If you want to attach a screenshot of your options page, I can look to see what was missing.
tim
Thread Starter
John O
(@jossoway)
Hi – how do I attach a screenshot here? There doesn’t seem to be an option to upload anything.
Use postimage to upload the pic and share the link here.
tim
Thread Starter
John O
(@jossoway)
Really sorry for not understanding, but what do you mean when you say ‘use postimage’? Do you mean post the screenshot on the site and share it here? The site is down again so I can’t do that.
Yes. That’s what I meant. Postimg (I got the name wrong) is a service that hosts images for you for free. http://postimg.org/
tim
Thread Starter
John O
(@jossoway)
The only other option I would have checked is the one to scan images as executable. Can you send those suspect files to us at samples [at] wordfence.com? Make sure and include a link to this forum post.
tim
Thread Starter
John O
(@jossoway)
Yes no problem. Thanks for the help. I have sent the email with the suspected files and a link to this thread as requested.
So I had checked off for WordFence to scan files outside of the WordPress Core and all plugins and themes within the options area of WordFence and it didnt find a few basic eval injected files.
./wp-content/plugins/ml-slider/ajax.php: eval($bd4a[$GLOBALS[‘n7f30’][12]]);
./wp-content/plugins/groups-404-redirect/object21.php: eval($o34f7[$GLOBALS[‘w4c70’][18]]);
./wp-content/plugins/gravityformspaypal/js/include50.php: eval($w6612fc[$GLOBALS[‘m3c78’][41]]);
./wp-content/plugins/wp-realtime-sitemap/user44.php: eval($v4c7b2[$GLOBALS[‘m0b598’][94]]);
Here are a few samples from files that was found through a manual scan at the linux shell.
@wp if you would be so kind, please email the samples to the address I posted before.
A quick search found the ml slider and Groups 404 Redirect in the wordpress repository, which we check against. Were your scans for outdated themes and plugins and plugin files against repository versions for changes enabled?
The WP Realtime Sitemap was in the repository, but I notced it hasn’t been supported or develpoped since 2011 and isn’t supposed to work with WordPress versions past 3.2.1. I’m sure you realize how many times out of date and unsupported plugins are the attack vector against sites, right?
The Gravity Forms Paypal plugin is a paid plugin and not in the wordpress repository. Using the scan files outside your wordpress installation might have caught that one, if enabled.
If you continue to have issues, please follow forum rules and open a new post so the WordPress Mods are not angered. 🙂
tim
