  • [Resolved] st.dangerous (@stdangerous)

    Just wanted to give others a heads up that a standard Wordfence site scan will NOT catch the injectscr and injectbody malicious plugins.

    You’ll need to change the passwords of ALL your Admin accounts first, then delete the 2 hidden plugins from your plugins directory. I then changed ALL my Admin account passwords again just to be safe.

    We got a call from a new client yesterday who needed a site save. They’d been hacked but didn’t know how. After some digging, I saw what was going on. So I removed the malicious plugins – injectscr and injectbody. However, I hadn’t changed the Admin passwords yet, and between the time it took me to remove the directories and go change the password for the ‘admin’ username (the client set it up that way – now changed), an automated bot had logged in and re-installed the malicious hidden plugins in the plugins directory.

    Sucuri details the infection here – https://blog.sucuri.net/2018/02/unwanted-popups-caused-injectbody-injectscr-plugins.html

    Ironically enough, Sucuri scans don’t find the malicious plugins either, even though they documented the technique!

    For anyone looking for details, Wordfence did alert me to the following 6 related malicious files as well:
    wp-content/wpspl-load-compat.php
    wp-includes/wpspl-load-compat.php
    wp-includes/wp-scachetop.php
    wp-includes/wp-sclouds.php
    wp-includes/wpclan-rss.php
    wp-includes/wpn-sops.php

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @stdangerous,

    Thank you for bringing this to our attention.

    Can you confirm that you had all scan options enabled as outlined in our site cleaning guide?

  • Hi @stdangerous,

    It appears attackers are logging in and uploading a plugin which then injects JavaScript in “wp_head” and possibly other WordPress functions; this results in the (hex encoded) JavaScript code being loaded in pages.

    We have detection for this type of infection but we are adding some signatures to make the scan even better at detecting it.

  • Found another malicious plugin that appears to be related: ‘antisp’. I found it on the same site where I found ‘injectbody’ installed; they appear to be the same thing.
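A defender-side check that ties together the six file paths from the first post and the wp_head / hex-encoded JavaScript description in the Wordfence reply, written here as an added example (not code from this thread, from Wordfence or from Sucuri): it walks wp-content/plugins on disk, so a plugin that hides itself from the admin plugin list still shows up, and flags PHP files carrying those markers. The all_plugins filter heuristic is an assumption about how such plugins hide, and the sample plugin in demo() is constructed for the run.

```python
import os
import re
import tempfile
# Paths (relative to the WordPress root) that Wordfence flagged in the thread.
KNOWN_BAD_PATHS = [
    "wp-content/wpspl-load-compat.php",
    "wp-includes/wpspl-load-compat.php",
    "wp-includes/wp-scachetop.php",
    "wp-includes/wp-sclouds.php",
    "wp-includes/wpclan-rss.php",
    "wp-includes/wpn-sops.php",
]
# Markers from the Wordfence reply: a wp_head hook next to a long run of \xNN
# escapes. The all_plugins filter is an assumption (one way a plugin drops
# itself from the admin list, which a file-system walk does not honour).
WP_HEAD_HOOK = re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]")
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")
HIDE_FILTER = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]")

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings for the install at root."""
    findings = []
    for rel in KNOWN_BAD_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append((rel, "known malicious file path"))
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content", "plugins")):
        for name in (f for f in files if f.endswith(".php")):
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if WP_HEAD_HOOK.search(src) and HEX_RUN.search(src):
                findings.append((rel, "wp_head hook with hex-encoded payload"))
            if HIDE_FILTER.search(src):
                findings.append((rel, "all_plugins filter (plugin hides itself)"))
    return sorted(findings)

def demo():
    """Scan a constructed throwaway install holding a harmless stand-in plugin."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "injectbody")
        os.makedirs(plugin_dir)
        # Constructed sample, not real malware: it only carries the markers above.
        hexjs = "".join("\\x%02x" % b for b in b"<script>placeholder</script>")
        sample = ("<?php\nadd_filter('all_plugins', 'hide_self_from_list');\n"
                  "add_action('wp_head', function () { echo \"" + hexjs + "\"; });\n")
        with open(os.path.join(plugin_dir, "injectbody.php"), "w") as fh:
            fh.write(sample)
        open(os.path.join(root, "wp-content", "wpspl-load-compat.php"), "w").close()
        return scan_wordpress(root)
```

Run scan_wordpress() against the real document root of a suspect site; a hit on the hook-plus-hex heuristic is a lead to read the file, not proof by itself.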

  • The topic ‘Injectscr & Injectbody’ is closed to new replies.