Title: Plugin Leak? Last modified: August 21, 2016 --- # Plugin Leak? * [RSSfeed](https://wordpress.org/support/users/rssfeed/) * (@rssfeed) * [12 years ago](https://wordpress.org/support/topic/plugin-leak/) * Hi, * For 2 weeks I’ve got “Louis Vuitton” look-a-like spam on my website and can’t figure out where the spam comes from. Also a articlesmap.xml is placed in the root but not as a file. When I change my user-agent to the GoogleBot I see more spam (also in the robots.txt). * When I re-install WordPress the spam disappears. Then I figured out that wp-blog- header.php had been changed and /wp-includes/images/slider.gif is placed in a required tag… * I’ve opened the slider.gif and saw an encrypted code that also had been encrypted. The encryption wasn’t that strong so after 5 decrypts I saw this code: * _[ Malware script deleted, please do not post those here ]_ * Does anyone have an idea where the code comes from? I changed the FTP- MySQLAdmin- and WP-logins several times but they change the code every time. * These are the plugins that I use: - Advanced Custom Fields - Contact Form 7 - Cubell Themes - Custom Recent Posts Widget - Easy FancyBox - Easy Table - Envato WordPress Toolkit - Events Manager - Floating Social Bar - Google Sitemap - Image Widget - Jetpack door WordPress.com - List category posts - PHP Code Widget - Pre Date Future Post - Simple Ads Manager - Weptile Image Slider Widget - WordPress Popular Posts - WP Super Cache - Yop Poll Plugin * Thank you for your help. Viewing 4 replies - 1 through 4 (of 4 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [12 years ago](https://wordpress.org/support/topic/plugin-leak/#post-4763174) * > For 2 weeks I’ve got “Louis Vuitton” look-a-like spam on my website and can’t > figure out where the spam comes from. * If it’s comment spam have you considered installing anti-spam plugins? * [https://codex.wordpress.org/Combating_Comment_Spam](https://codex.wordpress.org/Combating_Comment_Spam) * But as you’ve got modified files you really need to review the standard reading list… * You need to start working your way through these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Additional Resources: [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress) [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) * [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html) * [tunamaxx](https://wordpress.org/support/users/tunamaxx/) * (@tunamaxx) * [11 years, 11 months ago](https://wordpress.org/support/topic/plugin-leak/#post-4763322) * Hello RSSfeed. I’m just doing a post mortem on a site with exactly the same situation you describe. I was slowly unwrapping the slider.gif file when I found this post. Mine is in an odd encoding though, so I have to de-obfuscate the code while trying to decipher the oddly encoded bits too. * So far, I’ve found a bunch of nested base64_decode calls that eventually forms an `eval(gzuncompress(base64_decode(...)))` statement that seems to start the process over again in a different character encoding. * The list of plugins on this site has nothing overlapping with yours, except for the possibility of a PHP in Posts plugin. However, I do not think they are the same ones. * I’d love to compare notes if you are interested. I’d especially love to see what you came up with for the decoded version. * Thread Starter [RSSfeed](https://wordpress.org/support/users/rssfeed/) * (@rssfeed) * [11 years, 11 months ago](https://wordpress.org/support/topic/plugin-leak/#post-4763326) * I would love to paste the code i revealed but as you can see in my first post they removed it. * There is no option to send you private messages on this forum? * [tunamaxx](https://wordpress.org/support/users/tunamaxx/) * (@tunamaxx) * [11 years, 11 months ago](https://wordpress.org/support/topic/plugin-leak/#post-4763327) * If you want, you can email me. I have an old yahoo.com account that uses this username. Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘Plugin Leak?’ is closed to new replies. ## Tags * [leak](https://wordpress.org/support/topic-tag/leak/) * [robots.txt](https://wordpress.org/support/topic-tag/robots-txt/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 4 replies * 3 participants * Last reply from: [tunamaxx](https://wordpress.org/support/users/tunamaxx/) * Last activity: [11 years, 11 months ago](https://wordpress.org/support/topic/plugin-leak/#post-4763327) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics