ddmcleod

I am now seeing the same problem on a different website with a similar configuration. When WordFence is enabled, I see the

The site is experiencing technical difficulties.

following a login through DigitalAccessPass.

David McLeod

Marius,

Thanks for the clue. Switching to all lowercase in the URL solved the problem.

Thanks!

David

I ended up using a different approach, so the CPTUI plugin was no longer required.

thanks,

David

Sorry, another detail about this. After the message is displayed, the input box below also asks for either username or email. This, too, should be limited to just the email address. (Or whatever is specified by the login type option.)

One thing I found for myself is that if I do a “Generate Full Backup” on HostGator and download the resulting tar.gz file onto my computer, then I can use Windows Defender to run a scan on that file. In my case the file is about 1.5GB in size and includes approximately 100,000 files, so it takes about 25 minutes to do a full scan. Windows Defender was able to detect the virus quite easily, and it was able to identify for me where it was located. Interestingly, it was mostly cached files that were infected, so when I deleted those and reset my caching plugins most of the infections disappeared.

I kept doing this until I was able to generate a clean backup on HostGator and assure myself that there are no more instances of the trojan on either my computer or my hosting service.

I think the mechanism for this trojan is as follows:
1. I go to a site that has the infection in one of its files. Nothing appears amiss when I visit this site.
2. I download something to my computer, where the trojan sees a “friendly environment” for operating.
3. At some point, I log into my HostGator account and the trojan recognizes the ftp connection. It uploads itself silently to my hosting service and modifies the files that it wants to modify. It can do this because it has access through my own credentials–even if it didn’t capture my credentials when I logged in.

I think all of this happened before Windows Defender became aware of the Trogan and updated its databases. Now, anytime I download something that has the infection, it is caught immediately.

Anyway, I’ve changed all my passwords and made them even more secure than they were before. I think I am out of the woods now, but I’m still on the lookout.

Good luck to everyone else.

Cheers,

David

As you saw in my earlier post, this trojan seemed to operate from my home machine. When it saw that I had logged into my hostgator account, it somehow tagged along and modified every header.php file it could find. I’m pretty certain that the trojan CANNOT operate from within the Hostgator environment–which is a Linux/Unix environment (unlike my home machine which is Windows 10).

Anyway, once I eliminated the trojan from my system, using Windows Defender AND Malwarebytes, I was able to clean up the header.php files and the problem has not recurred.

I still don’t know how the malware got onto my machine in the first place–I’m sure that it can come from various sources on the internet–but I’m confident it is gone…for now!

As for my website structure, I use different themes and different plugins on different websites. This trojan didn’t seem to care about any of that; it just modified all header.php files indiscriminately. In particular, I don’t use any of the themes or plugins that you’ve listed here.

Get Malwarebytes working on your computer; another alternative is SuperAntiSpyware which I’ve heard good things about but I haven’t tried myself. My Windows Defender is doing its job!

Hope this helps.

David

I think I found the source of this problem. It took the better part of two days to figure out, but as I put together the whole sequence of events, it looks like the following happened:

1. My computer got infected with the Trojan:JS/Iframeinject malware. This was detected and eliminated by Windows Defender, but not before the damage was done.
2. While this virus was active, I logged into my HostGator account. The virus appears to have injected its script into every header.php file it could find. Very cleverly, the malware achieved this by doing the following:
a. It read the timestamp on the header.php file.
b. It inserted its script right after the <body…> tag and saved the file.
c. It then touched the file to reset the timestamp to what it was before the modification.
3. Every header.php file in my system was modified, and this is what caused the spurious changes to occur in my rendered html.

Once the virus was completely removed from my computer (which took several scan passes by Windows Defender and Malwarebytes), it was a relatively simple task to remove the offending script lines from all of the header.php files. I did all of that manually. I could probably have accomplished the same by just upgrading all my themes; however, I wanted to make sure that none of my other changes got overwritten.

The problem seems to be resolved now, but I leave this information here in case someone else runs into the same problem.

Cheers,

David

Tried all that.

Also tried uploading different versions of WP. I got a clean result at WP 4.2 then I upgraded my plugins and the trash started showing up again. Can’t seem to clear it at all now.

Clearing cache, history & cookies doesn’t resolve the problem. I can’t tell where this injected code is coming from. Also, Google doesn’t seem to be much help in telling me anything useful about https://kfc.i.illuminationes.com/snitch, which is one of the links that is being created.

I’m completely baffled by this. Sure would be nice if someone else was seeing this problem so I could have another set of eyes on it.

You can see this problem for yourself at https://www.ilovemyshadow.com

I am having exactly the same problem as Jennie. It’s not at all obvious how to enable/disable comments for a particular post or page. Some help here would be appreciated.

Yes, thank you.

I also discovered that if you click the “Screen Options” tab at the top of the page, there is a “Discussion” checkbox that needs to be checked, in which case, a Discussion panel with “Allow comments” and “Allow trackbacks and pingbacks on this page” appears on the main Edit page as well.

Thanks again,

David

I am using U-Design, a premium theme that I got from ThemeForest. I’m also using WishList Member and a plugin that simplifies connection between PremiumWebCart and WishListMember–as a matter of fact, it was the developer of this last plugin who recommended “Theme My Profile” to me. However, when I went to download “Theme My Profile”, I saw that you don’t support that anymore, and that you recommend people use “Theme My Login” instead, which is why I installed that instead.

My active plugins are:
Akismet
Custom Contact Forms
PiMS PWC+
Plugins Load Order
Quick Page/Post Redirect Dev
SeedProd Coming Soon Pro
TinyMCE Advanced
U-Design ShortCode Insert Button
WishList Member
WP Show IDs
WP Super Cache (activated, but caching turned off)

Everything was working fine until I added the Theme My Login plugin and activated it. At that point, I can go to specific pages as normal, but when I try to go to the main page (settings configured to go to static “Home” page), I get the error I described before.