Title: Potential Malware Compromise
Last modified: August 30, 2016

---

# Potential Malware Compromise

 *  [jaydokie](https://wordpress.org/support/users/jaydokie/)
 * (@jaydokie)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/)
 * My domain host (Inmotion Hosting) is bumping my host plan up by 400% due to the
   issues identified below. What can I do to resolve all of these problems?
 * As your site looks to be properly optimized, I have run a malware scan on the
   account and found the files below to be potentially compromised. You will likely
   want to work with a seasoned WordPress developer to ensure that there are no 
   compromised files on the site. This type of file compromise can cause an increase
   in server load and resource usage. If you do have any other questions or anything
   else we can help you with, please let us know!
 * [http://roundhousetalk.com](http://roundhousetalk.com)

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [codeManiac](https://wordpress.org/support/users/codemaniac/)
 * (@codemaniac)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/#post-6766552)
 * That’s a base64 encoded backdoor and I assume the backdoor code is right after
   the opening tag of every PHP file mentioned above. First, start with shutting
   down the website until the problem is solved, there may be an exploit kit (assuming
   worst case here) and it would affect your website visitors. Then, try to find
   out what’s the vulnerability that caused your website to be hacked (Apache logs
   would be a quick way to find out), fix it in the backup files and restart your
   website. Honestly, it won’t be something easy if you didn’t already know how to do
   it. Quick and dirty solutions will only delay getting your website hacked again.
 *  Thread Starter [jaydokie](https://wordpress.org/support/users/jaydokie/)
 * (@jaydokie)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/#post-6766571)
 * If it’s not easy, how does a person such as myself attempt to try this without
   fear of making something worse? Can’t I just re-install the WP 4.3.1 download
   which I would think would overwrite the vulnerable files causing my problems?
   I don’t know, I’m just trying to ensure that I don’t make things worse. Also,
   where do I find the Apache Logs?
 *  [codeManiac](https://wordpress.org/support/users/codemaniac/)
 * (@codemaniac)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/#post-6766631)
 * Usually you find Apache logs under /var/log/apache2 in your server files, but
   well, I am not sure if you will know how to deal with this, but apparently the advice
   is hiring someone who knows how to do it. Simply reinstalling WP is one of the
   quick and dirty solutions I advised to stay away from. If the server is also compromised
   (which is probably the case because it can be used for setting mailers for spam
   etc.), a new WP installation won’t change anything. Also, if we say the server wasn’t
   compromised, if you reconfigure your website just like before it was compromised
   without identifying the vulnerability, it will certainly be hacked again. To sum up,
   the best solution is hiring someone who knows how to deal with such cases 🙂
 *  [Krasi](https://wordpress.org/support/users/krasi4/)
 * (@krasi4)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/#post-6766861)
 * Replacing the core files will get rid of the malware unless it’s in the wp-content
   directory or has its own directory, which won’t be removed when you replace the
   core files. Re-installing will fix it, but then you have to start all over. There
   could also be malware in the database, so even if you replace all the files and
   just restore the database with your posts, there could still be malware inside
   causing the website to get re-infected.
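
The checks discussed in the replies above, as an added example that is not part of the original thread and is not the host's scanner: a Python triage pass that flags `eval(base64_decode(...))` sitting right after the opening `<?php` tag, flags PHP files under `wp-content/uploads/`, and records whether each finding lies under `wp-content/` and so would survive a core-file replacement. The regex, the 200-byte window and the sample site tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The pattern the host's scanner labels "evals/base64": eval() fed by base64_decode().
EVAL_B64 = re.compile(rb"\beval\s*\(\s*base64_decode\s*\(", re.I)
HEAD_WINDOW = 200  # assumption: "right after the opening tag" means within 200 bytes

def triage_file(root: Path, path: Path):
    """Return a finding dict for one PHP file, or None if nothing is flagged."""
    data = path.read_bytes()
    rel = path.relative_to(root).as_posix()
    in_uploads = rel.startswith("wp-content/uploads/")
    hit = EVAL_B64.search(data)
    if not hit and not in_uploads:
        return None
    tag = data.find(b"<?php")
    return {
        "path": rel,
        "eval_base64": bool(hit),
        "at_file_head": bool(hit) and tag != -1 and 0 <= hit.start() - tag <= HEAD_WINDOW,
        "php_in_uploads": in_uploads,  # uploads should hold media, not PHP
        # Replacing core files leaves everything under wp-content untouched.
        "survives_core_reinstall": rel.startswith("wp-content/"),
    }

def scan(root: Path):
    return [f for p in sorted(root.rglob("*.php")) if (f := triage_file(root, p))]

def build_sample_site(root: Path):
    """Constructed sample tree; the encoded string decodes to a harmless `echo 1;`."""
    inject = b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>'
    files = {
        "index.php": inject + b"<?php require 'wp-blog-header.php';",
        "wp-content/themes/demo/index.php": inject + b"<?php // Silence is golden.",
        "wp-content/uploads/demo/stati.php": b"<?php echo 'x';",
        "wp-includes/clean.php": b"<?php function ok() { return 1; }",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        return scan(Path(tmp))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A match is only a lead for manual review: legitimate code occasionally uses `base64_decode`, and a clean scan says nothing about malware stored in the database.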

The topic ‘Potential Malware Compromise’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 3 participants
 * Last reply from: [Krasi](https://wordpress.org/support/users/krasi4/)
 * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/potential-malware-compromise/#post-6766861)
 * Status: not resolved
