Plugin injecting trojan virus into my website

It’s just a Virus. What I did to get rid of it is, I deactivated it and instantly went into Plugin Editor and deleted Some Lines of Actual CODES of the Plugin File. Now It is not able to ACTIVATE again. Although, it is still exist in my Plugin List like a CANCER.

I just discovered this plugin on our site. It was not in our list of plugins via the dashboard I only found it after looking in the wp-content/plugins directory. There was a WP Cron Job created for usage tracking and once I deleted that the plugin wasn’t able to restore itself. I had deleted it from the servers and then roughly 2 hours later it reappeared. May want to check your sites for cron jobs that don’t belong there.

• This reply was modified 6 months, 1 week ago by jquerin.

Hi @jquerin,

Thank you for sharing your experience, I’m sorry you ran into that issue. I just wanted to share that the usage tracking cron that WPCode creates has no way to install the plugin automatically on your site and is simply used to check if the plugin is allowed to send usage tracking data if you opted in. This is done simply to avoid adding a check to all requests on your site as the cron in this case runs the check just 1 time per day and usually in a separate thread.

From the reports we got so far, in most cases the plugin is automatically installed by abusers using compromised user credentials so the first thing I recommend is to change the password for all administrator users and check if any unknown administrator users are registered on your site.

Thanks @gripgrip

It does look like the cron job had nothing to do with it, it was still early in my analysis.