Title: rofenstein's Replies | WordPress.org

---

# rofenstein

  [  ](https://wordpress.org/support/users/rofenstein/)

 *   [Profile](https://wordpress.org/support/users/rofenstein/)
 *   [Topics Started](https://wordpress.org/support/users/rofenstein/topics/)
 *   [Replies Created](https://wordpress.org/support/users/rofenstein/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/rofenstein/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/rofenstein/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/rofenstein/engagements/)
 *   [Favorites](https://wordpress.org/support/users/rofenstein/favorites/)

 Search replies:

## Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)

 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [advanced xp defender](https://wordpress.org/support/topic/advanced-xp-defender/)
 *  [rofenstein](https://wordpress.org/support/users/rofenstein/)
 * (@rofenstein)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/advanced-xp-defender/page/2/#post-786680)
 * Skaterkee, we have our own dedicated server, which means access like a normal
   computer. If you’re on shared hosting -contact your host to perform a scan.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [advanced xp defender](https://wordpress.org/support/topic/advanced-xp-defender/)
 *  [rofenstein](https://wordpress.org/support/users/rofenstein/)
 * (@rofenstein)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/advanced-xp-defender/page/2/#post-786676)
 * I’ve been struggling with this one too, but might(!) have solved it.
 * Couple of days ago this popped up on my custom coded php website. I’m running
   on a windows server and integrated into my site are 2 copies of wordpress and
   1 copy of phpBB. The only WordPress plugin running was akismet.
 * It seems to mainly infect files (see code in post above) with the prefix index,
   regardless of the extension. However, it did appear in login.php of phpbb.
 * Initially I thought this was an [injection attack](http://en.wikipedia.org/wiki/SQL_injection).
   So I removed all the hacked code from the infected files and upgraded to latest
   version of wordpress and phpBB.
 * We also have a custom form that uses a formmail script. I tightened up the validation
   on all the fields, and restricted the entry for fields to no more that 35 characters.
 * I thought this has solved it, until the next morning when it reappeared!
 * I then upgraded the formmail script, deleted any old files via FTP, changed ftp
   passwords and removed any other FTP users.
 * I also ran a spyware scanner on our server… Which is the key bit…
    It picked 
   up 2 trojans one of them being ‘advanced xp defender’.
 * So far (fingers crossed) we haven’t been re-infected.
 * I suggest that if you are having this problem that you:
    - Remove all malicious code from infected files
    - Upgrade to the latest version of wordpress/ other open source apps
    - Change FTP passwords
    - Upgrade plugins
    - Disable plugins that use forms on the front end
    - Delete any old files on your server
    - Ensure any custom forms use validation and the latest scripts
    - Get your host to perform a virus/spyware scan on their server
 * The spyware app I used was Spyware doctor from PCtools.
 * Hope this helps.

Viewing 2 replies - 1 through 2 (of 2 total)