Malicious text appears when i am logged off

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

One of your plugins is hacked with this or similar code:

[redacted]

Here is the translation:
[redacted]

Search the hacked code text in all your wp files and simply remove it from the file.

[Moderator note: Please do not post malware code in the forums.]

• This reply was modified 8 years ago by Steven Stern (sterndata). Reason: redacted malware

@gabriello

I’m having the same issue. I don’t have any hacked or nulled plugins but I installed several outdated plugins inorder to make my registration page display the terms and conditions and since then I’m getting this message “Want create site? Find Free WordPress Themes and plugins.Did you find apk for android? You can find new Free Android Games and apps.”

I have removed all those plugins but still I’m getting the message. Please tell me how to remove it. Where and how should I search my files to get rid of the hacked code?
Please help! thanks in advance.

greedymind:
1. Please start a new thread for your issue if you need additional help rather than “me, tooing”.

2. Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

You have to find the malicious code in the infected file! In this forum it is not allowed to share malicious code, so I cannot write down to you what exactly you have to find.

But I hope I can help you with this steps:

1. Download your entire wordpress installation to your computer. ex.: D:\YourSite\
2. Install a text finder app to your computer. ex.: https://www.ultraedit.com/downloads/ultrafinder.html
3. Google to your malicious text with the text hexdecoder. ex.: Want create site? Find hexdecoder
4. In the first hit will be your code what you have to find in your files. (They are numbers with \ characters.)
5. Start ultrafinder.
6. In “Find What”: paste the code (or just some part of it) you find in previous step (numbers with backslashes).
7. Choose at right side Find matches by: “File contents”
8. In “Find where”: choose your wordpress install folder (ex.: D:\YourSite\)
9. Hit START
10. It will find the file what inject the “Want create site?..” text to your pages.
11. Remove the code from the file and copy back to your FTP

I had this issue…it was a function added to the end of a plugin .php file.
Searching the outputted text did not help as mentioned above it is encoded in the file.
I found this page ….https://ddecode.com/hexdecoder/?results=1d2581e4d2824585fe6995e6e36df607
which I used to file search via ultraedit my wordpress installation…it had enough of the text to get a hit and locate the offending code.
Deleted it and all good.
Hope this helps someone as it is on alot of sites

Thank you @gabriello

I have found the hexadecimal code and removed it. Apart from this there were several other codes snippets injected into my theme files. Besides this there was also a whole new file named class.wp.php. With the help of ‘wordfence” plugin I removed the extra codes and deleted the file and all is back to normal.

Thanks a lot again. much appreciated.

@gabriello worked like a charm! I did exactly what you said step by step. thank You So Much!
@greedymind I would like to thank you for that WorldFence tip. I’ve installled and fortunatelly notihing found, but it worths to install.
And a special THANK YOU to Mr. @sterndata for those link tips, i never thought that WordPress securit has a such extensive material. THANK YOU
And i know they are not here but i would like to mention the help from the Staff of SucuriNet(https://sucuri.net/signup/) and https://ddecode.com for reply my emails.

Bye Fellows!

I have exactly the same problem with “Want create site? Find Free WordPress Themes..”
@gabriello please, can you explain better your hird step:
3. Google to your malicious text with the text hexdecoder. ex.: Want create site? Find hexdecoder
How exactly can I google my malicious text with the text hexdecoder?
Thank you!

principante:

Do this… There is no need to decode anything.

Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Thank you Steve,
I read all guide and was implement all recommended security measures but problem still persist.
So, next step is to pay to someone to clean my site or is there anything else that I can do to solve the problem without spending money?
It seems that @gabriello found solution and help to few user.

Edited:
Ahhh…forget to mention that I was take a deep breath too ??

• This reply was modified 7 years, 11 months ago by principiante.

principiante: Exactly what did you do to try to fix your site?

Hi @principiante

This is caused by downloading a nulled theme / plugin from a specific site. Here’s how you can fix your problem:

1.) Download a plugin which searches your files such as ‘String Locator’.
2.) Search for ‘sorry_function’ (without the ‘) in the whole wordpress directory. Once complete you can see which theme / plugin is effected and in which file. You can either remove the code from the file or uninstall the theme / plugin completely.
3.) Do another search to make sure you’ve removed the code successfully.

I would however recommend buying the theme / plugin to help prevent issues like this in the future.

Good luck!

• This reply was modified 7 years, 11 months ago by JackTheAdmin.

@steve, first, I was take a deep breath and and carefully follow this guide
Then I was implement all of the recommended security measures.
And that didn’t help me becouse problem was still persist.

What I didn’t do is to contact reputable organizations that can clean my site becouse there was no need to spend 99$ on wordfence to scan my site (free version of wordfence didn’t find any malware)

@jacktheadmin Thank you so much!!! Plugin String Locator didn’t work on my site
(The above error was returned by your server, for more details please consult your servers error logs, but there was no any error “below”.
Anyway searching for ‘String Locator’ was great point.
I was found malicious code in nulled plugin (using them sometimes to testing functionality). After deleting this part of code everithing is ok again.
Thank you!

I found this pice of code in 1min.

My solution and yours when your WordPress runs on a linux derivative:

Create a file in the root of your WordPress called e.g. linux.php.
Use this pice of Code to found the file with line number:

<?php
$res = shell_exec('grep -rnw "./" -e "function sorry_function"');

echo '<pre>';
print_r($res);
echo '</pre>';

Remove this file after found this [redacted]-Code.

I hope i could help.

Regards, Daniel

• This reply was modified 7 years, 8 months ago by Steven Stern (sterndata).