Security issue, possible injected ads

A co-worker says one of our sites is having ads injected, namely http://portaugustamechanical.com.au/
I don't see anything amiss.
He suggested it may be the Easy Bootstrap Shortcode Pro plugin by Oscitas. Again, I can't see any reports of problems with this plugin.
I've added Sucuri but I don't really know how to read what it reports.
I have some of your plugins running also - Google Maps, Dashboard and Smushit - any problems I should know about?
Any suggestions?

  • Michael Bissett
    • Recruit

    Hey @Grant, hope you're doing well today! :slight_smile:

    Did he say where the ads were showing up, and under what circumstances?

    I'd say we'd want to make sure that it isn't a plugin you have installed on the site, just to be safe. Could you try disabling the plugins you have presently, and then re-enabling them one at a time, and seeing if there's a particular one that makes these ads show up?

    I'd also check the theme as well, just to be safe.

    Do you have a log file for Sucuri? If so, could you post it here please (if you can't upload it here, then please use a service like pastebin.com)?

    Please advise,
    Michael

  • Ash
    • WordPress Hacker

    Hello @Grant

    Would you please post a screenshot of the injected ad? Does that worker see the ad in another browser or from another PC? I have doubts because sometimes browser add-ons show ads inside of a website.

    Also, would you please make sure all the files and folders have correct permission?
    Folders: 0755
    Files: 0644

    Please let us know.

    Cheers
    Ash
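
One way to run the permission check suggested above from a shell on the server, as an added example that is not part of the original thread. The function name `audit_wp_perms` and the path argument are assumptions; point it at the WordPress install directory.

```shell
#!/bin/sh
# Added example: list every directory that is not 0755 and every regular
# file that is not 0644 under a WordPress tree.
# audit_wp_perms is a hypothetical helper name, not part of WordPress or Sucuri.

audit_wp_perms() {
    root="$1"

    if [ ! -d "$root" ]; then
        echo "usage: audit_wp_perms /path/to/wordpress" >&2
        return 2
    fi

    # Directories whose mode is anything other than exactly 0755.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  /'

    # Regular files whose mode is anything other than exactly 0644.
    # Files deliberately set stricter (for example a locked-down
    # wp-config.php) are listed too; review those by hand.
    find "$root" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Run directly when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

Empty output means every folder is 0755 and every file is 0644. Anything listed as group- or world-writable, such as 0777 or 0666, deserves the first look.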

  • Grant
    • New Recruit

    Here is the ad
    I believe the ad was within the WordPress site. My colleague made a clone of the site and says the ad also appeared within the site which was a clone.
    I still have not seen the ad and can't reproduce it. My colleague says he removed some JS but I don't have details.

  • Grant
    • New Recruit

    We work in a virtual setup but I don't have continuous access to my colleague, thus the paucity of information.
    I have since added Sucuri and have updated our passwords.
    Sucuri has reported some failed attempts to log in. I've seen brute force attacks before and in this case they seem very infrequent (just a handful per day). I don't know if this is related.

  • Michael Bissett
    • Recruit

    Hey @Grant,

    I've been looking around on your site, and I'm not seeing that ad showing up anywhere (though that screenshot doesn't indicate exactly where on the page it should show up, and on what page it does show up).

    Unless something was fixed in the meantime, I'm wondering as to whether it's only showing up on his end.

    As my colleague @Ashok had asked, does your colleague only see that ad in a certain browser? Does he see it only on a certain device of his (PC, tablet, smartphone)?

    Has he already checked to see that there isn't a browser add-on injecting something into the page?

    And also, what was the JavaScript that he had removed?

    Please advise,
    Michael
