Website has Popup saying ‘You’re a winner’. Wordfence scan can’t detect it.

  • Resolved jedco03

    (@jedco03)


    1 month, 3 weeks ago

    My website started having these pop ups like “You’re a winner” or something like that, usually the usual scam pop up. I downloaded wordfence hoping that it would help me with it, but with multiple scans, it wasn’t able to find the problem.

    I was hoping for anybody to help me or give me an idea on how to deal with this problem.

    I’ve already checked and updated all the plugins. All though I ran multiple scans, it didn’t seem to find the script. It is still happening and redirecting us to a malicious website, it happened even with different devices and different networks. Even a customer messaged us about the same reason.

    What I could gather about the threat are:
    1. It does not happen always, it may not redirect now, but it would later. It seems like the hacker doesn’t want to be easily found.
    2. It mostly happens when you search ‘EA Pilipinas’ on google first and then clicking the link. Typing the address doesn’t trigger it always. If it won’t show, try doing it in incognito also.
    3. Its mostly redirects, or this is just the thing I encountered.

    I really hope someone could help me with this. Please try and test if you would get the problem based on the things I shared.

    Try to search EA Pilipinas via google on incognito and click the website from there. From what I know it mostly happens on that method.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jedco03, sorry to see you’re having this trouble.

    I remember that you contacted us about another site and also have another topic open. Unfortunately we are unable to walk customers through a cleaning process here on the forums as there could be many factors as to why this has happened and a large quantity of investigation.

    I still can’t replicate the issue with the steps mentioned, or be faced with blocked popups/redirections, or other warnings from my browser that suggest my side is blocking the problem from showing itself.

    It looks like you’ve been extremely thorough already and I will once again suggest a few things that were not mentioned above. I would consider looking into the possibility a browser add-on or local problem with files installed on your computer that might be affecting your browsing whilst I understand you’ve replicated it in incognito/private.

    If your site was compromized in order to add the code/files, we’ll always recommend?the passwords for your hosting control panel, FTP, other WordPress admin users, and database?have?all?been changed. Also make sure WordPress, themes, and all of your plugins are fully up-to-date in case a known exploit on an unpatched vulnerability was used. Wordfence and other providers do have paid site cleaning services should you not be able to rectify the problem yourself, but this is by no means a requirement and I’m only mentioning it so you’re aware of all options.

    You may find our detailed site cleaning instructions and free Learning Center can help you find the cause and clear it yourself:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    https://wordfence.com/learn/

    I would recommend providing any suspicious file(s) you find to samples @ wordfence . com. If the source that caused it is packaged in a way Wordfence isn’t currently picking up during a full scan, our researchers can look into it and get back to you with a suitable course of action.

    Make sure any database credentials or keys/salts are removed before sending anything to us.

    Many thanks,
    Peter.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.