• Resolved casperjam


    Hi, a customer told me yesterday morning that SPAM messages appeared on the home page of his site.
    The problem occurred only on devices NOT connected to wifi (and not on all), therefore only in mobile data mode.
    I tried to scan WordPress with Wordfence and with sitecheck.sucuri.net, and verified that there were no alerts in the Google Search Console. The filters in my hosting were also active and reported nothing. On the desktop the problem did not occur, and there was no trace of calls to unknown URLs.

    Checking the files, I found two files, helad.php and admin_ips.txt, in the plugins folder. The code of the first file refers to the second, and there are references to URLs of SPAM sites, such as topflownews.

    After deleting these files, the problem did not recur.
    So I looked for a reference to this file in the code of all the installation files and found it only in the analysis-1420.js file present in the js folder in the Yoast wordpress-seo folder.

    I re-downloaded the plugin from the wordpress.org repository and compared the file that was on my server with the “official” one just downloaded, using Kaleidoscope (Mac), and they are identical.
    At the moment, for safety, I have deleted the Yoast folder.

    Keep in mind that the problem occurs only in mobile data mode, and since in many countries there is still the lockdown, many may not have noticed the problem because they mainly use wifi.

    Can you check that JS?


Viewing 15 replies - 1 through 15 (of 15 total)
  • Hi @casperjam and thank you for your message. I’ve been looking into your report but I am unable to locate any malware in our analysis-1420.js file. Although it’s unclear to me what you mean with:

    > So I looked for a reference to this file in the code of all the installation files and found it only in the analysis-1420.js file present in the js folder in the yoast wordpress-seo folder.

    If you’re referring to the reference helad; I can only find that word without the .php extension and as part of Spanish morphology (anhelado, anhelada, et cetera), so with no malicious intent.

    I am marking this as resolved because of the above conclusion and because we don’t like to discuss potential security issues publicly. Feel free to contact us at our security e-mail address if you’re convinced we ship malware.

    • This reply was modified 3 years, 12 months ago by djennez.
    Thread Starter casperjam


    I’m not convinced that you spread malware.
    I just had a problem, found something and reported it to you.
    I understand that seeing the word malware written in the support thread annoys you, but if you don’t want to discuss security problems in public you could write it in the “read before post” post.

    Thank you very much.

    Sorry if I came across as “annoyed”, that was/is not my intention. I’m glad that people take the time to report security-related cases. My reply was based off of the assumed conclusion of your report that there would be malware in our files. If that assumption is wrong, I apologize. But in that case I’m also not sure what the intended goal of this forum thread is, if it was not to point out possible malware in our plugin 🙂

    The issue is not from Yoast, it’s something that gets its way into your WordPress content files.
    My site reported a critical issue this morning. During the investigation, I found the said files in the wp-content, well, nobody knows where those files came from.

    This is the error message captured:
    [04-Jun-2020 07:02:16 UTC] PHP Parse error: syntax error, unexpected end of file in /aaa/xxx/mm_html/yyyfolder/wp-content/plugins/helad.php on line 140.

    So, I checked the said location and found two unusual files; admin_ips.txt and helad.php
    Deleting those two files resolved the issue.

    Question is, are those two files legit?

    Hey, I had these malware files as well on my sites, they are showing nasty ads for non-admin users. It’s 100% malware. I wonder how to prevent my sites from its return.


    In admin_ips.txt I see only IP addresses.


    • This reply was modified 3 years, 11 months ago by simonetat.

    Hello everyone,

    I have the same issues on my website, it is showing nasty ads on mobile phones. I came across this file ../wp-content/plugins/admin_ips.txt
    Do you have any idea what generates this file?


    My customer also called me and said that strange ads slide down from above.
    Google and other checks are clean.

    Thanks to the entry here, I also discovered the two files helad.php and admin_ips.txt.

    How can this happen? And more importantly, whether it is done with just deleting these two files. So far I have set all FTP permissions correctly.

    Now that’s interesting. I found something before I deleted the files.

    If I enter my domain directly in the browser (mobile), then no ads come.

    If I enter my domain or keywords in Google and jump to the domain via the Google entry, the ads come...?

    Can anyone do anything with this info?


    I have found the same Malware about 3 days ago on my Website.
    The Malware is located in wp-content/plugins
    3 Files (ccode.php helad.php and admin_ips.txt)

    For those of you wondering, I had a look into the suspicious code:
    The Malware redirects website users to nasty sites and shows them Ads on your website. BUT it filters out Website “Admins” so you will not even see it if a user does not inform you. It finds Admins by “logged in state”, IP address and Browser Cookies.

    The Ads will only show to organic search users, who e.g. find your website on google.

    I am not sure yet, if removing the files will solve the problem and why they got into my plugins folder in the first place. Maybe someone else can help?

    Hello guys. I have the same issue. I have the ccode file in my plugins directory. I’m searching through all my directories with Maldet to detect any malicious code in my theme or anything. If I get something I will update you.

    I have the same files in the plugin folder and the same malicious ad popup problem. I deleted the helad.php file, but it regenerates again. Need to solve the problem permanently.

    Any suggestions?

    • This reply was modified 3 years, 9 months ago by mridulmet.

    I erased the file about a week ago. I have analyzed all my server files with maldet, and I didn’t find anything. The file has not regenerated up to this point. I recommend erasing the file and scanning the whole server with maldet through SSH.

    Hi, faced the same issue today. I didn’t have Yoast SEO on my site, so it does not look like a plugin-specific vulnerability. I cleared the files, and checked all files for references to ‘admin_ips’ and ‘helad’; no references found. If I find anything else, I shall keep you updated.

    Moderator Yui



    To all who have the “same issues”:

    Please do not jump into other topics and detract from their problem. If the troubleshooting already posted made no difference for you, then, as per the Forum FAQ, please post your own topic. A lot more people will see your post, and that way you stand a good chance of getting the assistance you want. Despite any similarity in symptoms, your issue is likely to be completely different because of possible differences in physical servers, accounts, hosts, plugins, theme, configurations, etc. Thus one problem, on one setup is not indicative of the functionality and reliability of an application as a whole.

  • The topic ‘Malware?’ is closed to new replies.
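
The two checks posters in this thread ran by hand (looking for stray files directly in wp-content/plugins, and searching the installation for references to them) can be scripted; the following is an added example, not code from any poster or from the Yoast plugin. The allowlist of stock files, the scanned extensions and the sample tree are assumptions to adjust for a real site; matching whole file names instead of the bare stem "helad" avoids the hit on Spanish words such as "anhelado" described in the first reply.

```python
import re
import tempfile
from pathlib import Path

# Files a stock WordPress install places directly in wp-content/plugins (assumed allowlist).
STOCK = {"index.php", "hello.php"}
# Names reported in this thread, matched only as whole file names.
REF = re.compile(r"(?<![\w.-])(helad\.php|ccode\.php|admin_ips\.txt)(?![\w-])")
NAIVE = re.compile(r"(helad)")  # bare stem: also hits "anhelado"
TEXT_EXT = {".php", ".js", ".txt", ".html"}

def loose_plugin_files(wp_root):
    """Names of non-stock files sitting directly in wp-content/plugins."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    return sorted(p.name for p in plugins.iterdir()
                  if p.is_file() and p.name not in STOCK)

def references(wp_root, pattern=REF):
    """(relative path, line number, match) for every hit under wp_root."""
    root, hits = Path(wp_root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            for m in pattern.finditer(line):
                hits.append((path.relative_to(root).as_posix(), n, m.group(1)))
    return hits

def demo():
    """Run the checks on a constructed tree (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        js = plugins / "wordpress-seo" / "js"
        js.mkdir(parents=True)
        (plugins / "index.php").write_text("<?php // Silence is golden.\n")
        (plugins / "admin_ips.txt").write_text("192.0.2.10\n")
        (plugins / "helad.php").write_text("<?php $f = 'admin_ips.txt';\n")
        (js / "analysis.js").write_text('var w = ["anhelado", "anhelada"];\n')
        return loose_plugin_files(tmp), references(tmp), references(tmp, NAIVE)

if __name__ == "__main__":
    loose, exact, naive = demo()
    print("loose files:", loose)
    print("exact-name references:", exact)
    print("bare-stem matches:", naive)
```

A clean result from the reference search only covers files on disk with the listed extensions; it says nothing about how the files were written there.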