Title: Hack site?
Last modified: August 24, 2016

---

# Hack site?

 *  [FreeFelix](https://wordpress.org/support/users/freefelix/)
 * (@freefelix)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/)
 * Apologies if not correct forum for this topic.
 * A site I am looking after keeps getting the following code (see below) inserted
   into nav-menu.php which is in wp-includes.
 * When I remove it the site goes back to normal.
 * Cannot work out how it keeps getting inserted – originally on a windows my AVG
   virus detects it as an iFrame injection.
 * Have done all the things on the checklist – but is there some code elsewhere 
   automatically inserting this periodically, if so any ideas where it may be located?
 * Anybody else had this happen?
 * _[hacked code removed by moderator – please do not post that here]_

Viewing 13 replies - 1 through 13 (of 13 total)

 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962857)
 * Have you installed any server side scanning plugins?
 *  Thread Starter [FreeFelix](https://wordpress.org/support/users/freefelix/)
 * (@freefelix)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962899)
 * Yes installed Wordfence – free edition – currently giving all clear
 * Just had to clear the code again 🙁
 * Any other suggestions re scanners
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962912)
 * I’m sorry your site keeps getting damaged. I know you probably understand this
   as well as I do. You are removing some malicious code but not the source of the
   malware. A file or files somewhere in your installation contains malware. There
   is nothing in a normal healthy WP installation that causes the functionality 
   you are seeing.
 * If you haven’t already adjusted the default setting in Wordfence, from the WordPress
   Dashboard > Wordfence > Options > Scanning options to include > check every box
   in this section to on.
 * Then rescan. If that doesn’t find more files with malware, I can suggest the 
   next step.
 *  [aeternal](https://wordpress.org/support/users/aeternal/)
 * (@aeternal)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962924)
 * WOW.. I am glad I found this post. I own a VPS and a majority of my sites are
   getting this very same infection. It is causing a blank screen with a few strange
   characters. It also has the ///istart prefix. I’m running all-in-one security
   and firewall. I’ll replace the file and it is only a matter of time before it
   gets injected / corrupted again. I have no idea where the vulnerability is.
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962930)
 * A moderator may move this post. It is always best to start your own post when
   you are looking for help. You are less likely to get a number of replies when
   your first post is way down the page.
 * I suggest installing Wordfence and configuring it from my previous post. If that
   doesn’t find your source of malware, I have other suggestions.
 * Reply to your post (wherever it may be) when you finish the scan.
 *  [Tim Nash](https://wordpress.org/support/users/tnash/)
 * (@tnash)
 * Spam hunter
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962932)
 * We don’t separate out posts, but yes if you are having issues you should start
   a separate post and hopefully can sort you out.
 * However I will include “our” standard response for hacked sites which is you 
   need to start working your way through these resources:
    - [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked)
    - [https://wordpress.org/support/topic/268083#post-1065779](https://wordpress.org/support/topic/268083#post-1065779)
    - [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
    - [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    - [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
    - [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
    - [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * On a side note, simply installing a security plugin rarely fixes issues on its
   own.
 *  [aeternal](https://wordpress.org/support/users/aeternal/)
 * (@aeternal)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962944)
 * After doing some research I believe it is a darkleech infection. Copying and pasting
   the malicious code here: [http://ddecode.com/phpdecoder/](http://ddecode.com/phpdecoder/)
   will show you exactly what it is doing. I found that there was a base64 encode
   in those results, for which I copied and pasted the string here: [https://www.base64decode.org/](https://www.base64decode.org/)
   which gave me the URL that it was trying to direct visitors to. That ultimately
   led me to this article: [http://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html](http://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html)
   which I am currently reading now. Hopefully this helps your situation.
 *  Thread Starter [FreeFelix](https://wordpress.org/support/users/freefelix/)
 * (@freefelix)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962948)
 * Well, done a full scan as suggested
 * Found a file that looked OK in the theme being used that I removed and a couple
   of files that were created by Duplicator in wp-snapshot folder that I removed.
 * Then rescanned and got a clean bill of health
 * we will see.
 * Any other steps apart from the huge list above 🙂
 *  [Tim Nash](https://wordpress.org/support/users/tnash/)
 * (@tnash)
 * Spam hunter
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962953)
 * Work your way through that list, we regularly see folks, who fix the issue, but
   don’t actually fix the attack vector so reopen threads a few days/weeks later
   with exactly the same issue and seem shocked that it happened again.
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962955)
 * As the moderator so kindly pointed out, there may be more malware. And unless
   you have already taken steps to clean it, your database is possibly infected.
 *  [aeternal](https://wordpress.org/support/users/aeternal/)
 * (@aeternal)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962956)
 * I’ve also begun installing the Sucuri Security system plugin and it seems pretty
   thorough as well. Watch out for the Revolution Slider plugin. If you have that
   make sure you’re above version 4.2. I’m a huge fan of it, but it only takes one
   outdated version on one site to infect the rest of my server. I’m slowly going
   through each site and checking folder by folder. Hopefully, that is the culprit.
 *  Thread Starter [FreeFelix](https://wordpress.org/support/users/freefelix/)
 * (@freefelix)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962976)
 * Thanks for this aeternal – looks very like darkleech from the article
 * Tried sucuri scanning and seems OK – but need to see what happens when offline
   for a bit
 *  [wslade](https://wordpress.org/support/users/wslade/)
 * (@wslade)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962980)
 * Unless you are using the paid version of sucuri, you are not getting a server
   side scan. Server side scans are technically superior and have the ability to
   find backdoors.
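
The server-side check discussed in this thread, as an added example that is not part of any participant's post: a Python sketch that walks a WordPress tree, flags PHP files carrying the `///istart` prefix reported above or common decode-and-execute calls, and decodes quoted base64 literals to surface the URL they hide (printed defanged). The function-name heuristics, the sample tree and the `redirect.example.invalid` URL are assumptions constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

MARKER = "///istart"  # prefix reported in this thread
# Generic obfuscation heuristics (assumption, not a signature from the thread).
DECODE_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL = re.compile(rb"https?://[^\s'\"<>]+")

def decoded_urls(text):
    """Decode quoted base64 literals and return defanged URLs found inside them."""
    urls = []
    for literal in B64_LITERAL.findall(text):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # looked like base64 but is not
            continue
        urls += [u.decode("ascii", "replace").replace("http", "hxxp", 1)
                 for u in URL.findall(raw)]
    return urls

def scan_tree(root):
    """Return {relative path: findings} for PHP files under root that look injected."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(errors="replace")
        findings = ["marker " + MARKER] if MARKER in text else []
        findings += ["call " + m.group(1).lower() for m in DECODE_CALL.finditer(text)]
        findings += ["url " + u for u in decoded_urls(text)]
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

def demo():
    """Scan a constructed two-file tree: one injected file, one clean file."""
    payload = base64.b64encode(b"http://redirect.example.invalid/frame").decode()
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root, "wp-includes")
        inc.mkdir()
        (inc / "nav-menu.php").write_text(
            "///istart\n<?php eval(base64_decode('%s')); ?>\n" % payload)
        (inc / "post.php").write_text("<?php function get_post() { return null; }\n")
        return scan_tree(root)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Legitimate plugins and core files also call these functions, so each hit is a lead to review against a fresh copy of the same WordPress version, not proof of infection.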


The topic ‘Hack site?’ is closed to new replies.

## Tags

 * [iframe injection](https://wordpress.org/support/topic-tag/iframe-injection/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 13 replies
 * 4 participants
 * Last reply from: [wslade](https://wordpress.org/support/users/wslade/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/hack-site-1/#post-5962980)
 * Status: not resolved

