Hi,
Did you make a backup that you can restore from? Here is how we recommend cleaning a hacked site:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Thanks,
Brian
Yes, I have backups, but are you guys working on a clean for this code? I have been using the free version to test things out. I want to upgrade, but I wonder how this kind of thing still gets through with WF installed. And when I do clean the files using your plugin, the site crashes and burns. Some of the malicious code does not give the option to restore to the original file, only to delete it. When I do, the site crashes.
I’ve sent the code off to our development team to investigate. Thanks for bringing it to our attention. It’s reports like yours that help us keep on top of an ever-changing security landscape.
-Brian
@mike would you mind giving us a filename or a location or something? The problem is that sometimes custom plugins use obfuscation of their code to “protect” their licenses or proprietary information. Regardless of whether it is a good idea or not, it is not something that WordPress allows in their rules for plugins in the wordpress.org repository (https://wordpress.org/plugins/about/guidelines/ see item number 4). We search for patterns and signatures of malware our researchers find ‘in the wild’ as well as ones that are submitted by users like you. Much like anti-virus software, all anti-malware programs are reactionary by nature. There is always the first infection that kicks it all off. As much as we would appreciate it if hackers, script kiddies, and exploiters would write the same code for us all the time, it’s a constantly changing and evolving landscape.
There could be several reasons for the file to get flagged. You might have been running scans on High Sensitivity mode, which warns you that false positives might be found. You may have picked this plugin up from a paid site like wpmudev (just an example, I have used things from there before too) that does not have code in the repository (easy to download a fresh copy and verify it or replace with the clean copy), etc. We let you make the call on the things we find because ultimately we’d much rather alert you to a false positive than miss something bad.
As Brian said, the code will be submitted. Please email the whole file to samples [at] wordfence.com
Thanks
tim
If one of you can give me an email address I will give you access to a site of mine that has been clean for a few weeks and then WF started notifying me of infected files. Your people can peruse all you want.
I’m having a very similar problem. The first time it happened it was repairable and I deleted an extra account that showed up with admin privs. Now it’s showing over 660+ files with malicious code with only the delete options. I’m wondering if the repair catches everything or not. I emailed you guys the log of the scan. Hopefully that helps.
I am getting that same code strtolower($sF[4].$sF[5].$sF[9]. I delete the files and it makes my site unusable. Have you all found a fix for this?
av-incare: Some of the files identified in scans may have been added, but others are real parts of WordPress or your plugins. If you have removed a file that WordPress needed, the best way to fix it is to get a copy from your latest backup.
If you don’t have a backup, and if the file was in a plugin, you can rename the plugin’s directory, to disable it temporarily, then log into the site and reinstall the plugin.
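Added example, not part of the thread and not Wordfence's code: a small triage script that lists PHP files containing the fragment quoted above and shows whether each file also holds other code, which is the case where deleting the file breaks the site and a clean copy should be restored instead. The regex (a generalisation of the quoted fragment), the "other lines" heuristic and the sample file names are assumptions of this example.

```python
import re
import sys
import tempfile
from pathlib import Path

# Generalises the fragment quoted in the thread, strtolower($sF[4].$sF[5].$sF[9]:
# strtolower( applied to two or more concatenated array elements. This regex is an
# assumption of the example, not a Wordfence signature.
PATTERN = re.compile(rb"strtolower\s*\(\s*\$\w+\[\d+\](?:\s*\.\s*\$\w+\[\d+\])+")
PHP_TAGS = (b"", b"<?php", b"?>")

def scan_tree(root):
    """Return one finding per .php file under root that contains PATTERN."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        match = PATTERN.search(data)
        if match is None:
            continue
        hit = data.count(b"\n", 0, match.start()) + 1  # 1-based line of the match
        lines = data.splitlines()
        # Heuristic: non-empty lines other than the matching one suggest a real file
        # that was modified, so restore a clean copy instead of deleting it.
        other = sum(1 for n, text in enumerate(lines, 1)
                    if n != hit and text.strip() not in PHP_TAGS)
        findings.append({"path": path.relative_to(root).as_posix(), "line": hit,
                         "total_lines": len(lines), "other_lines": other})
    return findings

def build_sample(root):
    """Constructed, inert sample tree: one clean, one modified, one standalone file."""
    root = Path(root)
    (root / "wp-includes").mkdir()
    marker = b'<?php $sF = "constructed"; $f = strtolower($sF[4].$sF[5].$sF[9]); ?>\n'
    (root / "wp-includes" / "clean.php").write_bytes(b"<?php\necho strtolower($name);\n")
    (root / "wp-includes" / "modified.php").write_bytes(marker + b"<?php\nfunction real_code() {}\n")
    (root / "dropped.php").write_bytes(marker)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_sample(tmp)
        for f in scan_tree(target):
            advice = "restore from clean copy" if f["other_lines"] else "review, then delete"
            print(f'{f["path"]}:{f["line"]} ({f["total_lines"]} lines) -> {advice}')
```

Run it with the WordPress directory as the only argument; with no argument it scans the constructed sample tree.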