Title: ScreenName's Replies | WordPress.org

---

# ScreenName

  [  ](https://wordpress.org/support/users/screenname/)

 *   [Profile](https://wordpress.org/support/users/screenname/)
 *   [Topics Started](https://wordpress.org/support/users/screenname/topics/)
 *   [Replies Created](https://wordpress.org/support/users/screenname/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/screenname/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/screenname/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/screenname/engagements/)
 *   [Favorites](https://wordpress.org/support/users/screenname/favorites/)

 Search replies:

## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 21 total)

1 [2](https://wordpress.org/support/users/screenname/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/screenname/replies/page/2/?output_format=md)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[User Access Manager] [Plugin: User Access Manager] Advanced Use of UAM (Automation of Subscriber Roles)](https://wordpress.org/support/topic/plugin-user-access-manager-advanced-use-of-uam-automation-of-subscriber-roles/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-user-access-manager-advanced-use-of-uam-automation-of-subscriber-roles/#post-2814685)
 * Looks like i have found a solution… the below code updates the usergroup. As 
   long as you know the WP_UID and the GROUP NUMBER.
 * WP_UID can be pulled form the WP_DB with a simple username/password verification
   script (not included here).
 * The group number(ID) can be found in the HTML souce code of any subscriber page.
   Look for the CheckBox formfield value.
 * > Example:
   >  <input type=”checkbox” id=”uam_usergroups-1″ value=”1″ name=”uam_usergroups[]”/
   > >
 * You could potentially first query the UAM class for a list of all groups, but
   this was beyond my needs so I have not spent time investigating it.
 * The below code updates the Groups associated with the access level.
 * In this case the GroupID being update is Group 2.
 *     ```
       $wp_uid=25; //WordPress user ID
         $userGroupId=2; // Group ID to be updated
   
         global $userAccessManager;
   
         $uamAccessHandler = $userAccessManager->getAccessHandler();
         $uamUserGroup = $uamAccessHandler->getUserGroups($userGroupId);
   
         $uamUserGroup->addObject('user', $wp_uid);
         $uamUserGroup->save();
       ```
   
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/page/2/#post-2783968)
 * Update: Its been 4 days since my last post. All sites are clean… no reports from
   google or site users otherwise.
 * It would appear the malware code was injected into a WP_Include file, thus the
   update to 3.2.2 has over written the hacked file. If you are running 3.2.2 already
   you might try copying a fesh seto f WP include files ot your WP_Includes directory…
 * As for “how” this attack happened, I am unsure – and we may never know… so for
   now I am tightening all security on the server to protect us as best as possible.
   I suggest other WP users do the same.
 * Thank you to the community – especially those listed above for all your help 
   and support.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/page/2/#post-2781158)
 * Thank you Takayuki Miyoshi.
 * I have updated to 2.4.6 and it works. I will wait to try the new version once
   released. Thank you for your help.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/page/2/#post-2781137)
 * For now I will roll each site back to 2.4.3
 * If there is anything else i can do to help you pinpoint the issue please let 
   me know.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/page/2/#post-2783926)
 * I would suggest the vulnerability in the server or WP is still present in the
   latest version. Allowing the hacker access. I upgraded AFTER notice of the virus(
   May 30).
 * I run 5 websites. I did not upgrade them all… instead I upgraded only 1, then
   resubmited them all to google for a health review.
 * Within hours all sites were listed as “clean”… but with 48 hours I had a new 
   notice from google regarding TWO of the 4 sites not updated to WP 3.2.2.
 * Since then I have updated these sites and resubmitted for Google HealthCheck.
 * I’ll need ot take a good look at how the hacker gained access to prevent this
   happening again. I’ll post anything I find that might be useful for others.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783920)
 * OK, great, thanks. I’d done a search in my PHP files for hte same script (and
   portions of) and nothing is returned… however…
 * If the location was the same for me (hidden in WP includes) then the upgrade 
   on my sever from and older version of WP to 3.2.2 would have overwritten the 
   file, thuse removed the virus.
 * I’ll need to resubmit to google and wait. Meanwhile I work on possible security
