Title: Plugin frontend checklist containing malicious code? Last modified: September 10, 2016 --- # Plugin frontend checklist containing malicious code? * Resolved [sinna](https://wordpress.org/support/users/sinna/) * (@sinna) * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-frontend-checklist-containing-malicious-code/) * Hello, * my site was opening Ads when clicking links. I had the security experts from sucuri scan my site and they identified your plugin file as the source. * It’s opening ads like these: [http://www.secretkontaktdienst.com/slp18_1?p=349927&prid=72207&pi=anna](http://www.secretkontaktdienst.com/slp18_1?p=349927&prid=72207&pi=anna) * See here for the message from sucuri: * **quote** * The second thing is that I was able to track down the redirects, here is the evidence: * ————————————————————- [http://pornburger.com/ar/out](http://pornburger.com/ar/out) [http://russian-baby.com/US/1/?offer_id=1559&aff_id=7437&url_id=0&aff_sub=1006&aff_sub2=&aff_sub3=&aff_sub4=&aff_sub5=](http://russian-baby.com/US/1/?offer_id=1559&aff_id=7437&url_id=0&aff_sub=1006&aff_sub2=&aff_sub3=&aff_sub4=&aff_sub5=) * ————————————————————– * According to my research, these redirects are being initiated by “foucdn.com/ c/trdsi”, could you please confirm if you’re aware of this code ?, here is the request: * URL: [http://foucdn.com/c/trdsi](http://foucdn.com/c/trdsi) Loaded By: [http://adult-income.com/wp-content/plugins/frontend-checklist/frontend-checklist.js?ver=fdc87c115e4575a7d72e29475509dd5c:58](http://adult-income.com/wp-content/plugins/frontend-checklist/frontend-checklist.js?ver=fdc87c115e4575a7d72e29475509dd5c:58) Host: foucdn.com IP: 104.28.24.9 Error/Status Code: 200 Client Port: 4310 Request Start: 1.798 s DNS Lookup: 183 ms Initial Connection: 33 ms Time to First Byte: 2577 ms Content Download: 0 ms Bytes In (downloaded): 0.5 KB Bytes Out (uploaded): 0.3 KB * In addition to that, the code has been located inside of the file “frontend-checklist. js ” located at “wp-content/plugins/frontend-checklist/” * WARN: Found suspicious file: ./wp-content/plugins/frontend-checklist/frontend- checklist.js (NOT CLEANED) – Manual inspection required (custom.search1): Content:‘ foucdn.com/c/trdsi”>’);function getCooki’. * Could you please confirm with your developer whether this code is legit ? * **/quote** * Can you answer the question? Do you know that code? Viewing 2 replies - 1 through 2 (of 2 total) * Plugin Author [JonasBreuer](https://wordpress.org/support/users/jonasbreuer/) * (@jonasbreuer) * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-frontend-checklist-containing-malicious-code/#post-8167468) * Hi sinna, * I’m sorry to hear about your malware problems. There is no such code in the Frontend Checklist plugin, like you can download it on wordpress.org. You can verify that by downloading a fresh copy and searching for “foucdn.com” in the frontend-checklist. js. * It is a common behaviour for malware to search the server for any files of a certain type and injecting it’s code in there. The source of malware can be the server settings, the WordPress version, another plugin, leaked FTP data, etc. It will most probably not be enough to re-install Frontend Checklist since the source is somewhere else and will most-probably re-inject the code at a later time. I would recommend you get your site cleaned by a security professional. The process will involve overwriting all WordPress core files, plugin files and theme files with fresh versions from the repository. The remaining files have to be hand-checked. A professional will also try to find the source of the malware. * Cheers, Jonas * Thread Starter [sinna](https://wordpress.org/support/users/sinna/) * (@sinna) * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-frontend-checklist-containing-malicious-code/#post-8170529) * Hello Jonas, * thank you for the fast reply and explanations. I got that info from the security and malware professionals of sucuri (which I hired) and can now give your info back to them so they can dig deeper and find the source. * thanks! Viewing 2 replies - 1 through 2 (of 2 total) The topic ‘Plugin frontend checklist containing malicious code?’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/frontend-checklist_bfd1de.svg) * [Frontend Checklist](https://wordpress.org/plugins/frontend-checklist/) * [Frequently Asked Questions](https://wordpress.org/plugins/frontend-checklist/#faq) * [Support Threads](https://wordpress.org/support/plugin/frontend-checklist/) * [Active Topics](https://wordpress.org/support/plugin/frontend-checklist/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/frontend-checklist/unresolved/) * [Reviews](https://wordpress.org/support/plugin/frontend-checklist/reviews/) ## Tags * [ads](https://wordpress.org/support/topic-tag/ads/) * 3 replies * 2 participants * Last reply from: [sinna](https://wordpress.org/support/users/sinna/) * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-frontend-checklist-containing-malicious-code/#post-8170529) * Status: resolved