sharoncreech

Just send to you.

Eli,

If you are interested i have all files which definition did not detected or they gave suspect status.

I can send you via email if you like.

Let me know it.

Cheers,
Sharon

And more information. They add inside wp-includes/pomo
mo.php on line 12:

require_once dirname(__FILE__) . ‘/configuration.php’;

It is not integral file from WordPress. Inside configuration they made
this:
https://pastebin.com/HYtsGvc9

Maybe it will be useful to you for making new definition and better Anit-Malware plugin.

Thank you again.

ps

Definition where any files with .filename.php or .folder will be suspected, maybe checking for comparation between integral file and scanned files and maybe you can find something useful from
https://pastebin.com/HYtsGvc9

which is actually puur php code used for hacking.

Finally.

I have found issue!!!

They was inside map theme-compat another map .temp

And inside were several files “0a13bd065ac3891143624e9662a1b249′
with code such as:
“.”

etc….

It was main problem. I’m glad that i have found it but not sure what to tell you for your definition to search.

Maybe all maps and file which starts with .
If there is for example .temp of .function.php then it is for sure something wrong.

Eli,

That’s are same infected pages. I have show you cache because to see it you must fake your user agent from default to Googlebot 2.1.

Take a look…

If you are using Mozilla for example then install this add-ons:
https://chrispederick.com/work/user-agent-switcher/

Switch then your user agent to Search Robots – Googlebot 2.1

Go to https://www.outdoorunlimited.nl/sitemap/ for example and you will see there somewhere link to Cialis or Viagra (this time it showed on another place below link Beroepsonderwijs)

Then switch again to your defaults user agent and you will see clean page.

Your plugin is great but unfortunately it did not cleaned up completely website from viagra and cialis hack.

This is for example sure infection public_html/wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Storage/updater.php
(suspect files):

[ Malware code redacted, please do not post that in these forums ]

And they are 3-4 more but when i clean that files then Google have unfinished redirection.

Eli thanks for reply.

Google webmaster does not show anything special regarding infection.

But here is evidence of infection:

https://webcache.googleusercontent.com/search?q=cache:jKwnhIdIgiwJ:www.outdoorunlimited.nl/verhuur/+&cd=1&hl=en&ct=clnk (viagra link in footer)

https://webcache.googleusercontent.com/search?q=cache:O321D9oGiPkJ:www.outdoorunlimited.nl/verhuur/attracties/+&cd=6&hl=en&ct=clnk
(pfizer viagra 50 mg online link on right side)

https://webcache.googleusercontent.com/search?q=cache:oG_FBZu9p6sJ:www.outdoorunlimited.nl/sitemap/+&cd=20&hl=en&ct=clnk

(legal online viagra link near Exclusief link)
And they are probably more pages (but not on every page)

Through webmastertools when i chose fetch and render as Google i can see 2 examples. One is how Google see page (with hack link) and another one how visitors see it and it is without hacking link.

I have also through your excellent plugin found a 3-4 more infected files (suspec and it like to me as infection) but if i clean that files
then Google got unfinished redirection while visitor just see usually page.