
1202
- if ($frow["post_type"] != "revision" || isset($_REQUEST["eli"])) {
1203
- $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = $frow["post_content"];
1204
- $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1205
- $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1206
- foreach ($scan_regex as $threat_definition)
1207
- $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1208
- if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1209
- $li_js = GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '.$frow["post_type"]."(".(($frow["post_status"]=='inherit')?$frow["post_parent"]:$frow["post_status"]).'):"'.GOTMLS_htmlspecialchars($frow["post_title"]).'":'.$frow["ID"], '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["ID"].'.0', "db_scan"));
1210
- //if (isset($_REQUEST["eli"]))
1211
- echo str_replace($frow["ID"].'</a>', '</a><a target="_blank" title="Open '.$frow["post_type"].'" href="'.admin_url(($frow["post_type"]=="revision")?'revision.php?revision='.$frow["ID"].'">View Revision: ':'post.php?action=edit&post='.$frow["ID"].'">Edit '.$frow["post_type"].': ').$frow["ID"].'</a>', $li_js);
1212
- //else echo $li_js;
1213
- $threats_found['row_id_'.$encoded_id] = $threat_name;
1214
- } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1215
- echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1216
  }
1217
  }
1218
- }
1219
- if (($found_row = $wpdb->get_results(preg_replace('/\{[a-f0-9]{64}\}/', '%', $wpdb->prepare("SELECT * FROM `$wpdb->options` WHERE `option_value` LIKE %s", $scan_sql)), ARRAY_A)) && is_array($found_row) && count($found_row)) {
1220
- $val = count($found_row);
1221
- if (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1222
- echo GOTMLS_return_threat("db_scan", "question", (print_r(array("scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("$val Rows", 0));//debug
1223
- foreach ($found_row as $frow) {
1224
- $encoded_id = GOTMLS_encode($frow["option_id"].'.1');
1225
- $found = 0;
1226
- $opt_val = maybe_unserialize($frow["option_value"]);
1227
- if (is_array($opt_val)) {
1228
- $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1229
- $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1230
- foreach ($scan_regex as $threat_definition)
1231
- foreach ($opt_val as $GLOBALS["GOTMLS"]["tmp"]["file_contents"])
 
 
 
 
 
 
 
 
 
 
1232
  $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1233
- if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1234
- $li_js = GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '."$wpdb->options:".GOTMLS_htmlspecialchars($frow["option_name"]).'":'.$frow["option_id"].'.1', '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["option_id"].'.1', "db_scan"));
1235
- echo $li_js;
1236
- $threats_found['row_id_'.$encoded_id] = $threat_name;
1237
- } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1238
- echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
1239
- } else {
1240
- $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = $opt_val;
1241
- $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1242
- $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1243
- foreach ($scan_regex as $threat_definition)
1244
- $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1245
- if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1246
- $li_js = GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '."$wpdb->options:".GOTMLS_htmlspecialchars($frow["option_name"]).'":'.$frow["option_id"].'.1', '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["option_id"].'.1', "db_scan"));
1247
- echo $li_js;
1248
- $threats_found['row_id_'.$encoded_id] = $threat_name;
1249
- } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1250
- echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
1251
  }
1252
  }
1253
  }
1254
  }
 
1255
  }
1256
  }
1257
  }
@@ -1300,7 +1322,7 @@ function GOTMLS_decodeHex($encoded_string) {
1300
 
1301
  function GOTMLS_return_threat($className, $imageFile, $fileName, $link = "") {
1302
  global $GOTMLS_image_alt;
1303
- $fileNameJS = GOTMLS_strip4java(str_replace(dirname($GLOBALS["GOTMLS"]["log"]["scan"]["dir"]), "...", $fileName));
1304
  $fileName64 = GOTMLS_encode($fileName);
1305
  $li_js = "/*-->*"."/";
1306
  if ($className != "scanned")
95
  else
96
  $GLOBALS["GOTMLS"]["tmp"]["protocol"] = "http:";
97
  GOTMLS_define("GOTMLS_script_URI", preg_replace('/\&(last_)?mt=[0-9\.]+/i', '', str_replace('&amp;', '&', GOTMLS_htmlspecialchars($_SERVER["REQUEST_URI"], ENT_QUOTES))).'&mt='.$GLOBALS["GOTMLS"]["tmp"]["mt"]);
98
+ GOTMLS_define("GOTMLS_plugin_home", "https://gotmls.net/");
99
 
100
  if (!function_exists("GOTMLS_encode")) {
101
  function GOTMLS_encode($unencoded_string) {
134
  GOTMLS_define("GOTMLS_Loading_LANGUAGE", __("Loading, Please Wait ...",'gotmls'));
135
  GOTMLS_define("GOTMLS_Automatically_Fix_LANGUAGE", __("Automatically Fix SELECTED Files Now",'gotmls'));
136
 
137
+ if (function_exists("plugins_url"))
138
+ GOTMLS_define("GOTMLS_images_path", plugins_url('/', __FILE__));
139
+ elseif (function_exists("plugin_dir_url"))
140
+ GOTMLS_define("GOTMLS_images_path", plugin_dir_url(__FILE__));
141
+ elseif (isset($_SERVER["DOCUMENT_ROOT"]) && ($_SERVER["DOCUMENT_ROOT"]) && strlen($_SERVER["DOCUMENT_ROOT"]) < __FILE__ && substr(__FILE__, 0, strlen($_SERVER["DOCUMENT_ROOT"])) == $_SERVER["DOCUMENT_ROOT"])
142
+ GOTMLS_define("GOTMLS_images_path", substr(dirname(__FILE__), strlen($_SERVER["DOCUMENT_ROOT"])));
143
+ elseif (isset($_SERVER["SCRIPT_FILENAME"]) && isset($_SERVER["DOCUMENT_ROOT"]) && ($_SERVER["DOCUMENT_ROOT"]) && strlen($_SERVER["DOCUMENT_ROOT"]) < strlen($_SERVER["SCRIPT_FILENAME"]) && substr($_SERVER["SCRIPT_FILENAME"], 0, strlen($_SERVER["DOCUMENT_ROOT"])) == $_SERVER["DOCUMENT_ROOT"])
144
+ GOTMLS_define("GOTMLS_images_path", substr(dirname($_SERVER["SCRIPT_FILENAME"]), strlen($_SERVER["DOCUMENT_ROOT"])));
145
+ else
146
+ GOTMLS_define("GOTMLS_images_path", "/wp-content/plugins/update/images/");
147
+
148
  function GOTMLS_user_can() {
149
  if (is_multisite())
150
  $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"] = "manage_network";
189
  $GLOBALS["GOTMLS"]["log"] = get_option('GOTMLS_scan_log/'.(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:"0.0.0.0").'/'.$GLOBALS["GOTMLS"]["tmp"]["mt"], array());
190
  if (!(isset($GLOBALS["GOTMLS"]["log"]["settings"]) && is_array($GLOBALS["GOTMLS"]["log"]["settings"])))
191
  $GLOBALS["GOTMLS"]["log"]["settings"] = $GLOBALS["GOTMLS"]["tmp"]["settings_array"];
 
192
  GOTMLS_define("GOTMLS_installation_key", md5(GOTMLS_siteurl));
193
  GOTMLS_define("GOTMLS_update_home", "//updates.gotmls.net/".GOTMLS_installation_key."/");
194
 
324
  margin-top: 10px;
325
  }
326
  #main-page-title {
327
+ background: url("https://secure.gravatar.com/avatar/5feb789dd3a292d563fea3b885f786d6?s=64") no-repeat scroll 0 0 transparent;
328
  height: 64px;
329
  line-height: 58px;
330
  margin: 10px 0 0 0;
332
  padding: 0 110px 0 84px;
333
  }
334
  #main-page-title h1 {
335
+ background: url("https://secure.gravatar.com/avatar/8151cac22b3fc543d099241fd573d176?s=64") no-repeat scroll top right transparent;
336
  height: 64px;
337
  line-height: 32px;
338
  margin: 0;
724
  } elseif (isset($_GET["no_error_reporting"]))
725
  @error_reporting(0);
726
 
 
 
 
 
 
 
 
 
 
 
 
727
  $GOTMLS_image_alt = array("wait"=>"...", "checked"=>"&#x2714;", "blocked"=>"X", "question"=>"?", "threat"=>"!");
728
  $GOTMLS_dir_at_depth = array();
729
  $GOTMLS_dirs_at_depth = array();
1018
  $GLOBALS["GOTMLS"]["tmp"]["debug_fix"]="GOTMLS_fix";
1019
  if (GOTMLS_get_nonce()) {
1020
  if ($className == "timthumb") {
1021
+ if (($source = GOTMLS_get_URL("https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/timthumb/timthumb.php")) && strlen($source) > 500)
1022
  $GLOBALS["GOTMLS"]["tmp"]["new_contents"] = $source;
1023
  else
1024
  $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = "";
1186
  die(GOTMLS_html_tags(array("html" => array("body" => __("This record no longer exists.",'gotmls')."<br />\n<script type=\"text/javascript\">\nwindow.parent.showhide('GOTMLS_iFrame', true);\n</script>"))));
1187
  } else {
1188
  $threats_found = array();
1189
+ $li_js = "";
1190
  if (!isset($_REQUEST["eli"]))
1191
  $and = " AND `post_status` != 'trash'";
1192
+ if (isset($_REQUEST["limit"]) && is_numeric($_REQUEST["limit"]))
1193
+ $and = " LIMIT ".$_REQUEST["limit"];
1194
+ if (isset($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"]) && is_array($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"])) {
1195
+ if (isset($_GET["GOTMLS_scan"]) && strlen($_GET["GOTMLS_scan"]) > 8 && isset($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"][substr($_GET["GOTMLS_scan"], 8)])) {
1196
+ $scan_replace = str_replace("db_scan", "Database for ", GOTMLS_htmlspecialchars($_GET["GOTMLS_scan"]));
1197
+ $db_scan_a = array(substr($_GET["GOTMLS_scan"], 8) => $GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"][substr($_GET["GOTMLS_scan"], 8)]);
1198
+ } elseif (isset($_GET["GOTMLS_only_file"]) && strlen($_GET["GOTMLS_only_file"]) && isset($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"][GOTMLS_decode($_GET["GOTMLS_only_file"])])) {
1199
+ $scan_replace = str_replace("db_scan", "Database only for ", GOTMLS_htmlspecialchars("db_scan".GOTMLS_decode($_GET["GOTMLS_only_file"])));
1200
+ $_GET["GOTMLS_scan"] = "db_scan=".GOTMLS_decode($_GET["GOTMLS_only_file"]);
1201
+ $db_scan_a = array(GOTMLS_decode($_GET["GOTMLS_only_file"]) => $GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"][GOTMLS_decode($_GET["GOTMLS_only_file"])]);
1202
+ } else {
1203
+ $scan_replace = str_replace("db_scan", "Database", GOTMLS_htmlspecialchars($_GET["GOTMLS_scan"]));
1204
+ $db_scan_a = $GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"];
1205
+ }
1206
+ echo "/*<!--*"."/".GOTMLS_update_status(sprintf(__("Scanning %s",'gotmls'), $scan_replace));
1207
+ GOTMLS_flush();
1208
+ $li_js .= "/*<!--*"."/".GOTMLS_return_threat("dir", "checked", $_GET["GOTMLS_scan"]).GOTMLS_update_status(sprintf(__("Scanned %s",'gotmls'), $scan_replace));
1209
+ } else {
1210
+ echo "/*<!--*"."/".GOTMLS_update_status(sprintf(__("No Definitions for DB Injections!",'gotmls')));
1211
+ GOTMLS_flush();
1212
+ $li_js .= GOTMLS_return_threat("error", "question", $_GET["GOTMLS_scan"]);
1213
+ $db_scan_a = $_GET["GOTMLS_scan"];
1214
+ }
1215
+ if (isset($db_scan_a) && is_array($db_scan_a)) {
1216
+ echo "//memory_limit=".@ini_get("memory_limit");
1217
+ foreach ($db_scan_a as $scan_sql => $scan_regex) {
1218
+ $SQL = preg_replace('/\{[a-f0-9]{64}\}/', '%', $wpdb->prepare("SELECT * FROM `$wpdb->posts` WHERE `post_content` LIKE %s $and", $scan_sql));
1219
+ $threat_name = array_shift($scan_regex);
1220
+ if (($found_row = $wpdb->get_results($SQL, ARRAY_A)) && is_array($found_row) && count($found_row)) {
1221
+ $val = count($found_row);
1222
+ if (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1223
+ echo GOTMLS_return_threat("db_scan", "question", (print_r(array("scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("$val Rows", 0));//debug
1224
+ foreach ($found_row as $frow) {
1225
+ $encoded_id = GOTMLS_encode($frow["ID"].'.0');
1226
+ $found = 0;
1227
+ if ($frow["post_type"] != "revision" || isset($_REQUEST["eli"])) {
1228
+ $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = $frow["post_content"];
1229
+ $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1230
+ $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1231
+ foreach ($scan_regex as $threat_definition)
1232
+ $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1233
+ if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1234
+ echo str_replace($frow["ID"].'</a>', '</a><a target="_blank" title="Open '.$frow["post_type"].'" href="'.admin_url(($frow["post_type"]=="revision")?'revision.php?revision='.$frow["ID"].'">View Revision: ':'post.php?action=edit&post='.$frow["ID"].'">Edit '.$frow["post_type"].': ').$frow["ID"].'</a>', GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '.$frow["post_type"]."(".(($frow["post_status"]=='inherit')?$frow["post_parent"]:$frow["post_status"]).'):"'.GOTMLS_htmlspecialchars($frow["post_title"]).'":'.$frow["ID"], '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["ID"].'.0', "db_scan")));
1235
+ $threats_found['row_id_'.$encoded_id] = $threat_name;
1236
+ } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1237
+ echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
1238
+ }
1239
  }
1240
  }
1241
+ if (($found_row = $wpdb->get_results(preg_replace('/\{[a-f0-9]{64}\}/', '%', $wpdb->prepare("SELECT * FROM `$wpdb->options` WHERE `option_value` LIKE %s", $scan_sql)), ARRAY_A)) && is_array($found_row) && count($found_row)) {
1242
+ $val = count($found_row);
1243
+ if (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1244
+ echo GOTMLS_return_threat("db_scan", "question", (print_r(array("scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("$val Rows", 0));//debug
1245
+ foreach ($found_row as $frow) {
1246
+ $encoded_id = GOTMLS_encode($frow["option_id"].'.1');
1247
+ $found = 0;
1248
+ $opt_val = maybe_unserialize($frow["option_value"]);
1249
+ if (is_array($opt_val)) {
1250
+ $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1251
+ $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1252
+ foreach ($scan_regex as $threat_definition)
1253
+ foreach ($opt_val as $GLOBALS["GOTMLS"]["tmp"]["file_contents"])
1254
+ $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1255
+ if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1256
+ echo GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '."$wpdb->options:".GOTMLS_htmlspecialchars($frow["option_name"]).'":'.$frow["option_id"].'.1', '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["option_id"].'.1', "db_scan"));
1257
+ $threats_found['row_id_'.$encoded_id] = $threat_name;
1258
+ } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1259
+ echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
1260
+ } else {
1261
+ $GLOBALS["GOTMLS"]["tmp"]["file_contents"] = $opt_val;
1262
+ $GLOBALS["GOTMLS"]["tmp"]["threats_found"] = array();
1263
+ $GLOBALS["GOTMLS"]["log"]["scan"]["last_threat"] = microtime(true);
1264
+ foreach ($scan_regex as $threat_definition)
1265
  $found += GOTMLS_preg_match_all($threat_definition, $threat_name);
1266
+ if ($found && !isset($threats_found['row_id_'.$encoded_id])) {
1267
+ echo GOTMLS_return_threat("db_scan", "threat", "$found $threat_name(\"".str_replace('%', '*', trim($scan_sql, "%")).'") in '."$wpdb->options:".GOTMLS_htmlspecialchars($frow["option_name"]).'":'.$frow["option_id"].'.1', '<input type="checkbox" name="GOTMLS_fix[]" id="check_'.$encoded_id.'" value="'.$encoded_id.'" checked="true">'.GOTMLS_error_link(__("View DB Injection",'gotmls'), $frow["option_id"].'.1', "db_scan"));
1268
+ $threats_found['row_id_'.$encoded_id] = $threat_name;
1269
+ } elseif (isset($_REQUEST["eli"]) && ($_REQUEST["eli"] == "debug"))
1270
+ echo GOTMLS_return_threat("db_scan", "question", (print_r(array("post_id"=>$frow["ID"], "scan_regex:"=>$scan_regex,"SQL:"=>$SQL),1)), GOTMLS_error_link("No preg_match", 0));//debug
1271
+ }
 
 
 
 
 
 
 
 
 
 
 
 
1272
  }
1273
  }
1274
  }
1275
  }
1276
+ return "$li_js/*-->*"."/\nscanNextDir(-1);\n/*<!--*"."/";
1277
  }
1278
  }
1279
  }
1322
 
1323
  function GOTMLS_return_threat($className, $imageFile, $fileName, $link = "") {
1324
  global $GOTMLS_image_alt;
1325
+ $fileNameJS = GOTMLS_strip4java(str_replace("db_scan", "Database", str_replace("db_scan=", "Database Query ", isset($GLOBALS["GOTMLS"]["log"]["scan"]["dir"])?str_replace(dirname($GLOBALS["GOTMLS"]["log"]["scan"]["dir"]), "...", $fileName):$fileName)));
1326
  $fileName64 = GOTMLS_encode($fileName);
1327
  $li_js = "/*-->*"."/";
1328
  if ($className != "scanned")
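Review bot: At new lines 1192-1193 of the GOTMLS_db_scan hunk, `$and = " LIMIT ".$_REQUEST["limit"];` splices request input directly into the query text that is then interpolated into the `$wpdb->prepare()` format string at new line 1218, and `is_numeric()` still admits values MySQL rejects in a LIMIT clause (`1.5`, `1e3`, `-1`, leading whitespace); it also overwrites rather than appends the `post_status != 'trash'` filter assigned on the line before it, and `$and` stays undefined when `eli` is set without a limit. Suggest initialising `$and = "";` ahead of the `eli` check, appending the trash filter with `.=` instead of `=`, and binding the limit as a clamped integer, `$and .= " LIMIT ".max(0, (int) $_REQUEST["limit"]);` (or passing it to `prepare()` through a `%d` placeholder). The relocated images-path block at new line 141 also still compares `strlen($_SERVER["DOCUMENT_ROOT"]) < __FILE__`, where `strlen(__FILE__)` appears to be what was intended. GOTMLS_db_scan begins before this hunk and its closing braces extend past the lines shown.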
index.php CHANGED
@@ -1,14 +1,14 @@
1
  <?php
2
  /*
3
  Plugin Name: Anti-Malware Security and Brute-Force Firewall
4
- Plugin URI: http://gotmls.net/
5
  Author: Eli Scheetz
6
  Text Domain: gotmls
7
  Author URI: http://wordpress.ieonly.com/category/my-plugins/anti-malware/
8
  Contributors: scheeeli, gotmls
9
  Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE
10
  Description: This Anti-Virus/Anti-Malware plugin searches for Malware and other Virus like threats and vulnerabilities on your server and helps you remove them. It's always growing and changing to adapt to new threats so let me know if it's not working for you.
11
- Version: 4.18.76
12
  */
13
  if (isset($_SERVER["DOCUMENT_ROOT"]) && ($SCRIPT_FILE = str_replace($_SERVER["DOCUMENT_ROOT"], "", isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:isset($_SERVER["SCRIPT_NAME"])?$_SERVER["SCRIPT_NAME"]:"")) && strlen($SCRIPT_FILE) > strlen("/".basename(__FILE__)) && substr(__FILE__, -1 * strlen($SCRIPT_FILE)) == substr($SCRIPT_FILE, -1 * strlen(__FILE__)) || !(function_exists("add_action") && function_exists("load_plugin_textdomain")))
14
  include(dirname(__FILE__)."/safe-load/index.php");
@@ -504,7 +504,7 @@ function GOTMLS_Firewall_Options() {
504
  foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["firewall"] as $TP => $VA)
505
  if (is_array($VA) && count($VA) > 3 && strlen($VA[1]) && strlen($VA[2]))
506
  $sec_opts .= $lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="submit" style="float: right;" value="'.(isset($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["firewall"]["$TP"]) && $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["firewall"]["$TP"]?"Enable Protection\" onclick=\"setFirewall('$TP', 0);\"$gt$lt".'p'.$gt.$lt.'img src="'.GOTMLS_images_path.'threat.gif"'.$gt.$lt."b$gt$VA[1] (Currently Disabled)":"Disable Protection\" onclick=\"setFirewall('$TP', 1);\"$gt$lt".'p'.$gt.$lt.'img src="'.GOTMLS_images_path.'checked.gif"'.$gt.$lt."b$gt$VA[1] (Automatically Enabled)")."$lt/b$gt$lt/p$gt$VA[2]$lt/div$gt$lt".'hr /'.$gt;
507
- $sec_opts .= "$lt/form$gt\n$patch_action\n$lt".'form method="POST" name="GOTMLS_Form_patch"'.$gt.$lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="hidden" name="'.str_replace('=', '" value="', GOTMLS_set_nonce(__FUNCTION__."807")).'"'.$gt.$lt.'input type="submit" value="'.$patch_attr[$patch_status]["action"].'" style="float: right;'.($patch_status?'"'.$gt:' display: none;" id="GOTMLS_patch_button"'.$gt.$lt.'div id="GOTMLS_patch_searching" style="float: right;"'.$gt.__("Checking for session compatibility ...",'gotmls').' '.$lt.'img src="'.GOTMLS_images_path.'wait.gif" height=16 width=16 alt="Wait..." /'.$gt.$lt.'/div'.$gt).$lt.'input type="hidden" name="GOTMLS_patching" value="1"'.$gt.$lt.'p'.$gt.$lt.'img src="'.GOTMLS_images_path.$patch_attr[$patch_status]["icon"].'.gif"'.$gt.$lt.'b'.$gt.'Brute-force Protection '.$patch_attr[$patch_status]["status"].$lt.'/b'.$gt.$lt.'/p'.$gt.$patch_attr[$patch_status]["language"].__(" For more information on Brute-Force attack prevention and the WordPress wp-login-php file ",'gotmls').' '.$lt.'a target="_blank" href="http://gotmls.net/tag/wp-login-php/"'.$gt.__("read my blog",'gotmls')."$lt/a$gt.$lt/div$gt$lt/form$gt\n$lt"."script type='text/javascript'$gt\nfunction search_patch_onload() {\n\tstopCheckingSession = checkupdateserver('".GOTMLS_images_path."gotmls.js?SESSION=0', 'GOTMLS_patch_searching');\n}\nif (window.addEventListener)\n\twindow.addEventListener('load', search_patch_onload)\nelse\n\tdocument.attachEvent('onload', search_patch_onload);\n$lt/script$gt";
508
  $admin_notice = "";
509
  if ($current_user->user_login == "admin") {
510
  $admin_notice .= $lt.'hr /'.$gt;
@@ -573,7 +573,7 @@ function GOTMLS_ajax_load_update() {
573
  $finJS = "\n}";
574
  $form = 'registerKeyForm';
575
  $innerHTML = "<li style=\\\"color: #f00\\\">Your Installation Key could not be confirmed!</li>";
576
- $autoUpJS = '<span style="color: #C00;">This new feature is currently only available to registered users who have donated above the default level.</span><br />';
577
  if (is_array($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]))
578
  foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"] as $threat_level=>$definition_names)
579
  foreach ($definition_names as $definition_name=>$definition_version)
@@ -648,7 +648,7 @@ function GOTMLS_ajax_load_update() {
648
  $autoUpJS .= '<span style="color: #0C0;">(No newer Definition Updates are available at this time.)</span>';
649
  $innerHTML .= "<li style=\\\"color: #0C0\\\">No Newer Definition Updates Available.</li>";
650
  }
651
- if (isset($_SERVER["SCRIPT_FILENAME"]) && preg_match('/\/admin-ajax\.php/i', $_SERVER["SCRIPT_FILENAME"]) && isset($_REQUEST["action"]) && $_REQUEST["action"] == "GOTMLS_load_update") {
652
  if (!$user_donations_src)
653
  $li = "<li style=\\\"color: #f00;\\\">You have not donated yet!</li>";
654
  if (strlen($moreJS) == 0)
@@ -823,9 +823,9 @@ function GOTMLS_settings() {
823
  $fe = "";
824
  $scan_opts .= "\n$lt".'div style="padding: 10px;"'.$gt.$lt.'p'.$gt.$lt.'b'.$gt.__("Custom RegExp:",'gotmls').$fe.$lt.'/b'.$gt.' ('.__("For very advanced users only. Do not use this without talking to Eli first. If used incorrectly you could easily break your site.",'gotmls').')'.$lt.'/p'.$gt.$lt.'input type="text" name="check_custom" style="width: 100%;" value="'.GOTMLS_htmlspecialchars($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["check_custom"]).'" /'."$gt$lt/div$gt\n";
825
  }
826
- $QuickScan = $lt.((is_dir(dirname(__FILE__)."/../../../wp-includes") && is_dir(dirname(__FILE__)."/../../../wp-admin"))?'a href="'.admin_url("admin.php?page=GOTMLS-settings&scan_type=Quick+Scan&$GOTMLS_nonce_URL").'" class="button-primary" style="height: 22px; line-height: 13px; padding: 3px;">WP_Core</a':"!-- No wp-includes or wp-admin --").$gt;
827
  foreach (array("Plugins", "Themes") as $ScanFolder)
828
- $QuickScan .= '&nbsp;'.$lt.((is_dir(dirname(__FILE__)."/../../../wp-content/".strtolower($ScanFolder)))?'a href="'.admin_url("admin.php?page=GOTMLS-settings&scan_type=Quick+Scan&scan_only[]=wp-content/".strtolower($ScanFolder)."&$GOTMLS_nonce_URL")."\" class=\"button-primary\" style=\"height: 22px; line-height: 13px; padding: 3px;\"$gt$ScanFolder$lt/a":"!-- No $ScanFolder in wp-content --").$gt;
829
  $scan_opts .= "\n$lt".'p'.$gt.$lt.'b'.$gt.__("Skip files with the following extensions:",'gotmls')."$lt/b$gt".(($default_exclude_ext!=implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]))?" {$lt}a href=\"javascript:void(0);\" onclick=\"document.getElementById('exclude_ext').value = '$default_exclude_ext';\"{$gt}[Restore Defaults]$lt/a$gt":"").$lt.'/p'.$gt.'
830
  '.$lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="text" placeholder="'.__("a comma separated list of file extentions to skip",'gotmls').'" name="exclude_ext" id="exclude_ext" value="'.implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]).'" style="width: 100%;" /'."$gt$lt/div$gt$lt".'p'.$gt.$lt.'b'.$gt.__("Skip directories with the following names:",'gotmls')."$lt/b$gt$lt/p$gt$lt".'div style="padding: 0 30px;"'.$gt.$lt.'input type="text" placeholder="'.__("a folder name or comma separated list of folder names to skip",'gotmls').'" name="exclude_dir" value="'.implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_dir"]).'" style="width: 100%;" /'.$gt.$lt.'/div'.$gt.'
831
  '.$lt.'table style="width: 100%" cellspacing="10"'.$gt.$lt.'tr'.$gt.$lt.'td nowrap valign="top" style="white-space: nowrap; width: 1px;"'.$gt.$lt.'b'.$gt.__("Automatically Update Definitions:",'gotmls').$lt."br$gt$lt/b$gt$lt/td$gt$lt".'td'.$gt.$lt.'div id="UPDATE_definitions_div"'.$gt.$lt.'br'.$gt.$lt.'span style="color: #C00;"'.$gt.__("This feature is only available to registered users who have donated at a certain level.",'gotmls')."$lt/span$gt$lt/div$gt$lt/td$gt$lt".'td align="right" valign="bottom"'.$gt.$lt.'input type="submit" id="save_settings" value="'.__("Save Settings",'gotmls').'" class="button-primary" onclick="document.getElementById(\'scan_type\').value=\'Save\';" /'."$gt$lt/td$gt$lt/tr$gt$lt/table$gt$lt/form$gt";
@@ -1032,7 +1032,7 @@ var startTime = 0;
1032
  echo "\n$lt".'script type="text/javascript"'.$gt.'showhide("inside_'.md5($ScanSettings).'");'.$lt.'/script'.$gt.GOTMLS_box(GOTMLS_htmlspecialchars($_REQUEST["scan_type"]).' Status', $lt.'div id="status_text"'.$gt.$lt.'img src="'.GOTMLS_images_path.'wait.gif" height=16 width=16 alt="..."'.$gt.' '.GOTMLS_Loading_LANGUAGE.$lt.'/div'.$gt.$lt.'div id="status_bar"'.$gt.$lt.'/div'.$gt.$lt.'p id="pause_button" style="display: none; position: absolute; left: 0; text-align: center; margin-left: -30px; padding-left: 50%;"'.$gt.$lt.'input type="button" value="Pause" class="button-primary" onclick="pauseresume(this);" id="resume_button" /'.$gt.$lt.'/p'.$gt.$lt.'div id="status_counts"'.$gt.$lt.'/div'.$gt.$lt.'p id="fix_button" style="display: none; text-align: center;"'.$gt.$lt.'input id="repair_button" type="submit" value="'.GOTMLS_Automatically_Fix_LANGUAGE.'" class="button-primary" onclick="loadIframe(\'Examine Results\');" /'.$gt.$lt.'/p'.$gt);
1033
  $scan_groups_UL = "";
1034
  foreach ($scan_groups as $scan_name => $scan_group)
1035
- $scan_groups_UL .= "\n{$lt}ul name=\"found_$scan_group\" id=\"found_$scan_group\" class=\"GOTMLS_plugin $scan_group\" style=\"background-color: #ccc; display: none; padding: 0;\"$gt{$lt}a class=\"rounded-corners\" name=\"link_$scan_group\" style=\"float: right; padding: 0 4px; margin: 5px 5px 0 30px; line-height: 16px; text-decoration: none; color: #C00; background-color: #FCC; border: solid #F00 1px;\" href=\"#found_top\" onclick=\"showhide('found_$scan_group');\"{$gt}X$lt/a$gt{$lt}h3$gt$scan_name$lt/h3$gt\n".($scan_group=='potential'?$lt.'p'.$gt.' &nbsp; * '.__("NOTE: These are probably not malicious scripts (but it's a good place to start looking <u>IF</u> your site is infected and no Known Threats were found).",'gotmls').$lt.'/p'.$gt:($scan_group=='wp_core'?$lt.'p'.$gt.' &nbsp; * '.sprintf(__("NOTE: We have detected changes to the WordPress Core files on your site. This could be an intentional modification or the malicious work of a hacker. We can restore these files to their original state to preserve the integrity of your original WordPress %s installation.",'gotmls'), GOTMLS_wp_version).' (for more info '.$lt.'a target="_blank" href="http://gotmls.net/tag/wp-core-files/"'.$gt.__("read my blog",'gotmls').$lt.'/a'.$gt.').'.$lt.'/p'.$gt:$lt.'br /'.$gt)).$lt.'/ul'.$gt;
1036
  if (!($dir = implode(GOTMLS_slash(), array_slice($dirs, 0, -1 * (2 + $_REQUEST["scan_what"]))))) $dir = "/";
1037
  GOTMLS_update_scan_log(array("scan" => array("dir" => $dir, "start" => time(), "type" => GOTMLS_htmlentities($_REQUEST["scan_type"]))));
1038
  echo GOTMLS_box($lt.'div id="GOTMLS_scan_dir" style="float: right;"'.$gt.'&nbsp;('.$GLOBALS["GOTMLS"]["log"]["scan"]["dir"].")&nbsp;$lt/div$gt".__("Scan Details:",'gotmls'), $scan_groups_UL);
@@ -1070,10 +1070,17 @@ var startTime = 0;
1070
  if ($_REQUEST["scan_type"] == "Quick Scan")
1071
  echo GOTMLS_update_status(__("Completed!",'gotmls'), 100);
1072
  else {
1073
- echo GOTMLS_update_status(__("Starting Scan ...",'gotmls'));
1074
- if (isset($GLOBALS["GOTMLS"]["log"]["settings"]["check"]) && is_array($GLOBALS["GOTMLS"]["log"]["settings"]["check"]) && in_array("db_scan", $GLOBALS["GOTMLS"]["log"]["settings"]["check"]))
1075
- GOTMLS_db_scan();
1076
- echo "/*--{$gt}*"."/\nvar scriptSRC = '".admin_url('admin-ajax.php?action=GOTMLS_scan&'.GOTMLS_set_nonce(__FUNCTION__."1087").'&mt='.$GLOBALS["GOTMLS"]["tmp"]["mt"].preg_replace('/\&(GOTMLS_scan|mt|GOTMLS_mt|action)=/', '&last_\1=', isset($_SERVER["QUERY_STRING"])&&strlen($_SERVER["QUERY_STRING"])?"&".$_SERVER["QUERY_STRING"]:"").'&GOTMLS_scan=')."';\nvar scanfilesArKeys = new Array('".implode("','", array_keys($GLOBALS["GOTMLS"]["tmp"]["scanfiles"]))."');\nvar scanfilesArNames = new Array('Scanning ".implode("','Scanning ", $GLOBALS["GOTMLS"]["tmp"]["scanfiles"])."');".'
 
 
 
 
 
 
 
1077
  var scanfilesI = 0;
1078
  var stopScanning;
1079
  var gotStuckOn = "";
@@ -1134,7 +1141,8 @@ function GOTMLS_login_form($form_id = "loginform") {
1134
  $ajaxURL = admin_url("admin-ajax.php?action=GOTMLS_logintime&GOTMLS_sess=");
1135
  echo '<input type="hidden" name="sess_id" value="'.substr($sess, 4).'"><input type="hidden" id="offset_id" value="0" name="sess'.substr($sess, 4).'"><script type="text/javascript">'."\nvar GOTMLS_login_offset = new Date();\nvar GOTMLS_login_script = document.createElement('script');\nGOTMLS_login_script.src = '$ajaxURL'+GOTMLS_login_offset.getTime();\n\ndocument.head.appendChild(GOTMLS_login_script);\n</script>\n";//GOTMLS_login_script.onload = set_offset_id();
1136
  }
1137
- add_action("login_form", "GOTMLS_login_form");
 
1138
 
1139
  function GOTMLS_ajax_logintime() {
1140
  @header("Content-type: text/javascript");
@@ -1172,7 +1180,7 @@ add_filter("plugin_action_links", "GOTMLS_set_plugin_action_links", 1, 2);
1172
 
1173
  function GOTMLS_set_plugin_row_meta($links_array, $plugin_file) {
1174
  if ($plugin_file == substr(str_replace("\\", "/", __FILE__), (-1 * strlen($plugin_file))) && strlen($plugin_file) > 10)
1175
- $links_array = array_merge($links_array, array('<a target="_blank" href="http://gotmls.net/faqs/">FAQ</a>','<a target="_blank" href="http://gotmls.net/support/">Support</a>','<a target="_blank" href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE"><span style="font-size: 20px; height: 20px; width: 20px;" class="dashicons dashicons-heart"></span>Donate</a>'));
1176
  return $links_array;
1177
  }
1178
  add_filter("plugin_row_meta", "GOTMLS_set_plugin_row_meta", 1, 2);
@@ -1517,11 +1525,51 @@ if (typeof window.parent.showhide === "function")
1517
  die("\n$script_form".admin_url('admin-ajax.php?'.GOTMLS_set_nonce(__FUNCTION__."1779")).'" onsubmit="return confirm(\''.__("Are you sure you want to delete the record of this file from the quarantine?",'gotmls').'\');"><input type="hidden" name="GOTMLS_fix[]" value="'.$Q_post["ID"].'"><input type="hidden" name="GOTMLS_fixing" value="2"><input type="hidden" name="action" value="GOTMLS_fix"><input type="submit" value="DELETE from Quarantine" style="background-color: #C00; float: right;"></form><div id="fileperms" class="shadowed-box rounded-corners" style="display: none; position: absolute; left: 8px; top: 29px; background-color: #ccc; border: medium solid #C00; box-shadow: -3px 3px 3px #666; border-radius: 10px; padding: 10px;"><b>File Details</b><br />size: '.strlen(GOTMLS_htmlspecialchars($GLOBALS["GOTMLS"]["tmp"]["file_contents"])).' bytes<br />infected:'.$Q_post["post_modified_gmt"].'<br />encoding: '.(isset($GLOBALS["GOTMLS"]["tmp"]["encoding"])?$GLOBALS["GOTMLS"]["tmp"]["encoding"]:(function_exists("mb_detect_encoding")?mb_detect_encoding($GLOBALS["GOTMLS"]["tmp"]["file_contents"]):"Unknown")).'<br />quarantined:'.$Q_post["post_date_gmt"].'</div><div style="overflow: auto;"><span onmouseover="document.getElementById(\'fileperms\').style.display=\'block\';" onmouseout="document.getElementById(\'fileperms\').style.display=\'none\';">'.__("File Details:",'gotmls').'</span> ('.$fa.' )</div></td></tr><tr><td style="height: 100%"><textarea id="ta_file" style="width: 100%; height: 100%">'.GOTMLS_htmlentities(str_replace("\r", "", $GLOBALS["GOTMLS"]["tmp"]["file_contents"])).'</textarea></td></tr></table>');
1518
  } else
1519
  die(GOTMLS_html_tags(array("html" => array("body" => __("This record no longer exists in the quarantine.",'gotmls')."<br />\n<script type=\"text/javascript\">\nif (typeof window.parent.showhide === 'function') window.parent.showhide('GOTMLS_iFrame', true);\n</script>"))));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1520
  } else {
1521
  $file = GOTMLS_decode($_GET["GOTMLS_scan"]);
1522
  if (is_numeric($file))
1523
  die("\n$script_form".GOTMLS_db_scan($file));
1524
- elseif (is_dir($file)) {
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1525
  @error_reporting(0);
1526
  @header("Content-type: text/javascript");
1527
  if (isset($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]) && is_array($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]))
1
  <?php
2
  /*
3
  Plugin Name: Anti-Malware Security and Brute-Force Firewall
4
+ Plugin URI: https://gotmls.net/
5
  Author: Eli Scheetz
6
  Text Domain: gotmls
7
  Author URI: http://wordpress.ieonly.com/category/my-plugins/anti-malware/
8
  Contributors: scheeeli, gotmls
9
  Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE
10
  Description: This Anti-Virus/Anti-Malware plugin searches for Malware and other Virus like threats and vulnerabilities on your server and helps you remove them. It's always growing and changing to adapt to new threats so let me know if it's not working for you.
11
+ Version: 4.19.44
12
  */
13
  if (isset($_SERVER["DOCUMENT_ROOT"]) && ($SCRIPT_FILE = str_replace($_SERVER["DOCUMENT_ROOT"], "", isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:isset($_SERVER["SCRIPT_NAME"])?$_SERVER["SCRIPT_NAME"]:"")) && strlen($SCRIPT_FILE) > strlen("/".basename(__FILE__)) && substr(__FILE__, -1 * strlen($SCRIPT_FILE)) == substr($SCRIPT_FILE, -1 * strlen(__FILE__)) || !(function_exists("add_action") && function_exists("load_plugin_textdomain")))
14
  include(dirname(__FILE__)."/safe-load/index.php");
504
  foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["firewall"] as $TP => $VA)
505
  if (is_array($VA) && count($VA) > 3 && strlen($VA[1]) && strlen($VA[2]))
506
  $sec_opts .= $lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="submit" style="float: right;" value="'.(isset($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["firewall"]["$TP"]) && $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["firewall"]["$TP"]?"Enable Protection\" onclick=\"setFirewall('$TP', 0);\"$gt$lt".'p'.$gt.$lt.'img src="'.GOTMLS_images_path.'threat.gif"'.$gt.$lt."b$gt$VA[1] (Currently Disabled)":"Disable Protection\" onclick=\"setFirewall('$TP', 1);\"$gt$lt".'p'.$gt.$lt.'img src="'.GOTMLS_images_path.'checked.gif"'.$gt.$lt."b$gt$VA[1] (Automatically Enabled)")."$lt/b$gt$lt/p$gt$VA[2]$lt/div$gt$lt".'hr /'.$gt;
507
+ $sec_opts .= "$lt/form$gt\n$patch_action\n$lt".'form method="POST" name="GOTMLS_Form_patch"'.$gt.$lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="hidden" name="'.str_replace('=', '" value="', GOTMLS_set_nonce(__FUNCTION__."807")).'"'.$gt.$lt.'input type="submit" value="'.$patch_attr[$patch_status]["action"].'" style="float: right;'.($patch_status?'"'.$gt:' display: none;" id="GOTMLS_patch_button"'.$gt.$lt.'div id="GOTMLS_patch_searching" style="float: right;"'.$gt.__("Checking for session compatibility ...",'gotmls').' '.$lt.'img src="'.GOTMLS_images_path.'wait.gif" height=16 width=16 alt="Wait..." /'.$gt.$lt.'/div'.$gt).$lt.'input type="hidden" name="GOTMLS_patching" value="1"'.$gt.$lt.'p'.$gt.$lt.'img src="'.GOTMLS_images_path.$patch_attr[$patch_status]["icon"].'.gif"'.$gt.$lt.'b'.$gt.'Brute-force Protection '.$patch_attr[$patch_status]["status"].$lt.'/b'.$gt.$lt.'/p'.$gt.$patch_attr[$patch_status]["language"].__(" For more information on Brute-Force attack prevention and the WordPress wp-login-php file ",'gotmls').' '.$lt.'a target="_blank" href="'.GOTMLS_plugin_home.'tag/wp-login-php/"'.$gt.__("read my blog",'gotmls')."$lt/a$gt.$lt/div$gt$lt/form$gt\n$lt"."script type='text/javascript'$gt\nfunction search_patch_onload() {\n\tstopCheckingSession = checkupdateserver('".GOTMLS_images_path."gotmls.js?SESSION=0', 'GOTMLS_patch_searching');\n}\nif (window.addEventListener)\n\twindow.addEventListener('load', search_patch_onload)\nelse\n\tdocument.attachEvent('onload', search_patch_onload);\n$lt/script$gt";
508
  $admin_notice = "";
509
  if ($current_user->user_login == "admin") {
510
  $admin_notice .= $lt.'hr /'.$gt;
573
  $finJS = "\n}";
574
  $form = 'registerKeyForm';
575
  $innerHTML = "<li style=\\\"color: #f00\\\">Your Installation Key could not be confirmed!</li>";
576
+ $autoUpJS = '<span style="color: #C00;">This new feature is currently only available to registered users who have donated $29 or more.</span><br />';
577
  if (is_array($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]))
578
  foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"] as $threat_level=>$definition_names)
579
  foreach ($definition_names as $definition_name=>$definition_version)
648
  $autoUpJS .= '<span style="color: #0C0;">(No newer Definition Updates are available at this time.)</span>';
649
  $innerHTML .= "<li style=\\\"color: #0C0\\\">No Newer Definition Updates Available.</li>";
650
  }
651
+ if (isset($_SERVER["SCRIPT_FILENAME"]) && preg_match('/[\/\\\\]admin-ajax\.php/i', $_SERVER["SCRIPT_FILENAME"]) && isset($_REQUEST["action"]) && $_REQUEST["action"] == "GOTMLS_load_update") {
652
  if (!$user_donations_src)
653
  $li = "<li style=\\\"color: #f00;\\\">You have not donated yet!</li>";
654
  if (strlen($moreJS) == 0)
823
  $fe = "";
824
  $scan_opts .= "\n$lt".'div style="padding: 10px;"'.$gt.$lt.'p'.$gt.$lt.'b'.$gt.__("Custom RegExp:",'gotmls').$fe.$lt.'/b'.$gt.' ('.__("For very advanced users only. Do not use this without talking to Eli first. If used incorrectly you could easily break your site.",'gotmls').')'.$lt.'/p'.$gt.$lt.'input type="text" name="check_custom" style="width: 100%;" value="'.GOTMLS_htmlspecialchars($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["check_custom"]).'" /'."$gt$lt/div$gt\n";
825
  }
826
+ $QuickScan = $lt.((is_dir(dirname(__FILE__)."/../../../wp-includes") && is_dir(dirname(__FILE__)."/../../../wp-admin"))?'a href="'.admin_url("admin.php?page=GOTMLS-settings&scan_type=Quick+Scan&$GOTMLS_nonce_URL").'" class="button-primary" style="min-height: 22px; height: 22px; line-height: 13px; padding: 3px;">WP_Core</a':"!-- No wp-includes or wp-admin --").$gt;
827
  foreach (array("Plugins", "Themes") as $ScanFolder)
828
+ $QuickScan .= '&nbsp;'.$lt.((is_dir(dirname(__FILE__)."/../../../wp-content/".strtolower($ScanFolder)))?'a href="'.admin_url("admin.php?page=GOTMLS-settings&scan_type=Quick+Scan&scan_only[]=wp-content/".strtolower($ScanFolder)."&$GOTMLS_nonce_URL")."\" class=\"button-primary\" style=\"min-height: 22px; height: 22px; line-height: 13px; padding: 3px;\"$gt$ScanFolder$lt/a":"!-- No $ScanFolder in wp-content --").$gt;
829
  $scan_opts .= "\n$lt".'p'.$gt.$lt.'b'.$gt.__("Skip files with the following extensions:",'gotmls')."$lt/b$gt".(($default_exclude_ext!=implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]))?" {$lt}a href=\"javascript:void(0);\" onclick=\"document.getElementById('exclude_ext').value = '$default_exclude_ext';\"{$gt}[Restore Defaults]$lt/a$gt":"").$lt.'/p'.$gt.'
830
  '.$lt.'div style="padding: 0 30px;"'.$gt.$lt.'input type="text" placeholder="'.__("a comma separated list of file extentions to skip",'gotmls').'" name="exclude_ext" id="exclude_ext" value="'.implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]).'" style="width: 100%;" /'."$gt$lt/div$gt$lt".'p'.$gt.$lt.'b'.$gt.__("Skip directories with the following names:",'gotmls')."$lt/b$gt$lt/p$gt$lt".'div style="padding: 0 30px;"'.$gt.$lt.'input type="text" placeholder="'.__("a folder name or comma separated list of folder names to skip",'gotmls').'" name="exclude_dir" value="'.implode(",", $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_dir"]).'" style="width: 100%;" /'.$gt.$lt.'/div'.$gt.'
831
  '.$lt.'table style="width: 100%" cellspacing="10"'.$gt.$lt.'tr'.$gt.$lt.'td nowrap valign="top" style="white-space: nowrap; width: 1px;"'.$gt.$lt.'b'.$gt.__("Automatically Update Definitions:",'gotmls').$lt."br$gt$lt/b$gt$lt/td$gt$lt".'td'.$gt.$lt.'div id="UPDATE_definitions_div"'.$gt.$lt.'br'.$gt.$lt.'span style="color: #C00;"'.$gt.__("This feature is only available to registered users who have donated at a certain level.",'gotmls')."$lt/span$gt$lt/div$gt$lt/td$gt$lt".'td align="right" valign="bottom"'.$gt.$lt.'input type="submit" id="save_settings" value="'.__("Save Settings",'gotmls').'" class="button-primary" onclick="document.getElementById(\'scan_type\').value=\'Save\';" /'."$gt$lt/td$gt$lt/tr$gt$lt/table$gt$lt/form$gt";
1032
  echo "\n$lt".'script type="text/javascript"'.$gt.'showhide("inside_'.md5($ScanSettings).'");'.$lt.'/script'.$gt.GOTMLS_box(GOTMLS_htmlspecialchars($_REQUEST["scan_type"]).' Status', $lt.'div id="status_text"'.$gt.$lt.'img src="'.GOTMLS_images_path.'wait.gif" height=16 width=16 alt="..."'.$gt.' '.GOTMLS_Loading_LANGUAGE.$lt.'/div'.$gt.$lt.'div id="status_bar"'.$gt.$lt.'/div'.$gt.$lt.'p id="pause_button" style="display: none; position: absolute; left: 0; text-align: center; margin-left: -30px; padding-left: 50%;"'.$gt.$lt.'input type="button" value="Pause" class="button-primary" onclick="pauseresume(this);" id="resume_button" /'.$gt.$lt.'/p'.$gt.$lt.'div id="status_counts"'.$gt.$lt.'/div'.$gt.$lt.'p id="fix_button" style="display: none; text-align: center;"'.$gt.$lt.'input id="repair_button" type="submit" value="'.GOTMLS_Automatically_Fix_LANGUAGE.'" class="button-primary" onclick="loadIframe(\'Examine Results\');" /'.$gt.$lt.'/p'.$gt);
1033
  $scan_groups_UL = "";
1034
  foreach ($scan_groups as $scan_name => $scan_group)
1035
+ $scan_groups_UL .= "\n{$lt}ul name=\"found_$scan_group\" id=\"found_$scan_group\" class=\"GOTMLS_plugin $scan_group\" style=\"background-color: #ccc; display: none; padding: 0;\"$gt{$lt}a class=\"rounded-corners\" name=\"link_$scan_group\" style=\"float: right; padding: 0 4px; margin: 5px 5px 0 30px; line-height: 16px; text-decoration: none; color: #C00; background-color: #FCC; border: solid #F00 1px;\" href=\"#found_top\" onclick=\"showhide('found_$scan_group');\"{$gt}X$lt/a$gt{$lt}h3$gt$scan_name$lt/h3$gt\n".($scan_group=='potential'?$lt.'p'.$gt.' &nbsp; * '.__("NOTE: These are probably not malicious scripts (but it's a good place to start looking <u>IF</u> your site is infected and no Known Threats were found).",'gotmls').$lt.'/p'.$gt:($scan_group=='wp_core'?$lt.'p'.$gt.' &nbsp; * '.sprintf(__("NOTE: We have detected changes to the WordPress Core files on your site. This could be an intentional modification or the malicious work of a hacker. We can restore these files to their original state to preserve the integrity of your original WordPress %s installation.",'gotmls'), GOTMLS_wp_version).' (for more info '.$lt.'a target="_blank" href="'.GOTMLS_plugin_home.'tag/wp-core-files/"'.$gt.__("read my blog",'gotmls').$lt.'/a'.$gt.').'.$lt.'/p'.$gt:$lt.'br /'.$gt)).$lt.'/ul'.$gt;
1036
  if (!($dir = implode(GOTMLS_slash(), array_slice($dirs, 0, -1 * (2 + $_REQUEST["scan_what"]))))) $dir = "/";
1037
  GOTMLS_update_scan_log(array("scan" => array("dir" => $dir, "start" => time(), "type" => GOTMLS_htmlentities($_REQUEST["scan_type"]))));
1038
  echo GOTMLS_box($lt.'div id="GOTMLS_scan_dir" style="float: right;"'.$gt.'&nbsp;('.$GLOBALS["GOTMLS"]["log"]["scan"]["dir"].")&nbsp;$lt/div$gt".__("Scan Details:",'gotmls'), $scan_groups_UL);
1070
  if ($_REQUEST["scan_type"] == "Quick Scan")
1071
  echo GOTMLS_update_status(__("Completed!",'gotmls'), 100);
1072
  else {
1073
+ // echo GOTMLS_update_status(__("Starting Scan ...",'gotmls'));
1074
+ if (isset($GLOBALS["GOTMLS"]["log"]["settings"]["check"]) && is_array($GLOBALS["GOTMLS"]["log"]["settings"]["check"]) && in_array("db_scan", $GLOBALS["GOTMLS"]["log"]["settings"]["check"])) {
1075
+ $DB_scan_JS = "'db_scan', ";
1076
+ echo GOTMLS_return_threat("dirs", "wait", "db_scan").GOTMLS_update_status(__("Starting Database Scan ...",'gotmls'));
1077
+ GOTMLS_flush('script');
1078
+ } else {
1079
+ $DB_scan_JS = "";
1080
+ echo GOTMLS_update_status(__("Starting File Scan of ".count($GLOBALS["GOTMLS"]["tmp"]["scanfiles"])." folders ...",'gotmls'));
1081
+ GOTMLS_flush('script');
1082
+ }
1083
+ echo "/*--{$gt}*"."/\nvar scriptSRC = '".admin_url('admin-ajax.php?action=GOTMLS_scan&'.GOTMLS_set_nonce(__FUNCTION__."1087").'&mt='.$GLOBALS["GOTMLS"]["tmp"]["mt"].preg_replace('/\&(GOTMLS_scan|mt|GOTMLS_mt|action)=/', '&last_\1=', isset($_SERVER["QUERY_STRING"])&&strlen($_SERVER["QUERY_STRING"])?"&".$_SERVER["QUERY_STRING"]:"").'&GOTMLS_scan=')."';\nvar scanfilesArKeys = new Array($DB_scan_JS'".implode("','", array_keys($GLOBALS["GOTMLS"]["tmp"]["scanfiles"]))."');\nvar scanfilesArNames = new Array(".str_replace("db_scan", "Scanning Database ...", $DB_scan_JS)."'Scanning ".implode("','Scanning ", $GLOBALS["GOTMLS"]["tmp"]["scanfiles"])."');".'
1084
  var scanfilesI = 0;
1085
  var stopScanning;
1086
  var gotStuckOn = "";
1141
  $ajaxURL = admin_url("admin-ajax.php?action=GOTMLS_logintime&GOTMLS_sess=");
1142
  echo '<input type="hidden" name="sess_id" value="'.substr($sess, 4).'"><input type="hidden" id="offset_id" value="0" name="sess'.substr($sess, 4).'"><script type="text/javascript">'."\nvar GOTMLS_login_offset = new Date();\nvar GOTMLS_login_script = document.createElement('script');\nGOTMLS_login_script.src = '$ajaxURL'+GOTMLS_login_offset.getTime();\n\ndocument.head.appendChild(GOTMLS_login_script);\n</script>\n";//GOTMLS_login_script.onload = set_offset_id();
1143
  }
1144
+ if (defined("GOTMLS_REQUEST_METHOD"))
1145
+ add_action("login_form", "GOTMLS_login_form");
1146
 
1147
  function GOTMLS_ajax_logintime() {
1148
  @header("Content-type: text/javascript");
1180
 
1181
  function GOTMLS_set_plugin_row_meta($links_array, $plugin_file) {
1182
  if ($plugin_file == substr(str_replace("\\", "/", __FILE__), (-1 * strlen($plugin_file))) && strlen($plugin_file) > 10)
1183
+ $links_array = array_merge($links_array, array('<a target="_blank" href="'.GOTMLS_plugin_home.'faqs/">FAQ</a>','<a target="_blank" href="'.GOTMLS_plugin_home.'support/">Support</a>','<a target="_blank" href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE"><span style="font-size: 20px; height: 20px; width: 20px;" class="dashicons dashicons-heart"></span>Donate</a>'));
1184
  return $links_array;
1185
  }
1186
  add_filter("plugin_row_meta", "GOTMLS_set_plugin_row_meta", 1, 2);
1525
  die("\n$script_form".admin_url('admin-ajax.php?'.GOTMLS_set_nonce(__FUNCTION__."1779")).'" onsubmit="return confirm(\''.__("Are you sure you want to delete the record of this file from the quarantine?",'gotmls').'\');"><input type="hidden" name="GOTMLS_fix[]" value="'.$Q_post["ID"].'"><input type="hidden" name="GOTMLS_fixing" value="2"><input type="hidden" name="action" value="GOTMLS_fix"><input type="submit" value="DELETE from Quarantine" style="background-color: #C00; float: right;"></form><div id="fileperms" class="shadowed-box rounded-corners" style="display: none; position: absolute; left: 8px; top: 29px; background-color: #ccc; border: medium solid #C00; box-shadow: -3px 3px 3px #666; border-radius: 10px; padding: 10px;"><b>File Details</b><br />size: '.strlen(GOTMLS_htmlspecialchars($GLOBALS["GOTMLS"]["tmp"]["file_contents"])).' bytes<br />infected:'.$Q_post["post_modified_gmt"].'<br />encoding: '.(isset($GLOBALS["GOTMLS"]["tmp"]["encoding"])?$GLOBALS["GOTMLS"]["tmp"]["encoding"]:(function_exists("mb_detect_encoding")?mb_detect_encoding($GLOBALS["GOTMLS"]["tmp"]["file_contents"]):"Unknown")).'<br />quarantined:'.$Q_post["post_date_gmt"].'</div><div style="overflow: auto;"><span onmouseover="document.getElementById(\'fileperms\').style.display=\'block\';" onmouseout="document.getElementById(\'fileperms\').style.display=\'none\';">'.__("File Details:",'gotmls').'</span> ('.$fa.' )</div></td></tr><tr><td style="height: 100%"><textarea id="ta_file" style="width: 100%; height: 100%">'.GOTMLS_htmlentities(str_replace("\r", "", $GLOBALS["GOTMLS"]["tmp"]["file_contents"])).'</textarea></td></tr></table>');
1526
  } else
1527
  die(GOTMLS_html_tags(array("html" => array("body" => __("This record no longer exists in the quarantine.",'gotmls')."<br />\n<script type=\"text/javascript\">\nif (typeof window.parent.showhide === 'function') window.parent.showhide('GOTMLS_iFrame', true);\n</script>"))));
1528
+ } elseif (substr($_GET["GOTMLS_scan"]."1234567", 0, 7) == "db_scan") {
1529
+ @header("Content-type: text/javascript");
1530
+ if (isset($_GET["GOTMLS_only_file"])) {
1531
+ if (strlen($_GET["GOTMLS_only_file"])) {
1532
+ echo '//re-db_scan: '.md5($_GET["GOTMLS_only_file"]).date(" Y-m-d H:i:s\n");
1533
+ die(GOTMLS_db_scan().'//END OF JavaScript');
1534
+ } else {
1535
+ echo '//re-db_scan: all'.date(" Y-m-d H:i:s\n");
1536
+ if (isset($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"]) && is_array($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"])) {
1537
+ foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"] as $file => $regx) {
1538
+ $path = "db_scan=$file";
1539
+ echo "/*-->*"."/\nscanfilesArKeys.push('db_scan&GOTMLS_only_file=".GOTMLS_encode($file)."');\nscanfilesArNames.push('Re-Checking ".GOTMLS_strip4java(str_replace("db_scan", "Database", str_replace("db_scan=", "Database for ", $path)))."');\n/*<!--*"."/".GOTMLS_return_threat("dirs", "wait", $path);
1540
+ }
1541
+ }
1542
+ die(GOTMLS_return_threat("dir", "question", "db_scan").GOTMLS_update_status(__("Re-Starting Database Scan ...",'gotmls'))."/*-->*"."/\nscanNextDir(-1);\n/*<!--*"."/");
1543
+ }
1544
+ } else {
1545
+ echo '//db_scan: '.date("Y-m-d H:i:s\n");
1546
+ die(GOTMLS_db_scan().'//END OF JavaScript');
1547
+ }
1548
  } else {
1549
  $file = GOTMLS_decode($_GET["GOTMLS_scan"]);
1550
  if (is_numeric($file))
1551
  die("\n$script_form".GOTMLS_db_scan($file));
1552
+ elseif (substr($file."1234567", 0, 7) == "db_scan") {
1553
+ @header("Content-type: text/javascript");
1554
+ if (isset($_GET["GOTMLS_only_file"])) {
1555
+ if (strlen($_GET["GOTMLS_only_file"])) {
1556
+ echo '//encoded re-db_scan: '.md5($_GET["GOTMLS_only_file"]).date(" Y-m-d H:i:s\n");
1557
+ die(GOTMLS_db_scan().'//END OF JavaScript');
1558
+ } else {
1559
+ echo '//encoded re-db_scan: all'.date(" Y-m-d H:i:s\n");
1560
+ if (isset($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"]) && is_array($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"])) {
1561
+ foreach ($GLOBALS["GOTMLS"]["tmp"]["definitions_array"]["db_scan"] as $file => $regx) {
1562
+ $path = "db_scan=$file";
1563
+ echo "/*-->*"."/\nscanfilesArKeys.push('".GOTMLS_encode($dir)."&GOTMLS_only_file=".GOTMLS_encode($file)."');\nscanfilesArNames.push('Re-Checking ".GOTMLS_strip4java(str_replace("db_scan", "Database", str_replace("db_scan=", "Database for ", $path)))."');\n/*<!--*"."/".GOTMLS_return_threat("dirs", "wait", $path);
1564
+ }
1565
+ }
1566
+ echo GOTMLS_return_threat("dir", "question", "db_scan").GOTMLS_update_status(__("Re-Starting Encoded Database Scan ...",'gotmls'))."/*-->*"."/\nscanNextDir(-1);\n/*<!--*"."/";
1567
+ }
1568
+ } else {
1569
+ echo '//encoded db_scan: but no GOTMLS_only_file'.date("Y-m-d H:i:s\n");
1570
+ die(GOTMLS_db_scan().'//END OF JavaScript');
1571
+ }
1572
+ } elseif (is_dir($file)) {
1573
  @error_reporting(0);
1574
  @header("Content-type: text/javascript");
1575
  if (isset($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]) && is_array($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["exclude_ext"]))
readme.txt CHANGED
@@ -5,10 +5,10 @@ Author URI: http://wordpress.ieonly.com/category/my-plugins/anti-malware/
5
  Contributors: scheeeli, gotmls
6
  Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE
7
  Tags: security, firewall, anti-malware, scanner, automatic, repair, remove, malware, virus, threat, hacked, malicious, infection, timthumb, exploit, block, brute-force, wp-login, patch, antimalware, revslider, Revolution Slider
8
- Version: 4.18.76
9
- Stable tag: 4.18.76
10
  Requires at least: 3.3
11
- Tested up to: 5.2.2
12
 
13
  This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.
14
 
@@ -16,10 +16,10 @@ This Anti-Malware scanner searches for Malware, Viruses, and other security thre
16
 
17
  **Features:**
18
 
 
19
  * Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.
20
  * Firewall block SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilites.
21
  * Upgrade vulnerable versions of timthumb scripts.
22
- * Download Definition Updates to protect against new threats.
23
 
24
  **Premium Features:**
25
 
@@ -27,8 +27,6 @@ This Anti-Malware scanner searches for Malware, Viruses, and other security thre
27
  * Check the integrity of your WordPress Core files.
28
  * Automatically download new Definition Updates when running a Complete Scan.
29
 
30
- Updated June 24th
31
-
32
  Register this plugin at [GOTMLS.NET](http://gotmls.net/) and get access to new definitions of "Known Threats" and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for "Potential Threats" and leaves it up to you to identify and remove the malicious ones.
33
 
34
  NOTICE: This plugin make call to GOTMLS.NET to check for updates not unlike what WordPress does when checking your plugins and themes for new versions. Staying up-to-date is an essential part of any security plugin and this plugin can let you know when there are new plugin and definition update available. If you're allergic to "phone home" scripts then don't use this plugin (or WordPress at all for that matter).
@@ -74,7 +72,7 @@ First just leave it for a while. If there are a lot of files on your server it c
74
 
75
  = How did I get hacked in the first place? =
76
 
77
- First, don't take the attack personally. Lots of hackers routinely run automated script that crawl the internet looking for easy targets. Your site probably got hacked because you are unknowingly an easy target. This might be because you are running an older version of WordPress or have installed a Plugin or Theme with a backdoor or known security vulnerability. However, the most common type of infection I see is cross-conamination. This can happen when your site is on a shared server with other exploitable sites that got infected. In most shared hosting environments it's possible for hackers to use an one infected site to infect other sites on the same server, sometimes even if the sites are on different accounts.
78
 
79
  = What can I do to prevent it from happening again? =
80
 
@@ -94,6 +92,14 @@ sucuri.net caches their scan results and will not refresh the scan until you cli
94
 
95
  == Changelog ==
96
 
 
 
 
 
 
 
 
 
97
  = 4.18.76 =
98
  * Cleaned up the Nonce Token creation and storage functions.
99
  * Cleaned up View Quarantine page and fixed recovery link.
@@ -381,6 +387,9 @@ sucuri.net caches their scan results and will not refresh the scan until you cli
381
 
382
  == Upgrade Notice ==
383
 
 
 
 
384
  = 4.18.76 =
385
  Cleaned up the Nonce Token code and Quarantine page, fixed recovery link, and added debugging for login errors plus WP head and footer Hooks.
386
 
5
  Contributors: scheeeli, gotmls
6
  Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QZHD8QHZ2E7PE
7
  Tags: security, firewall, anti-malware, scanner, automatic, repair, remove, malware, virus, threat, hacked, malicious, infection, timthumb, exploit, block, brute-force, wp-login, patch, antimalware, revslider, Revolution Slider
8
+ Version: 4.19.44
9
+ Stable tag: 4.19.44
10
  Requires at least: 3.3
11
+ Tested up to: 5.3
12
 
13
  This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.
14
 
16
 
17
  **Features:**
18
 
19
+ * Download Definition Updates to protect against new threats.
20
  * Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.
21
  * Firewall block SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilites.
22
  * Upgrade vulnerable versions of timthumb scripts.
 
23
 
24
  **Premium Features:**
25
 
27
  * Check the integrity of your WordPress Core files.
28
  * Automatically download new Definition Updates when running a Complete Scan.
29
 
 
 
30
  Register this plugin at [GOTMLS.NET](http://gotmls.net/) and get access to new definitions of "Known Threats" and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for "Potential Threats" and leaves it up to you to identify and remove the malicious ones.
31
 
32
  NOTICE: This plugin make call to GOTMLS.NET to check for updates not unlike what WordPress does when checking your plugins and themes for new versions. Staying up-to-date is an essential part of any security plugin and this plugin can let you know when there are new plugin and definition update available. If you're allergic to "phone home" scripts then don't use this plugin (or WordPress at all for that matter).
72
 
73
  = How did I get hacked in the first place? =
74
 
75
+ First, don't take the attack personally. Lots of hackers routinely run automated script that crawl the internet looking for easy targets. Your site probably got hacked because you are unknowingly an easy target. This might be because you are running an older version of WordPress or have installed a Plugin or Theme with a backdoor or known security vulnerability. However, the most common type of infection I see is cross-contamination. This can happen when your site is on a shared server with other exploitable sites that got infected. In most shared hosting environments it's possible for hackers to use an one infected site to infect other sites on the same server, sometimes even if the sites are on different accounts.
76
 
77
  = What can I do to prevent it from happening again? =
78
 
92
 
93
  == Changelog ==
94
 
95
+ = 4.19.44 =
96
+ * Updated links to use HTTPS by default and fixed some old URLs.
97
+ * Various performance improvements.
98
+ * Added more error handling to the DB Scan.
99
+ * Fixed a few minor bugs causing PHP Notices.
100
+ * Fixed a path search to work on Windows servers.
101
+ * Tweaked code for compatibility with WP 5.3 (latest release).
102
+
103
  = 4.18.76 =
104
  * Cleaned up the Nonce Token creation and storage functions.
105
  * Cleaned up View Quarantine page and fixed recovery link.
387
 
388
  == Upgrade Notice ==
389
 
390
+ = 4.19.44 =
391
+ Updated links, added more error handling to the DB Scan, various performance improvements, fixed path to work on Windows servers and a few minor bugs causing PHP Notices, and weaked code for compatibility with WP 5.3 (latest release).
392
+
393
  = 4.18.76 =
394
  Cleaned up the Nonce Token code and Quarantine page, fixed recovery link, and added debugging for login errors plus WP head and footer Hooks.
395
 
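--- a/safe-load/wp-login.php
+++ b/safe-load/wp-login.php
@@ -35,7 +35,7 @@ if ((GOTMLS_REQUEST_METHOD == "POST") && isset($_POST["log"]) && isset($_POST["p
  $GOTMLS_LOGIN_ARRAY = array("ADDR"=>(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:"REMOTE_ADDR"), "AGENT"=>(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:"HTTP_USER_AGENT"), "TIME"=>GOTMLS_INSTALL_TIME);
  $GOTMLS_LOGIN_KEY = md5(serialize($GOTMLS_LOGIN_ARRAY));
  if (!defined("GOTMLS_LOG_FILE"))
- define("GOTMLS_LOG_FILE", dirname(GOTMLS_SESSION_FILE)."/.GOTMLS.$GOTMLS_LOGIN_KEY.php");
+ define("GOTMLS_LOG_FILE", dirname(GOTMLS_SESSION_FILE)."/GOTMLS.$GOTMLS_LOGIN_KEY.php");
  if (is_file(GOTMLS_LOG_FILE))
  include(GOTMLS_LOG_FILE);
  if (GOTMLS_REQUEST_METHOD == "POST")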
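Review bot: Changing the log filename from `/.GOTMLS.$GOTMLS_LOGIN_KEY.php` to `/GOTMLS.$GOTMLS_LOGIN_KEY.php` leaves any previously written `.GOTMLS.<key>.php` files in `dirname(GOTMLS_SESSION_FILE)` unreferenced, and nothing in this hunk reads or removes them, so per-visitor state from older versions is silently dropped and the old files linger on disk. The new line also deserves a comment, since the reason for dropping the leading dot is not visible here and the next line executes the file as PHP via `include()`; something like `// Per-visitor login log; it is include()d as PHP below, so only trusted, pre-escaped content may ever be written to it.` would make the contract explicit to whoever maintains the writer. If a migration is intended, a one-time check for the old dotted name (with the same `is_file()` guard) before the `define()` would be the natural place. The enclosing `if ((GOTMLS_REQUEST_METHOD == "POST") && isset($_POST["log"]) ...` block begins before this hunk, so the conditions under which this code runs are not visible here.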