Do you know if this is malicious?

  • Resolved Momshof

    (@momshof)


    I am hoping you may know what this code is & if I should remove it. I was working in my site (not live yet) and noticed the text in one of my blurbs was askew. I went in to look at it & under the text area (did not show in Visual) I found this:

    <div id="spoon-plugin-kncgbdglledmjmpnikebkagnchfdehbm-2" style="display: none;"></div>

    I have no idea what this is or where it came from. I don’t know what a spoon-plugin is – if one of my plugins is using this for something & has gone wonky adding it to all kinds of things or if my site has been infected.

    I ran a complete scan with the Anti-Malware from GOTMLS.NET plugin & nothing came back – there were just a few that were listed under the “suspicious” category – the ones to check if your site has been infected but nothing else showed up. My site seems to be working ok – just this has been added numerous places & I do not know why. The only reason I noticed it was because my text had gone askew & I happened to look in text not only visible in my divi module text area.

    I also installed & used a search & replace plugin to see where it was on my site – using a dry run – and it reported it found this string in:

    Table                                 Changes Found
    wp_em_events                          34
    wp_postmeta                           9
    wp_posts                              473
    wp_sabai_entity_field_content_body    24
    wp_sabai_entity_fieldcache            4
    wp_usermeta                           1

    The plugin did not provide any further details.

    I have over 3000 events in my site with events manager – so it looks like this string is somewhere in 34 of them? I thought events manager events were posts so this confuses me showing wp posts separate. I don’t have many more posts besides the events. But anyway – I am at a loss. Should I go ahead and try to use the search & replace plugin to replace this string with nothing – try leaving the replace box empty to see if it will remove it? Might it be used by one of my other plugins and that plugin has gone wonky?

    Someone mentioned to me this was just a placeholder – but for what? How do I find what this is holding a place for? If this is malicious – can your plugin get rid of it & whatever is at its root?

    Thanks for any assistance/guidance you can provide.

    https://wordpress.org/plugins/gotmls/

  • Plugin Author Eli

    (@scheeeli)

    I don’t see what harm a hidden div would do if it is in fact empty. Was there no JavaScript to go with it? Do you have anything called spoon-plugin installed on your site?
    You may also want to check your PC for viruses just to make sure your browser is not adding that stuff to your posts when you are working on your content.

    Hi Eli – I do not know how to check for JavaScript with the string. That is beyond my knowledge base at this time.

    I don’t know what a spoon-plugin is. None of my plugins have that type of name either.

    I did check my pc – it is ok.

    I am worried that while this may be a placeholder – how is it getting inserted & can it be a delayed thing where it will end up sending my users to a malicious site, adding malicious content to their computer or trying to get their info (I have a paying site).

    Thanks for your input.

    Plugin Author Eli

    (@scheeeli)

    Yes, it could be a placeholder that is only populated under certain conditions. It is troubling to not know where it came from and how it got there. I think you should remove it wherever you find it and also look for any explanation as to how it got there.

    If it keeps coming back then you have an opportunity to further investigate possible sources. Are there any other admins on this site?

    Maybe you want to change your DB_PASSWORD and restrict all other access to your site until you get this under control.

    I’ve found that this code was inserted by a Chrome extension. Check your Chrome extensions, especially anything you use for RSS automation or submitting links to websites.

    Hey, I got the same problem, I reset Chrome (no extension now) but have that code inserted everywhere in WordPress and can’t delete it. Anyone else?

    I was able to delete the code the Chrome ext was putting in. I was using the Divi theme. The code was just in the modules where I could get to it.

    You might try a search and remove plugin – search for the exact string of code and when it is found let it remove it. BUT those plugins are very scary to me – I am still pretty much a newbie. I have only ever used one to remove an old domain and change it to a new domain – I had a lot of extra work to do as it removed some other stuff too.

    This is the “Turbo VM” Chrome extension from spoon.net

    Turbo VM Extension injecting code
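
A dry-run cleaner for the search-and-remove step discussed in this thread, as an added example that is not code from any poster or from the GOTMLS plugin: it removes only the empty hidden spoon-plugin div and rewrites PHP-serialized string lengths so values such as those in wp_postmeta stay loadable. It assumes rows have been exported as (table, value) pairs; the function names and sample rows are constructed for illustration.

```python
import re

# Straight quotes plus the typographic ones WordPress may have stored.
Q = r'["\u201c\u201d\u2033]'
# Only the EMPTY hidden div is matched; Chrome extension ids are 32 letters a-p.
MARKER = re.compile(
    r'<div\s+id=' + Q + r'spoon-plugin-[a-p]{32}-\d+' + Q +
    r'\s+style=' + Q + r'display:\s*none;?' + Q + r'\s*>\s*</div>')
HDR = re.compile(rb's:(\d+):"')            # PHP-serialized string header

def clean_serialized(blob):
    """Clean each serialized string and rewrite its s:N: byte length.
    Limitation: serialized data nested inside a string is not re-walked."""
    data = blob.encode()
    out, pos, hits = bytearray(), 0, 0
    while (m := HDR.search(data, pos)):
        n = int(m.group(1))
        end = m.end() + n
        if data[end:end + 2] != b'";':     # looked like a header, is not one
            out += data[pos:m.end()]
            pos = m.end()
            continue
        new, k = MARKER.subn('', data[m.end():end].decode())
        nb = new.encode()
        out += data[pos:m.start()] + b's:%d:"' % len(nb) + nb + b'";'
        pos, hits = end + 2, hits + k
    out += data[pos:]
    return out.decode(), hits

def clean_value(value):
    """Return (cleaned_value, number_of_divs_removed)."""
    if re.match(r'(a:\d+:\{|s:\d+:"|O:\d+:")', value):
        return clean_serialized(value)
    return MARKER.subn('', value)

def dry_run(rows):
    """Count hits per table without changing anything."""
    counts = {}
    for table, value in rows:
        _, k = clean_value(value)
        if k:
            counts[table] = counts.get(table, 0) + k
    return counts

# Constructed sample rows (not real site data).
DIV = ('<div id="spoon-plugin-kncgbdglledmjmpnikebkagnchfdehbm-2" '
       'style="display: none;"></div>')
BODY = 'Hi' + DIV
ROWS = [('wp_posts', '<p>Text</p>' + DIV),
        ('wp_postmeta', 'a:1:{s:4:"body";s:%d:"%s";}' % (len(BODY), BODY)),
        ('wp_usermeta', 'nickname')]

if __name__ == '__main__':
    print(dry_run(ROWS))
```

A plain search-and-replace on the serialized row would leave the old length prefix in place and PHP would fail to unserialize the value, so back up the database before applying any cleaned values.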
