Title: Please fix Last modified: September 3, 2016 --- # Please fix * [blueprintmarketing](https://wordpress.org/support/users/blueprintmarketing/) * (@blueprintmarketing) * [10 years, 1 month ago](https://wordpress.org/support/topic/please-fix-4/) * Please fix * ``` 1 Suspicious Code Dangerous and threatening code often used to attack sites. PHP.Hidden.Code.2 This file contains suspicious hidden code, and should be checked for recent changes, or malicious code. Often hackers try to hide their hack attempts by obfuscating their attack code, to make it harder to detect. VaultPress has detected a string of suspicious characters in this file. Please check your backup history for recent changes to this file, or contact a Safekeeper if you are unsure. Fixing threat… 5 Files Affected 4 hours ago tcpdf_static.php /wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf/include 1 week ago tcpdf_static.php /wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf/include 4 hours ago tcpdf.php /wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf 4 hours ago tcpdf_parser.php /wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf 1 week ago tcpdf_parser.php /wp-content/plugins/tickera-event-ticketing-system/includes/tcpdf ``` Viewing 4 replies - 1 through 4 (of 4 total) * Plugin Author [Tickera](https://wordpress.org/support/users/tickera/) * (@tickera) * [10 years, 1 month ago](https://wordpress.org/support/topic/please-fix-4/#post-8079618) * Hi there, * We’re using original TCPDF library in Tickera and the code could be compared here [https://sourceforge.net/projects/tcpdf/files/](https://sourceforge.net/projects/tcpdf/files/) * What the VaultPress scanner actually spotted are things like these bellow and you can see the decoded results here for instance [http://ddecode.com/hexdecoder/?results=bcace881138d3437ef89d9b932d53c8b](http://ddecode.com/hexdecoder/?results=bcace881138d3437ef89d9b932d53c8b) * As you can see, result of this particular one is “Powered by TCPDF (www.tcpdf. org)” which is certainly not a malicious code 😉 * tcpdf_static.php: /** * Encryption padding string. * [@public](https://wordpress.org/support/users/public/) static */ public static $enc_padding = “\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\ x00\x4E\x56\xFF\xFA\x01\x08\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\ x53\x69\x7A”; * tcpdf.php: * public function Close() { … $msg = “\x50\x6f\x77\x65\x72\x65\x64\x20\x62\x79\ x20\x54\x43\x50\x44\x46\x20\x28\x77\x77\x77\x2e\x74\x63\x70\x64\x66\x2e\x6f\x72\ x67\x29”; … * } tcpdf_parser.php: * /** * Decode the Cross-Reference section * [@param](https://wordpress.org/support/users/param/) $startxref (int) Offset at which the xref section starts (position of the ‘xref’ keyword). * [@param](https://wordpress.org/support/users/param/) $xref (array) Previous xref array (if any). * [@return](https://wordpress.org/support/users/return/) Array containing xref and trailer data. * [@protected](https://wordpress.org/support/users/protected/)* [@since](https://wordpress.org/support/users/since/) 1.0.000 (2011-06-20) */ protected function decodeXref( $startxref, $xref = array() ) { $startxref += 4; // 4 is the lenght of the word ‘xref’ // skip initial white space chars: \ x00 null (NUL), \x09 horizontal tab (HT), \x0A line feed (LF), \x0C form feed( FF), \x0D carriage return (CR), \x20 space (SP) $offset = $startxref + strspn( $this->pdfdata, “\x00\x09\x0a\x0c\x0d\x20”, $startxref ); // initialize object number $obj_num = 0; // search for cross-reference entries or subsection …. * I hope it helps. Please consider changing a rating to 5 stars. * Thanks a lot! * Marko, Tickera Team * [slcreations](https://wordpress.org/support/users/slcreations/) * (@slcreations) * [10 years ago](https://wordpress.org/support/topic/please-fix-4/#post-8079627) * Thank you so much * [rajeshkumarpullati](https://wordpress.org/support/users/rajeshkumarpullati/) * (@rajeshkumarpullati) * [10 years ago](https://wordpress.org/support/topic/please-fix-4/#post-8079629) * hai iam facing these issues * PHP.Hidden.Code.2 This file contains suspicious hidden code, and should be checked for recent changes, or malicious code. Often hackers try to hide their hack attempts by obfuscating their attack code, to make it harder to detect. VaultPress has detected a string of suspicious characters in this file. Please check your backup history for recent changes to this file, or contact a Safekeeper if you are unsure. * Detected the signature PHP.Hidden.Code.2 on ./wp-content/themes/Avada/js/main. js. (active) * Detected the signature PHP.Hidden.Code.2 on ./wp-content/themes/Avada/js/main- min.js. * [rajeshkumarpullati](https://wordpress.org/support/users/rajeshkumarpullati/) * (@rajeshkumarpullati) * [10 years ago](https://wordpress.org/support/topic/please-fix-4/#post-8079630) * how to find out where the hidden code is please help Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘Please fix’ is closed to new replies. * ![](https://ps.w.org/tickera-event-ticketing-system/assets/icon-256x256.jpg?rev =1328378) * [Tickera – Sell Tickets & Manage Events](https://wordpress.org/plugins/tickera-event-ticketing-system/) * [Frequently Asked Questions](https://wordpress.org/plugins/tickera-event-ticketing-system/#faq) * [Support Threads](https://wordpress.org/support/plugin/tickera-event-ticketing-system/) * [Active Topics](https://wordpress.org/support/plugin/tickera-event-ticketing-system/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/tickera-event-ticketing-system/unresolved/) * [Reviews](https://wordpress.org/support/plugin/tickera-event-ticketing-system/reviews/) * 4 replies * 4 participants * Last reply from: [rajeshkumarpullati](https://wordpress.org/support/users/rajeshkumarpullati/) * Last activity: [10 years ago](https://wordpress.org/support/topic/please-fix-4/#post-8079630)