Title: Possible malware Last modified: August 22, 2016 --- # Possible malware * Resolved [SherabGyamtso](https://wordpress.org/support/users/sherabgyamtso/) * (@sherabgyamtso) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/) * I have last version of your plugin and WordPress. * Everything was ok until today. I’ve got a report from sitelock that my Contact page on my blog is infected with malware with iframe redirecting to h t t p :// 203koko.eu/hjnfh/ipframe2.php * Chcecked my page source on this contact page and found something like this: * * I desactivated just Total Cache and this page is not infected anymore. * I have other plugins (up to date) active: * Akismet Version 3.0.4 Custom Posts Per Page Version 1.7.1 FancyBox for WordPress Version 3.0.2 GetSocial Version 2.0.1 NextCellent Gallery Version 1.9.25.1 Official StatCounter Plugin Version 1.6.9 Use Google Libraries Version 1.6.2 WordPress SEO Version 1.7.1 * Can anybody helps me to determine source of this malware? * Best * Maciek * [https://wordpress.org/plugins/w3-total-cache/](https://wordpress.org/plugins/w3-total-cache/) Viewing 15 replies - 1 through 15 (of 110 total) 1 [2](https://wordpress.org/support/topic/possible-malware-2/page/2/?output_format=md) [3](https://wordpress.org/support/topic/possible-malware-2/page/3/?output_format=md)… [6](https://wordpress.org/support/topic/possible-malware-2/page/6/?output_format=md) [7](https://wordpress.org/support/topic/possible-malware-2/page/7/?output_format=md) [8](https://wordpress.org/support/topic/possible-malware-2/page/8/?output_format=md) [→](https://wordpress.org/support/topic/possible-malware-2/page/2/?output_format=md) * [Gennady Kovshenin](https://wordpress.org/support/users/soulseekah/) * (@soulseekah) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750758) * Total Cache has nothing to do with this, a client of mine got the same code today leading to 203koko.eu, blocked by Google as well for malware, but we can’t find the code in our pages at all which is very strange. Site did not have W3 Total Cache installed. * The only plugin we have in common is FancyBox for WordPress. * [Gennady Kovshenin](https://wordpress.org/support/users/soulseekah/) * (@soulseekah) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750760) * Can you please mail me at gennady[at]kovshenin[dot]com, I want access to your site to try to find the malware on yours, maybe it will help us find it on ours, since we can’t even get it to show anywhere on the pages although Google found it. * [wslade](https://wordpress.org/support/users/wslade/) * (@wslade) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750767) * I’m sorry that your sites are damaged. A Mod. will likely be by shortly to move this to a more appropriate forum. * You may want to have a look at this information: * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) [http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/](http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/) [http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/](http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/) [http://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/](http://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/) * The easiest and fastest way to get rid of the malware is to restore from a good back up. * Good luck. * [Johan Elisson](https://wordpress.org/support/users/johan-elisson/) * (@johan-elisson) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750769) * I have the same problem with [http://anglarna.se/](http://anglarna.se/) which is a site I’m webmaster for. I can’t seem to find the code snippet anywhere on any of the indicated pages either. * We have the following plugins (all latest version) AdRotate Contact Form 7 Custom Facebook Feed Download Manager FancyBox for WordPress HTML Editor Reloaded NextGEN Gallery by Photocrati Quick Page/Post Redirect Plugin Really Simple CAPTCHA Share Buttons by AddToAny Surveys WP-Polls WP to Twitter Yoast Breadcrumbs * [Gennady Kovshenin](https://wordpress.org/support/users/soulseekah/) * (@soulseekah) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750775) * Full source of OP’s page here: [http://hastebin.com/raw/acawutiwaq](http://hastebin.com/raw/acawutiwaq) for those following the investigation. * [Gennady Kovshenin](https://wordpress.org/support/users/soulseekah/) * (@soulseekah) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750776) * Johan, contact me please. I’m actively investigating this issue and we can help each other, I need access to another