Title: Malware? Last modified: August 26, 2020 --- # Malware? * Resolved [casperjam](https://wordpress.org/support/users/casperjam/) * (@casperjam) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/) * Hi, a customer told me yesterday morning that SPAM messages appeared on the home page of his site. The problem occurred only on devices NOT connected to wifi( and not on all), therefore only in mobile data mode. I tried to scan wordpress with wordfence, with sitecheck.sucuri.net and verified that there were no alerts in the google search console. The filters in my hosting were also active and reported nothing. On the desktop the problem did not occur, and there was no trace of calls to unknown URLs. * Checking the files I found two files, **helad.php** and **admin_ips.txt** in the plugins folder. The code of the first file refers to the second and there are references to urls of SPAM sites, such as topflownews. * Deleting these files the problem did not recur. So I looked for a reference to this file in the code of all the installation files and found it only in the** analysis-1420.js** file present in the **js** folder in the yoast **wordpress- seo** folder. * I re-downloaded the plugin from the wordpress.org repository and compared the file that was on my server with the “official” one just downloaded with Kaleidoskope( mac) and they are identical. At the moment for safety I have deleted the yoast folder. * Keep in mind that the problem occurs only in mobile data mode, and since in many countries there is still the lockdown many may not have noticed the problem using mainly with the wifi * can you check that js? * thanks Viewing 15 replies - 1 through 15 (of 15 total) * [djennez](https://wordpress.org/support/users/djennez/) * (@djennez) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12931368) * Hi [@casperjam](https://wordpress.org/support/users/casperjam/) and thank you for your message. I’ve been looking into your report but I am unable to locate any malware in our `analysis-1420.js` file. Although it’s unclear to me what you mean with: * > So I looked for a reference to this file in the code of all the installation files and found it only in the analysis-1420.js file present in the js folder in the yoast wordpress-seo folder. * If you’re referring to the reference `helad`; I can only find that word without the .php extension and as part of Spanish morphology (an**helad**o, an**helad** a, et cetera), so with no malicious intent. * I am marking this as resolved because of the above conclusion and because we don’t like to discuss potential security issues publicly. Feel free to contact us at our security e-mail address if you’re convinced we ship malware. - This reply was modified 5 years, 11 months ago by [djennez](https://wordpress.org/support/users/djennez/). - This reply was modified 5 years, 11 months ago by [djennez](https://wordpress.org/support/users/djennez/). * Thread Starter [casperjam](https://wordpress.org/support/users/casperjam/) * (@casperjam) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12931643) * I’m not convinced that you spread malware I just had a problem, found something and reported it to you. I understand that seeing the word malware written in the support thread annoys you, but if you don’t want to discuss security problems in public you could write it in the “read before post” post. * thank you very much * [djennez](https://wordpress.org/support/users/djennez/) * (@djennez) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12931862) * Sorry if I came across as “annoyed”, that was/is not my intention. I’m glad that people take the time to report security-related cases. My reply was based off of the assumed conclusion of you report that there would be malware in our files. If that assumption is wrong, I apologize. But in that case I’m also not sure what the intended goal of this forum thread is, if it was not to point out possible malware in our plugin 🙂 * [philarpy](https://wordpress.org/support/users/philarpy/) * (@philarpy) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12936259) * The issue is not from Yoast, it’s something that gets its way into your WordPress content files. My site reported a critical issue this morning. During the investigation, I found the said files in the wp-content, well, nobody knows where those files came from. * This is the error message captured: [04-Jun-2020 07:02:16 UTC] PHP Parse error: syntax error, unexpected end of file in /aaa/xxx/mm_html/yyyfolder/wp-content/ plugins/helad.php on line 140. * So, I checked the said location and found two unusual files; admin_ips.txt and helad.php Deleting those two files resolved the issue. * Question is, are those two files legit? * [solmediapl](https://wordpress.org/support/users/solmediapl/) * (@solmediapl) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12953512) * Hey, I had this malware files as well on my sites, they are showing nasty ads for non-admin users. It’s a 100% malware. I wonder how to prevent my sites from its return. * [simonetat](https://wordpress.org/support/users/simonetat/) * (@simonetat) * [5 years, 11 months ago](https://wordpress.org/support/topic/malware-118/#post-12954669) * hello, * in admin_ips.txt i see only ip adress * thanx simone - This reply was modified 5 years, 11 months ago by [simonetat](https://wordpress.org/support/users/simonetat/). * [toprak54](https://wordpress.org/support/users/toprak54/) * (@toprak54) * [5 years, 10 months ago](https://wordpress.org/support/topic/malware-118/#post-13145595) * Hello