Cosmeticsrc malware in site

Hi @acehobojoe,

So that I can see your site URL myself and a few other details of your WordPress environment, can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

Thanks,

Peter.

Peter thank you for that. I have obviously removed the malicious code manually, but let me see if I can find a version of the site that still has it so you can examine it.

I’m going to load the elementor template in that is infected in the staging environment.

https://wordpress-472822-1743422.cloudwaysapps.com/index.php/test-page/

here’s the test page with the code that is malicious. Wordfence scan isn’t picking it up, but normal antivirus software on pc’s can see the malicious site injected into the page.

I don’t know what plugin had a vulnerability, but it would be nice to have a solution that can pick up on it when it occurs.

Hi @acehobojoe,

Thanks for sharing the page and code you were seeing. I have requested that our threat intelligence team look into this a little further. If it is added to our list or requires updating to prevent your situation happening again, your protection will automatically be updated in the usual way.

As you mention cleaning your own site, to ensure it is truly clear from reoccurring was certainly the correct route to take. If you have already followed these steps, that’s fine but I didn’t want it to go unmentioned in case there’s anything helpful in there that could stop it from reoccurring.

Follow the checklist here:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
https://www.ads-software.com/download/releases/
WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this if you haven’t already.

Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

Thanks again,

Peter.

wooohooo thanks peter. I’m honored to have this virus added to the threat list.

I will keep an eye out for updates on all my sites and will update sftp/db passwords.

Hi @acehobojoe, we have indeed added the site you describe to our malicious domains list.

Thanks once again. If you have any further Wordfence issues in future, please start a new topic and we’ll be glad to help you out any time!

Peter.