Eli

Hi @paramedic192,
Thanks for creating your own topic. I have replied to the new topic but my reply has been help for moderation.

https://ww.wp.xz.cn/support/topic/donatelloflowfirstly-follow-up/#post-13271843

Hopefully the moderators will release my reply soon 😉

My plugin already has this threat in the definitions. Are you saying that you have multiple sites infected with this threat and my plugin found nothing, or did my plugin find something but you think that this threat is still there after the auto-fix was applied?

Do you happen to have either the pixelyoursite plugin or the elementorplugin installed on any of these sites?

Can you give the URL of an infected site so that I can check it out?

If you don’t want to post any URLs on this public forum you can email the info directly to me:
eli AT gotmls NOT net

I’m sorry for your loss…

I think I can help you find the source of your infection if you haven’t cleaned it already.

First, understand that “rogueads.unwanted_ads” is just a general classification assigned by Sucuri to the ad scripts that they found on your pages. These can come from all kinds of different places with the PHP code in your site, it was not necessarily generated by files named wp-vcd.php, wp-tmp.php, wp-feed.php.

What my plugin does is totally different from any external scan of your forward facing HTML. My plugin scans all the source code on the back end of your site looking for any patterns that might be part of the malicious code that is responsible for generating those scripts in your HTML output. I can see that “popunder” script in your HTML right under you FB connect scripts in the HEAD. It could be a direct injection into your theme’s header.php file but it more likely using a WP hook to dynamically insert that script from some other PHP file. Either way we need to start by examining the contents of the header.php file in your active theme.

If you don’t want to post the code here you can send that file directly to me:
eli AT gotmls DOT net

Sure, I can help you track this down. Just to be clear, I suspect that this code is coming from a plugin you have installed or else it’s integrated into your theme files. Also, as these images are clearly used for metrics, I am not convinced that this is even a malicious injection.

I can see that there is a meta tag in your HTML HEAD with the property “og:image” which loads content from reddogdangerous…
Also, as I said before, I see some hidden images in the first fusion-flip-box column on your home page.

I realize that this Avada theme you are using is a premium theme which usually costs around $60 to download. So I can’t help but jump to the most likely conclusion which would be that the developer of your site found some pirated/unofficial copy of this theme available from some other source either for free or at a steep discount. Unfortunately, when you download a premium theme from a free download site is it almost always hacked or modified in some way to benefit to the 3rd-party who pirated the original theme. They might add malware or even a back-door, or it might just be a little tracking include which is what I think you got, or I could by completely wrong here and this code might have been added some other way.

So, first thing would be to check the header.php file in the Theme Editor of your wp-admin to see if that META tag with the reddogdangerous content is hard-coded into that theme file or if it’s being injected dynamically by some other PHP include.

You can send me the contents of the header.php if you don’t want to post it on this public forum:
eli AT gotmls DOT net

Hi @bigbabol1981,
rogueads.unwanted_ads is a Sucuri thing. They have detected ads or metrics from from reddogdangerous[.]com and they are flagging these as “bad”. Have you included these hidden images in your site for metric purposes? if not then maybe they were part of your theme or a plugin you added. I see some references in the header and also some in the first fusion-flip-box column on your home page. If you did not add these and you are not sure why they are there or feel that they were put there maliciously then I can help you locate the original source code and remove them.

Do you know when you stopped being able to edit the theme, and what might have been added to the site around that time?

Are you sure that the redirects that you experience are caused by the code in your site and not something installed in your browser? Does it ever happen on other computers?

You can disable all the plugins that you don’t absolutely need for your site ti function and then see if the redirect goes away? Also, compare the complete list of Plugins installed with the list of Plugin folders that my scanner sees ( the list will pop up when you click on the word “plugins” under “What to scan:” on the Scan Settings page. Is there anything on that list that you cannot match up to one of the plugins that you know you have installed?

ok, so 6 hours is way too long. there must be something that is interfering with the scan and causing it to take so long, which might also explain why it was unable to get past 99%.

If you want to send me a screenshot of the scan progress now (or after at least 20 minutes of scanning) then it might help me determine if there is something obvious that is causing the scan to take so long. I can tell a lot from the initial file/folder count, and calculate the time it is taking on each file vs. the total estimated scan time to see if it is general slowness on the server of scan trouble in specific directories that could be causing it to hang.