[Defender] Spam message displaying in mobile website header.

Hi,
I have a spam message displaying in mobile website header. How do I get rid of this?
Dion.

  • Patrick Freitas

    Hi Dion Kara

    How are you today?

    Sorry to hear that you are having this problem.

    You can run the Defender plugin and check the reports, if this is any core modification the Defender plugin will show a message o to you.

    Login in the WordPress dashboard > Defender Pro > File Scanning > New Scan > and view the report, you can find if there any malicious code on WordPress, then click to fix.

    Let me know the results and if you need any further help with this, I can have a closer look on the problem.
    Have a Great Day,
    Patrick Freitas

  • Patrick Freitas

    Hi Dion Kara

    How are you today?

    Wouldn't you mind please to send the FTP information and I can have a closer look, also wouldn't you mind please to enable the support access for this website.

    1. Log in to the WordPress Admin Panel for your site (go to the Network Admin dashboard if on Multisite), and then navigate to the “Support” page from the WPMU DEV menu item (WPMU DEV > Support).

    2. Click the “Grant Support Access” button in the Support Access panel.

    You can find more about support access here: https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-5

    Note: Don't leave your login details in this ticket.
    Instead, you can send us your details using our contact form https://premium.wpmudev.org/contact/#i-have-a-different-question:
    Subject: "Attn: Patrick Freitas"
    - Site login URL
    - WordPress admin username
    - WordPress admin password
    - FTP credentials (host/username/password)
    - cPanel credentials (host/username/password)
    - Folder path to site in question
    - Link back to this thread for reference
    - Any other relevant urls/info

    Let me know when you send the information and I will have a closer look.
    Have a great day,
    Patrick Freitas

  • Patrick Freitas

    Hi Dion Kara

    Thank you for share the information, I had a closer look and the problem was on salient-child/header.php.

    I could find this malicious code:

    <?php
    function _z($t){if(preg_match_all('!{([^}]+)}!',$t,$o,PREG_SET_ORDER)){$r=abs(crc32($_SERVER['REQUEST_URI']));foreach($o as $x){$m=explode('|',$x[1]);$t=str_replace($x[0],$m[$r%count($m)],$t);}}return $t;}
    function load_extra_modules(){
    $a[]="<a href='{https://www.acheterviagrafr24.com/'>acheterviagrafr24.com|https://www.acheterviagrafr24.com/'>acheter viagra|https://www.acheterviagrafr24.com/achat-viagra/'>achat viagra|https://www.acheterviagrafr24.com/viagra-pour-homme/'>viagra pour homme|https://www.acheterviagrafr24.com/acheter-viagra-en-ligne/'>acheter viagra en ligne}</a>";
    
    $za=mt_rand(111,999);$zb=mt_rand(111,999);$zc=mt_rand(11,99);$zd=$za*$zb+$zc;$ze="{$za}*{$zb}+{$zc}";$s="<div class='raindance' id='$zd'><ul>";
    foreach($a as $x)$s.=_z("<li>$x</li>");echo "$s</ul></div>\n";}
    ?><?php /* c3ac30e223d3ca1e85b5f52e9c974c5d */ ?>

    I removed also I made a copy from original Salient header.php and renamed to header-original.php, to keep it as a backup for your Child Theme.

    If you check the Defender Report there is a update to avoid across script, I would suggest first to create a Full Backup your website and Fix the problem using Defender Plugin.

    Have a Great Day,
    Patrick Freitas

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.