• julianm

    (@julianm)


    Wasn’t able to detect malware on a compromised WordPress website. Nothing complicated or complex, just the usual code injection.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter julianm

    (@julianm)

    Hello! There was a malicious JavaScript snippet in the theme’s header.php template. The file didn’t show specifically in the scan results, as it seems the plugin doesn’t do any local scanning, but the code would have been included by all public WordPress pages. I think the plugin has potential, but as is, it is kind of limited in what it’s able to detect – for example, .htaccess files are excluded, and also conditional redirects, if there is no local scanning.

    Apologies if my review seems negative. These were just my thoughts. If there’s anything I can do to help, please give me a shout.

    Thread Starter julianm

    (@julianm)

    Unfortunately, I’ve already cleaned the site, and the exploits were deleted, but I will email you the site address. Since I have absolutely no association with the website, only that the client asked me to remove the malware, I’d prefer not to post the address publicly.

    I’m dealing with a lot of infected sites as of recently, though, and since you seem genuinely interested in feedback, I’m willing to give this plugin another go. Having said that, most of the infected sites I’m seeing are Joomla sites; not a lot of WordPress sites.

    Thread Starter julianm

    (@julianm)

    Here is another compromised WordPress site that Quttera flagged as clean:
    http://goo.gl/hTbdj

    This is the source code:
    http://pastebin.com/XvaFwxKs

    Plugin Author quttera

    (@quttera)

    Hi Julian,

    Thank you for your information!

    Decoding showed nothing – string: “<style undefined>.nemonn{position:absolute;top:-9999px}</style>”

    I’m trying to understand what exactly did the plugin miss? The “pharma-related” words/links?

    Thread Starter julianm

    (@julianm)

    Hi! Yes, that’s what the JavaScript inserts into the page, and it effectively hides the <p> element with class “nemonn” (the pharma-related link spam) from regular users. It is visible to search engines, though, and this malware will have a lot of negative impacts on an infected website.

    The JavaScript snippet is well known as malware, especially the function name “xViewState”. There’s some more info here:

    http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html
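
Added example, not part of the thread and not the plugin's code: one way a scanner could connect the decoded style string quoted above with the link-bearing element it hides, so that the decode result is not judged on its own. All function and variable names are hypothetical, the sample page is constructed, and the check generalises beyond `top` to `left` and `text-indent` offsets.

```python
import re
from html.parser import HTMLParser

RULE = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{([^}]*)\}")            # .class { declarations }
OFFSCREEN = re.compile(r"(?:top|left|text-indent)\s*:\s*-\d{3,}", re.I)  # e.g. top:-9999px
VOID = {"br", "hr", "img", "input", "link", "meta"}                # tags with no end tag

def offscreen_classes(text):
    """Class names whose CSS rule pushes the element at least 100 units off screen."""
    return {name for name, body in RULE.findall(text) if OFFSCREEN.search(body)}

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of links that sit inside an element carrying a hidden class."""
    def __init__(self, classes):
        super().__init__()
        self.classes, self.inside, self.tag, self.depth = classes, None, None, 0
        self.hits = {}                                   # class name -> [href, ...]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.inside is None:
            match = self.classes & set((attrs.get("class") or "").split())
            if not match or tag in VOID:
                return
            self.inside, self.tag, self.depth = sorted(match)[0], tag, 0
        if tag == self.tag:
            self.depth += 1                              # nested tag of the same name
        if tag == "a" and attrs.get("href"):
            self.hits.setdefault(self.inside, []).append(attrs["href"])

    def handle_endtag(self, tag):
        if self.inside is not None and tag == self.tag:
            self.depth -= 1
            if self.depth == 0:
                self.inside = None

def find_hidden_link_spam(html, decoded_strings=()):
    """Map each off-screen class to the links it hides; {} means nothing to report."""
    # decoded_strings: whatever the scanner's script deobfuscation step produced
    classes = offscreen_classes(html).union(*map(offscreen_classes, decoded_strings))
    finder = HiddenLinkFinder(classes)
    finder.feed(html)
    return finder.hits

# Constructed sample page; the decoded string is the one quoted in the thread.
PAGE = ('<style>.sr-only{position:absolute;left:-9999px}</style>'
        '<span class="sr-only">Skip to content</span>'
        '<p class="nemonn"><a href="http://pharma.example/pills">cheap pills</a></p>')
DECODED = "<style undefined>.nemonn{position:absolute;top:-9999px}</style>"
```

The legitimate off-screen `sr-only` span is not reported because it contains no links; only the class that both hides content and wraps anchors is flagged.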

    Plugin Author quttera

    (@quttera)

    I will open a bug for our development team to fix it ASAP.
    Again, thanks a lot for your feedback. Any new samples will be appreciated …

  • The topic ‘Wasn't able to detect malware on a compromised WordPress website’ is closed to new replies.