   issues that might have allowed the hacker access to the site.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783915)
 * would you mind posting the line you found?
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783870)
 * Agreed, and many of those steps are already taken… and will be taken again once
   the source is found.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783861)
 * Ahh… looks like the moderator pulled my list of files…
 * Here is is again (condensed)
 * * ./wp-app.php (Filename)
    -long_text – base64_decode(substr($_SERVER[‘HTTP_AUTHORIZATION’-
   long_text – base64_decode(substr($_SERVER[‘REDIRECT_REMOTE_USE * ./wp-includes/
   class-IXR.php (Filename) -unknown – base64_decode( trim( $this->_currentTagContents*./
   wp-includes/class-simplepie.php (Filename) -unknown – base64_decode($data
 * I’ll check out the tool you have suggested.
 * I am encouraged that I am not the only one stupmed by this issue… and that there
   will be a host of people looking to solve this issue very quickly.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783840)
 * Hi Redleg-too
 * The offending script code on my site isalmost identical to the one on your post
   at [https://badwarebusters.org/main/itemview/29055#itemblock-29059](https://badwarebusters.org/main/itemview/29055#itemblock-29059)
 * The bulk of the code is identical. Only the second half of the first param val/
   var (“en0no3mno3nia-sno3ndpno3rxrpno3rxen0d”) is different.
 * I’ve pasted a copy to Patebine for further review [http://pastebin.com/JUVgBW5P](http://pastebin.com/JUVgBW5P)
 * I’ve also completed a base64_decode search of all files below are the results.
   Only 3 files in my domain folder(and subfolders) contains the base64_decode line.
 * Only 3 files returned a match.
 * The first two look legit… however the third (class-simplepie) I need to check
   against a fresh install of WP to confirm thsi file and all contents are delivered
   with WP install.
 * _[Code moderated as per the [Forum Rules](http://codex.wordpress.org/Forum_Welcome#Posting_Code).
   The maximum number of lines of code that you can post in these forums is **ten
   lines**. Please use the [pastebin](http://wordpress.pastebin.com/)]_
 * Would you like a report of files containing “EVAL”
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/page/2/#post-2781118)
 * I just tried a different WP site
 * upgraded WP to 3.2.2
    Then upgraded the CF7 plugin to 3.1.2
 * It now has the same issue… page will not load while plugin is activated.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/page/2/#post-2781117)
 * debug now = TRUE
 * Version 2.4.3 page loads ok
    Version 3.1.2 same as before….
 * Is there a log I can retrieve?
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/#post-2781113)
 * Deactivated all plugin’s including CF7 and page loads (but without form – shortcode
   displayed)
 * Activated CF7 version 2.4.3 –> page loads with form
    Deactivated 2.4.3
 * Activated CF7 3.1.2 –> Page does not display – same message as before.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Contact Form 7] [Plugin: Contact Form 7] No CF7 pages will load after 3.1.2 update (WP 3.3.2)](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-contact-form-7-no-cf7-pages-will-load-after-312-update-wp-332/#post-2781110)
 * I have tested the default 2010 and 2011 themes (prior to and after updates of
   the themes). In all instances the resutl is the same…
 *  Internet Explorer cannot display the webpage
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Malware Script generated by WP_HEAD() in Header File](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/)
 *  Thread Starter [ScreenName](https://wordpress.org/support/users/screenname/)
 * (@screenname)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/malware-script-generated-by-wp_head-in-header-file/#post-2783774)
 * Thanks esmi
 * I was just coming back to update my post with a little more information…
 * I have already:
    1.  Visited both [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
       
       and [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/). bot 
       hshow the site and pages as clean
 *  1.  confirmed HTAccess files are all clean.
 * I will continue to search, read, apply and report back.
 * It seems though that none of the posts I can find are specific to the script 
   appearing from within the wp_head()… most talk about base64_decode PHP, Iframes,
   and code injected stright into the header/footer.php files. this is different…
   its being generated somewhere deeper in the WP files.
 * A complete reinstall might be the only way to fix… the source.. I may never know.

Viewing 15 replies - 1 through 15 (of 21 total)

1 [2](https://wordpress.org/support/users/screenname/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/screenname/replies/page/2/?output_format=md)