• Resolved rebeccabroom

    (@rebeccabroom)


    Good morning,

    I have located an extremely obscure virus injected into our website and it does not seem to get picked up by the Sucuri Plugin

    The code is injected just after the body tag.

    In almost all browsers this is perfectly fine. The offending code is not present and not causing concerns, however in older versions of IE (So far I have discovered the bug in IE7 and IE8, and confirmed it is not present in IE EDGE) a very malicious code appears and attempts to install viruses and other unwanted material on the client machine.

    Additionally the code only appears to show up after clearing the cache and cookies of the browser before attempting to load the url.

    The following page displays this error very clearly: https://etrainu.com/update-browser/
    ?
    A full copy of the suspicious material has been emailed to [email protected]

    The code itself appears to change each time the page loads, making the methods I would usually use to locate the offending code ineffective.

    Additionally, I have attempted, with my limited PHP knowledge, to dump out the contents of the GTM plugin code to ensure it is not the source of the infection and it appears to be clean.

    Our developer is currently working on the theory that the body content is being buffered, and then modified before being rendered to the browser, allowing it to check for IE

    Are there any solutions or insight you can offer?

    Thanks for your help.

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)
  • I do not have a Windowz machine to reproduce the issue, but I see a notice in header related with BBPress [1] plus two warnings thrown by a plugin named “tickera” generated because of the first notice.

    I can not provide much information without access to the website, but I can suggest you to do what I would do in this case; your developer probably knows how to use the “grep” command, so I will assume that you posted this ticket because he could not find anything relevant using it. In this case my recommendation is to take down the website, install a fresh copy of WordPress with an empty database, and start adding each plugin you have installed one by one, and check the source with every addition to find the culprit of the issue that you are reporting.

    If a web scanner like SiteCheck [2] is not picking up the malicious code then is because it is using a condition to match certain criteria for the user-agent and/or the origin of the request. You will need a server side scanner in order to find the malicious code in your project.

    [1] Notice: bbp_setup_current_user was called incorrectly. The current user is being initialized without using $wp->init()
    [2] https://sitecheck.sucuri.net/results/etrainu.com/update-browser

    Thread Starter rebeccabroom

    (@rebeccabroom)

    Thanks Yorman,

    We were trying a few things at the same time, and ended up getting a Sucuri Pro account and letting you guys remove the malware.

    The error you saw is a conflict with bbpress and one of our plugins, and I think it is a separate issue. I am in the process of trying to see which plugin is causing the issue.

    Thanks for your help.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Virus not being picked up by plugin’ is closed to new replies.