Support » Plugin: Anti-Malware Security and Brute-Force Firewall » malware: rogueads.unwanted_ads?1

  • Resolved LaptopServices

    (@horncastlecs)


    Hi. Thanks for your plugin. It seems to work, but it doesn’t clean my site (I donated).
    https://sitecheck.sucuri.net says my site is infected with malware: rogueads.unwanted_ads?1 – I read on this site, I think, that this plugin can clear that issue, so I donated, but it hasn’t worked. Am I doing something wrong? Many thanks,


Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author Eli

    (@scheeeli)

    It looks like it cleaned some stuff, did you “Force a Re-scan” to clear the cache on that sucuri page after you cleaned the site?

    It looks like you just have a holding page up now. How do you know that you are still infected?

    This threat is usually triggered from a malicious include in your theme’s functions.php file. Can you check the Anti-Malware Quarantine to see if that was found and cleaned?

    If you want to share anything with me that you don’t want to post on this public forum then you can email me directly:
    eli AT gotmls DOT net

    Hi. Thanks for taking a look. I’ve taken down the holding page. The plugin says it’s cleaned the functions PHP, but still there are ads. Any other ideas? Thank you so much.

    Plugin Author Eli

    (@scheeeli)

    Sorry, but I still only see your holding page so I can’t see any signs that your site is still infected.

    What specifically are you seeing that indicates that your site is still infected?

    Hi,

    Thanks for looking. I’ve disabled the holding page again, the site is up now and still infected – the menu isn’t working because I’ve broken the CSS, but if you click on a few links popups appear.

    Plugin Author Eli

    (@scheeeli)

    Ok, I see the live site now…

    The first thing I noticed was this error:
    Fatal error: Uncaught Error: Call to undefined function wp_foots() in …wp-content/themes/genesis/footer.php on line 56

    I didn’t see that redirect script until I looked at some of the sub-pages. Now I see that the remaining malicious scripts were probably injected directly into your page content.

    I have added these new script references to my definition updates so they should be found by the Complete Scan now, and you can remove them using the Automatic Fix.

    If they are still not found then please let me know and I will look for another source for this malicious output.
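One way to check for the situation described in the reply above (scripts injected directly into page content), added here as an example that is not part of the thread or the plugin's code. It assumes rows of `(ID, post_content)` exported from the WordPress `wp_posts` table; the allowlist and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (adjust per site).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Constructed sample rows standing in for an export of (ID, post_content).
SAMPLE_ROWS = [
    (1, "<p>Opening hours</p>"),
    (2, '<p>Sheds</p><script src="//ads.invalid/pop.js"></script>'),
    (3, "<p>Repairs</p><script>var a = 1;</script>"),
    (4, '<script src="https://www.example.com/menu.js"></script>'),
]

class ScriptFinder(HTMLParser):
    """Collects <script> tags found in one post's HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._inline = [], None  # _inline buffers inline JS text

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            host = (urlparse(src).hostname or "").lower()  # also parses //host/x
            if host and host not in ALLOWED_HOSTS:
                self.findings.append(("external", src))
        else:
            self._inline = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.findings.append(("inline", "".join(self._inline).strip()[:60]))
            self._inline = None

def audit_posts(rows):
    """rows: iterable of (post_id, post_content). Returns {post_id: findings}."""
    report = {}
    for post_id, content in rows:
        finder = ScriptFinder()
        finder.feed(content or "")
        finder.close()
        if finder.findings:
            report[post_id] = finder.findings
    return report
```

Posts that legitimately embed inline scripts will also be listed, so the report is a review queue rather than a verdict.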

    Great! I will restore a backup version of the site and try to remove them again. I also have another site http://suttonsheds.co.uk which is also infected, perhaps with the same code? I will try clean that tomorrow too using your new database, but if you want to check the sheds site it would be great. If I can get all this sorted I will certainly donate more as I really appreciate your help.

    Plugin Author Eli

    (@scheeeli)

    Looks like the same stuff on that other site.

    Let me know if it doesn’t come clean after the scan (be sure to clear the cache after the auto-fix).

    Hi,

    I have rescanned and both seem to be clean now. Time will tell, but at least for now the site is clean. I really appreciate your help and will be sending through more donation, just will be next week as on holiday at the moment and need a holiday after all this. Thank you!

    Hi, it seemed clean, the scan worked with the new definitions, but now the hack is back :-/ Any ideas – seems it was still lurking in the website after the clean.

    Plugin Author Eli

    (@scheeeli)

    I’m sorry to tell you but I would guess that more than just the two sites you spoke of are infected on this server. It is likely that there are many other infected sites (on other accounts if not your own) or maybe even a root hack on the server.

    I would strongly suggest that you find a more secure hosting environment to move your sites to where you can be sure that they will not be reinfected again.

    You can email me directly if you need more direct help:
    eli AT gotmls DOT net

    Just a follow-up to the previous posts and situation. I don’t believe the server was hacked… I have cloud hosting for multiple sites and the company specialises in WordPress, so it is unlikely to be hacked at server level. The hosting company was super good, but has gone downhill, but even so I think the root cause was a bad plugin on the WordPress sites, or being too slow to update. This plugin solved my problems temporarily, but wasn’t able to remove the infection (which I believe can only have been lurking in PHP, JavaScript or the database). No worries, and I appreciate the replies and effort this plugin author has gone to. No other WordPress plugin would find or fix this without serious payment. I donated and wish the best for future malware protection!

    Has someone found the solution? Sucuri keeps intimating about it but GOTMLS doesn’t detect this:

    rogueads.unwanted_ads
    Please, anyone?

    Plugin Author Eli

    (@scheeeli)

    @saad_rashad,
    My Anti-Malware plugin was finding the malware mentioned in this topic so it sounds like you have a different issue.

    “rogueads.unwanted_ads” does not tell us anything about what code is actually being detected on your site. Can you post your scan results or a link to your URL so I can see what you are dealing with?
