Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • I should have pointed out when I first added to this post that in my instance it had nothing to do with WC Marketplace. I was merely reporting Avast and AVG were highlighting a similar issue with sites I maintain.

    I have cleaned up my sites and eradicated the problem for now. I found the issue was occurring in a number of different .js files throughout the sites. One of the files being reported with the problem was in the js folder for the theme I was using. I had a clean install of this theme on another site and I compared the content of each of the .js files. I found at the end of the code there was some additional code beginning with var _0xaae8=["","\x6A…… I have no idea what it was as I am not a coding person so will not copy the full extraneous code here. I then looked at the last modified date on the file and looked for .js files with the same last modified date and found quite a number and on checking a few they had the same code at the end.

    I reinstalled the theme and also found a number of themes had been installed on the sites, which I had not done. Also on one of the sites I found a plugin that I had not installed. I deleted these.

    As the problem was in a number of .js files I thought manually fixing it would take me ages and also I had no idea how they were “infected”. After some research I installed the free version of Wordfence plugin and ran the scan. I checked the scan themes and plugins option before running the scan.

    It picked up a number of plugins that were infected. Wordfence has a function to fix the plugins, which it did successfully. However, a couple of plugins were not picked up by Wordfence and I was able to fix these manually.

    I also changed all the passwords for the administrator users of the websites. And crossed fingers that I had resolved the problem but I had not discovered the cause.

    48 hours later BANG! They got hit again, including Wordfence. Fortunately Wordfence was able to log a strange login to the main site's admin area from an IP address that was not known to me at about 2am in the morning. Also the login password for that site had been reverted to the old password. I also found another strange theme installed and on another site a strange plugin. I removed these, deleted and reinstalled Wordfence. This time before running the scan I also checked the option to scan files outside the WordPress install. It found numerous instances of the hack in .js files with the message "The infection type is: Redirector:PHP/0xaae8". Wordfence resolved most and I resolved the others manually.

    This time I also changed all the User ids and passwords for the WordPress administrators and also deleted all FTP accounts, and changed the hosting password on the premium hosting service being used.

    On checking this morning Wordfence shows a number of attempted logins using the old login so hopefully I have resolved the issue for now.

    But what troubles me is how was the old WP administrator user id found, it was not admin, and how was the password determined? It was a complex string of characters.
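The manual check described in the post above (compare each .js file with a clean install, look for the appended `var _0xaae8=` code, then pivot on the last modified date), as an added example that is not part of the original post. The function names and the sample files are constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import date

MARKER = b"var _0xaae8="  # opening of the appended code quoted in the post

def scan_js(site_root, clean_root=None):
    """Return {relative path: finding} for every .js file that contains the
    marker or differs from the same file in a clean copy of the site."""
    findings = {}
    for dirpath, _dirs, names in os.walk(site_root):
        for name in (n for n in names if n.endswith(".js")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root)
            with open(path, "rb") as fh:
                data = fh.read()
            ref = os.path.join(clean_root, rel) if clean_root else None
            if ref and os.path.isfile(ref):
                with open(ref, "rb") as fh:
                    clean_hash = hashlib.sha256(fh.read()).digest()
                changed = clean_hash != hashlib.sha256(data).digest()
            else:
                changed = None  # no clean copy to compare against
            if MARKER in data or changed:
                day = date.fromtimestamp(os.path.getmtime(path))
                findings[rel] = {"marker_at": data.find(MARKER),
                                 "changed": changed, "modified": day}
    return findings

def modified_days(findings):
    """Days on which flagged files were last modified: the pivot the post
    used to look for further tampered files."""
    return sorted({f["modified"] for f in findings.values()})

def demo():
    """Constructed sample: a clean theme copy and a tampered site copy."""
    clean, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    good = b"jQuery(function ($) { $('.menu').show(); });\n"
    for root in (clean, site):
        os.makedirs(os.path.join(root, "js"))
        for name in ("menu.js", "slider.js"):
            with open(os.path.join(root, "js", name), "wb") as fh:
                fh.write(good)
    with open(os.path.join(site, "js", "menu.js"), "ab") as fh:
        fh.write(MARKER + b'["placeholder"];\n')  # stand-in, not the real payload
    return scan_js(site, clean)

if __name__ == "__main__":
    for rel, finding in demo().items():
        print(rel, finding)
```

A file flagged with `changed` set but `marker_at` equal to -1 differs from the clean copy without carrying this marker, so it still needs a manual look.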

    AVAST and AVG are also reporting this in 2 WordPress websites I maintain. How can it be removed?

    Thread Starter grt007

    (@grt007)

    Time is now 9:20am and date is displaying correctly?

    Not sure what is happening

    Thread Starter grt007

    (@grt007)

    After much research I could not find a solution. I tried leaving the location field blank to see what would happen and it showed the weather for Austin Texas. During my research I did find that the plugin was based on a JS plugin from Austin Texas so I figured if I could find where that was set I maybe could change woeid to the location I wanted in the plugin itself. I edited the code for wp-simpleweather/jquery.simpleWeather.js and found this code:

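    (function($) {
      "use strict";
      $.extend({
        simpleWeather: function(options){
          options = $.extend({
            location: '',
            woeid: '23418445', // location ID used when the location field is blank
            unit: 'f',
            success: function(weather){},
            error: function(message){}
          }, options);
          // (excerpt; the rest of the plugin file follows)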

    I changed the Austin Texas woeid to that for my location and all is good.

    This site can be used to find the woeid for your location: http://woeid.rosselliot.co.nz
