Viewing 15 replies - 1 through 15 (of 34 total)
  • Thread Starter ewodrich

    (@ewodrich)

    I neglected to mention, I did have the Wordfence option checked to search theme and plugin files.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the report. Were you able to find code in any of the theme files before reinstalling the theme? If so, can you send a copy of the file to samples [at] wordfence.com and include a link to this post?

    If not, there may still be other files outside of the theme that were causing the issue — some hacks hide themselves using cookies, time of day, or other methods, so the links may come back again or may still be displayed to other visitors.

    The Divi theme would be scanned for known malicious patterns (which are pretty extensive), since the theme’s code is not available on wordpress.org for comparison to the original files.

    You may want to try additional Wordfence scan options, such as high sensitivity scanning, mentioned in our guide to cleaning hacked sites, here — this could help find any other files that would let the attacker back in, if there are any:
    Cleaning a hacked site with Wordfence

    Remember also to change any passwords related to the site — sometimes hacks like this can be caused by a hosting account or FTP password being compromised.

    Thread Starter ewodrich

    (@ewodrich)

    Awesome – I’m grateful for the quick response. I’ve just emailed off the file (now called header.old) to the address you specified. I will definitely try the scan option you suggested. This being our 3rd attack in a short time, I am leery that we’ve gotten it all, but hopefully our comprehensive password changes will help.

    Plugin Author WFMattR

    (@wfmattr)

    Great, thank you also for sending the file! Let us know if you have questions on anything that comes up in the scan. There can be false positives using the high sensitivity option, that you might need to investigate to see if they are actually malicious.

    Thread Starter ewodrich

    (@ewodrich)

    I must have not gotten to the root of the problem as it showed up again this morning. The problem was the same but the file size was different so I shot it over to your samples email.

    Plugin Author WFMattR

    (@wfmattr)

    Sorry to hear that it hasn’t been completely cleaned yet. Thanks for sending the new sample file. Let us know if you need help identifying any issues in different files with the high sensitivity option in Wordfence, too.

    I’m facing the same problem with the site teaserguide.com. Wordfence didn’t detect it. I’ve found 12 instances of the following code in header.php:

    [ Malware deleted ]

    Plugin Author WFMattR

    (@wfmattr)

    arsilveira: Thanks for the report — if you can also send a copy of the header.php file to samples [at] wordfence.com, and include a link to this post, we will check it out.

    It would be a good idea to follow the guide mentioned above:
    Cleaning a hacked site with Wordfence
    Make sure especially that all themes and plugins are up to date, and to change all passwords that are associated with the site.

    The same problem here: a week ago I deleted the script from header.php, but last night it showed up again. Maybe we can compare the plugins we are using? The weird thing is that header.php doesn’t even change its modification time.

    Thread Starter ewodrich

    (@ewodrich)

    rolyv – I noticed that with mine too, but thought the virus might have been there and not done anything for a few days. The header files in our 3 instances (we run 3 sites) were each changed but the last modified time was the same as the other files in the directory – all of which I’d recently updated. I’ve been going through FTP and checking file size each day to make sure it hasn’t changed as a precaution. So far we’ve been clean for 3 days.

    I did the same… Another thing is that an “image.php” file appeared in the root of the theme with code like content-image.php, but I’m pretty sure it doesn’t belong there (compared with my localhost). I hope this gets a solution soon!

    Plugin Author WFMattR

    (@wfmattr)

    Can you tell me the themes and plugins you are all running, and if you are on the current version of WordPress core, or an older version? If you don’t want to post the lists here, you can email me the list at: mattr (at) wordfence.com

    To help in cleaning your site, make sure WordPress is up to date, and that all of your plugins and themes are up to date (even inactive plugins and themes). If you have old themes or plugins that you don’t plan to use again, it is best to remove them. If you didn’t already do that before using the “cleaning a hacked site” link above, it would be best to go through the process again.

    Our dev team also identified that there may be two related files — if you run another Wordfence scan without finding new issues, and can find these in your folders, please also send these to samples (at) wordfence.com

    /wp-content/languages/plugins/ajax.php
    /wp-content/languages/themes/start92.php

    If you are on shared hosting, you may also want to check your file permissions, to make sure that other sites cannot write to your site’s folders. Your hosting company can help, if you are not sure how to do that yourself.
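
Several posters above report header.php changing while its modification time stayed the same, a stray image.php appearing in the theme folder, and advice to check for folders other accounts can write to. The following is an added example, not part of the original thread and not Wordfence code: it compares a content-hash baseline of a theme directory instead of trusting timestamps or file size, and lists world-writable paths. The function names and the sample files created in `demo()` are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return (modified, added, removed) paths, judged by content hash only."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def world_writable(root):
    """Paths under root that any local account may write to (shared-hosting risk)."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed sample: header.php is altered but keeps its old mtime."""
    with tempfile.TemporaryDirectory() as theme:
        header = os.path.join(theme, "header.php")
        with open(header, "w") as fh:
            fh.write("<?php wp_head(); ?>\n")
        baseline = snapshot(theme)          # taken while the theme is known clean
        before = os.stat(header)
        with open(header, "a") as fh:
            fh.write("<!-- constructed placeholder for injected markup -->\n")
        os.utime(header, ns=(before.st_atime_ns, before.st_mtime_ns))  # timestamp unchanged
        with open(os.path.join(theme, "image.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for an unexpected file\n")
        same_mtime = os.stat(header).st_mtime_ns == before.st_mtime_ns
        return compare(baseline, snapshot(theme)), same_mtime

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server account cannot write, otherwise whoever can alter header.php can alter the baseline too.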

    Thread Starter ewodrich

    (@ewodrich)

    Matt, I’m so grateful you are looking into this. It’s reassuring.

    I’ve emailed you the details, but for the sake of anyone who might be following along, we have 3 websites, 2 using DIVI (child) and one using twenty-thirteen (child). Only the site using twenty-thirteen had a wp-content languages directory and I’ve sent the 2 files in question as requested.

    Between the 3 sites we use the following plugins:
    WooCommerce
    Meteor Slides
    Meta Slides
    Wordfence
    Akismet
    Our Team Enhanced

    Plugin Author WFMattR

    (@wfmattr)

    ewodrich: Thanks so much — I will see if I can find out anything more in the meantime.

    arsilveira and rolyv, if you can post (or email) your list of plugins as well, we can see if there is anything common, especially since this list is pretty small.

    Hello Matt, thank you for caring about this. Like ewodrich, I’m using a customized Twenty Thirteen theme (v 1.5). I know there’s a new version (1.6), but I’ve personalized the current version so much that I’m afraid updating would mess it up.

    The plugins I’m using are:

    Advanced Text Widget
    Akismet
    Categories Images
    Custom fields display
    Facebook Open Graph, Google+ and Twitter Card Tags
    Flexible Posts Widget
    NextGEN Gallery by Photocrati
    NS Featured Posts
    Post Types Order
    WordPress Popular Posts
    WordPress Related Posts
    WP-PageNavi
    WP-PostRatings
    WP No Category Base
    WP Super Cache

    I did not find the languages files in question.

  • The topic ‘Virus not found in Wordfence’ is closed to new replies.