Jimmyt53

I had exactly the same problem but with a different plugin from the same authors – in this case it was their mysql backup plugin.

Something has gone wrong here – and they need to fix it before their reputation is trashed. I have notified my server’s support staff of the problems with “Alex and Anthony” plugins.

I just upgraded to WP 3.6 and it seems to have gone

However, in the file I saved, base64_decode does turn up About halfway down, where the following code appears’

if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
	$stringTools = array(
		'Base64 encode' => 'base64_encode',
		'Base64 decode' => 'base64_decode',
		'Url encode' => 'urlencode',
		'Url decode' => 'urldecode',
		'Full urlencode' => 'full_urlencode',
		'md5 hash' => 'md5',
		'sha1 hash' => 'sha1',
		'crypt' => 'crypt',
		'CRC32' => 'crc32',
		'ASCII to HEX' => 'ascii2hex',
		'HEX to ASCII' => 'hex2ascii',
		'HEX to DEC' => 'hexdec',
		'HEX to BIN' => 'hex2bin',
		'DEC to HEX' => 'dechex',
		'DEC to BIN' => 'decbin',
		'BIN to HEX' => 'binhex',
		'BIN to DEC' => 'bindec',
		'String to lower case' => 'strtolower',
		'String to upper case' => 'strtoupper',
		'Htmlspecialchars' => 'htmlspecialchars',
		'String length' => 'strlen',
	);

It’s a big file with a lot of scary words (like “Brute”) hopefully i got it before it did any harm.

This is probably not the way to do this but this is what I did.

I copied the files to my hard drive using Filezilla. Sure enough Norton 360 picked up two Trojans in the Simple Forum avatar files. (I immediately afterwards did a deep virus check with Norton 360 to make sure I hadn’t infected my computer.)

I also contacted my host (Sureserver) and they got their hacking experts on to it. This is what I should have done as soon as aI noticed the website behaving oddly. Anyway, they found a third Trojan in the same directory.

They also later discovered that a rogue “base64/eval” code in the phpmyadmin folder was dumping the rogue code in my index.php file. They advised me to kill phpmyadmin as there have been a lot of attacks through those files which are no longer required in any case.

EVERYBODY SHOULD DO THIS NOW! UPGRADES DON’T REMOVE REDUNDANT FOLDERS OR FILES AND THEY ARE VULNERABLE TO ATTACK.

meanwhile I ran the plugin “Exploit Scanner” which picked up literally hundreds of ‘potentially” dangerous code. I copied the results to Sureserver (Word arranges it into a neat table) and they assured me there was no dangerous code in what the scanner had picked up.

As of now I’ve been going about 10 hours without a repetition of the attacks (touch wood). I am now backing up and changing passwords. I have also removed the ability for members of my forum to upload their own avatars.

Oh, and by the way, for the record, it had nothing to do with All-in-one SEO. Sorry about that.

OK, Thanks On it now

It’s Back. And yes it looks like some kind of hack. Norton is stopping an attack by “Blackhole Toolkit”.

I have had online checks done of the website and it’s coming up clean

This is very worrying. Guess I’ll have to clean out the website.

Have disabled All-in-one SEO plugin and so far so good. Fingers crossed, that was the issue. If so, all I need now is a reliable SEO.

Finally worked out Pastebin.

Here’s the index.php with the extra coding
<script src=”https://pastebin.com/embed_js.php?i=B1QguY7h”></script&gt;

And here’s the ‘rogue’ code translated

<script src=”https://pastebin.com/embed_js.php?i=uus6mihQ”></script&gt;

OK, as an absolute newbie – I know what the main CSS is but “adding style code to match the ID of the text in question”?? Can anybody point me in the right direction because I’m having the same problem and it’s driving me nuts trying to find out which piece of coding I need to change. Thanks.