infected server to compare files. * [Jan Eckhoff](https://wordpress.org/support/users/janeckhoff/) * (@janeckhoff) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750779) * Hi guys, sorry for using this forum but … * me and a colleague also had the problem today. * Both sites got malware listed by Google but on none we could find the code mentioned above. * Both sites are using “Fancybox for WordPress”. But we have other sites online with that plugin that didn’t got blocked. * Weird. * [bigant841](https://wordpress.org/support/users/bigant841/) * (@bigant841) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750780) * I have the same problem as well with a clients site of mine. I checked every file and there is no indication of this script. Any luck with anyone yet? * [RedKobra](https://wordpress.org/support/users/redkobra/) * (@redkobra) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750781) * I have also got “h t t p://203koko.eu/hjnfh/ipframe2.php” on my site. I got a the dreaded email from Google saying my site has malware infected on it. I am currently in contact with Host Gator. They are currently scanning my site for malicious code. I have Total Cache as one of my sites plugins. * I will keep everyone posted once I hear back from Host Gator. * [Consultis](https://wordpress.org/support/users/consultis/) * (@consultis) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750791) * I too have been hit by this “drive-by” malware today. Half of my morning has been eaten up by this wild good chase. Glad to see I’m not the only one. * The only overlap I have with plugins from the above posters is FancyBox and Contact Form 7. I do not have the W3 Total Cache plugin. * I’m tempted to disable FancyBox, as it hasn’t been updated in years. “Easy FancyBox” seems like a suitable replacement. * [areohdeee](https://wordpress.org/support/users/areohdeee/) * (@areohdeee) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750792) * It’s looking like “Fancybox for WordPress” * it’s the only PI we have in common with the rest of you. * [bigant841](https://wordpress.org/support/users/bigant841/) * (@bigant841) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750795) * I have fancy box as well but disabled it. But this may be the problem that is causing all of our issues. * [RedKobra](https://wordpress.org/support/users/redkobra/) * (@redkobra) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750797) * I have Contact Form 7 and Fancybox on my site as well. All my plugins are updated to most current ones. * [Gennady Kovshenin](https://wordpress.org/support/users/soulseekah/) * (@soulseekah) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750798) * Has anoyone been able to actually see the code in question? Seems like it only shows up to Internet Explorer users. * [Johan Elisson](https://wordpress.org/support/users/johan-elisson/) * (@johan-elisson) * [11 years, 4 months ago](https://wordpress.org/support/topic/possible-malware-2/#post-5750800) * I’ve removed the “Fancybox for WordPress” plugin and requested a review from Google for my site. I’ll report back on the result. Viewing 15 replies - 1 through 15 (of 110 total) 1 [2](https://wordpress.org/support/topic/possible-malware-2/page/2/?output_format=md) [3](https://wordpress.org/support/topic/possible-malware-2/page/3/?output_format=md)… [6](https://wordpress.org/support/topic/possible-malware-2/page/6/?output_format=md) [7](https://wordpress.org/support/topic/possible-malware-2/page/7/?output_format=md) [8](https://wordpress.org/support/topic/possible-malware-2/page/8/?output_format=md) [→](https://wordpress.org/support/topic/possible-malware-2/page/2/?output_format=md) The topic ‘Possible malware’ is closed to new replies. * ![](https://ps.w.org/fancybox-for-wordpress/assets/icon-256x256.jpg?rev=1864321) * [FancyBox for WordPress](https://wordpress.org/plugins/fancybox-for-wordpress/) * [Frequently Asked Questions](https://wordpress.org/plugins/fancybox-for-wordpress/#faq) * [Support Threads](https://wordpress.org/support/plugin/fancybox-for-wordpress/) * [Active Topics](https://wordpress.org/support/plugin/fancybox-for-wordpress/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/fancybox-for-wordpress/unresolved/) * [Reviews](https://wordpress.org/support/plugin/fancybox-for-wordpress/reviews/) * 110 replies * 30 participants * Last reply from: [besso](https://wordpress.org/support/users/besso/) * Last activity: [11 years, 3 months ago](https://wordpress.org/support/topic/possible-malware-2/page/8/#post-5751159) * Status: resolved