Everone, * I have same issues on my webite, it is showing nasty ads on mobile phones. I came across this file ../wp-content/plugins/admin_ips.txt do you have any idea what generates this file ? * thanks adem * [buganihere](https://wordpress.org/support/users/buganihere/) * (@buganihere) * [5 years, 10 months ago](https://wordpress.org/support/topic/malware-118/#post-13180142) * My customer also called me and said that strange ads slide down from above. Google and other checks are clean. * Thanks to the entry here, I also discovered the two files helad.php and admin_ips. txt. * How can this happen? And more importantly, whether it is done with just deleting these two files. So far I have set all FTP permissions correctly. * [buganihere](https://wordpress.org/support/users/buganihere/) * (@buganihere) * [5 years, 10 months ago](https://wordpress.org/support/topic/malware-118/#post-13180173) * **Now that’s interesting. I found something before i delete the files.** * If i was enter my domain directly in the browser (mobile). Then no ads come. * If i was enter my domain or keywords in **Google **and jump to the domain via the Google entry, the ads came. ..? * Can anyone do anything with this info? * [4nderi](https://wordpress.org/support/users/4nderi/) * (@4nderi) * [5 years, 10 months ago](https://wordpress.org/support/topic/malware-118/#post-13189646) * Hello, * I have found the same Malware about 3 days ago on my Website. The Malware is located in wp-content/plugins 3 Files (ccode.php helad.php and admin_ips.txt) * For those of you wondering, I had a look into the suspicious code: The Malware redirects website users to nasty sites and shows them Ads on your website. BUT it filters out Website “Admins” so you will not even see it if a user does not inform you. It finds Admins by “logged in state”, IP adress and Browser Cookies. * The Ads will only show to organic search users, who e.g. find your website on google. * I am not sure yet, if removing the files will solve the problem and why they got into my plugins folder in the first place. Maybe someone else can help? * [Eduard Armstrong](https://wordpress.org/support/users/p4r0dy/) * (@p4r0dy) * [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13282871) * Hello guys. I have the same issue. I have the ccode file on my plugins directory. Im searching through all my directories with Maldet to detect any malicious code on my theme or anything. If i get something i will update you - This reply was modified 5 years, 9 months ago by [Eduard Armstrong](https://wordpress.org/support/users/p4r0dy/). * [mridulmet](https://wordpress.org/support/users/mridulmet/) * (@mridulmet) * [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13300216) * I have the same files in plugin folder and same malicious ad popup problem..i deleted the helad.php file.. but it regenerates again. Need to solve the problem permanently.. * any suggestions ? - This reply was modified 5 years, 9 months ago by [mridulmet](https://wordpress.org/support/users/mridulmet/). * [Eduard Armstrong](https://wordpress.org/support/users/p4r0dy/) * (@p4r0dy) * [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13300516) * I have erased the file like a week ago. I have analyzed all my server files with maldet. And i dont find anything. The file has not regenerated up to this point. I recommend to erase the file and scan all the server with maldet through SSH * [therealdivij](https://wordpress.org/support/users/therealdivij/) * (@therealdivij) * [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13314684) * Hi, faced the same issue today. I didn’t have yoast SEO on my site, so does not look like a plugin specific vulnerability. I cleared the files, and checked all files from references to ‘admin_ips’ and ‘helad’, no references found. If I find anything else, shall keep you updated. * Moderator [Yui](https://wordpress.org/support/users/fierevere/) * (@fierevere) * 永子 * [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13315838) * to All, who has “same issues” : * Please do not jump into other topics and detract from their problem. If the troubleshooting already posted made no difference for you, then, as per the [Forum FAQ](https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too), please post your own topic. A lot more people will see your post, and that way you stand a good chance of getting the assistance you want. Despite any similarity in symptoms, your issue is likely to be completely different because of possible differences in physical servers, accounts, hosts, plugins, theme, configurations, etc. Thus one problem, on one setup is not indicative of the functionality and reliability of an application as a whole. Viewing 15 replies - 1 through 15 (of 15 total) The topic ‘Malware?’ is closed to new replies. * ![](https://ps.w.org/wordpress-seo/assets/icon-256x256.gif?rev=3419908) * [Yoast SEO - Advanced SEO with real-time guidance and built-in AI](https://wordpress.org/plugins/wordpress-seo/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordpress-seo/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordpress-seo/) * [Active Topics](https://wordpress.org/support/plugin/wordpress-seo/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordpress-seo/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordpress-seo/reviews/) * 15 replies * 12 participants * Last reply from: [Yui](https://wordpress.org/support/users/fierevere/) * Last activity: [5 years, 9 months ago](https://wordpress.org/support/topic/malware-118/#post-13315838) * Status: resolved