Eli,
Your plugin seems really helpful to a lot of WP admins, and your willingness to help beyond the scans is what made me decide to make a quick donation last night. I hope to make more, but the problem is, the Complete Scan finds no known issues on my site; it does turn up about two dozen potential threats (plugin php and js files, most of which from what I can see are from reputable makers).
Still, just about every night, a plug-in called GroupDocs Assembly Embedder appears in our wp-content/plugins directory (though it is not activated, so we’re looking at someone with file access but not WP admin access), plus a folder or folders with names like “heinous432″ show up in the site root, and then the standard WP index.php file suddenly has a div appended to it with a half-dozen hidden links to malicious websites.
So someone or something is there, but your scan — and even the free securi.net scan — aren’t finding anything. I’ve changed all our CPanel and FTP and WP admin passwords to hardened 10-character random strings, I’ve reinstalled WordPress and deleted any plugins that seemed iffy (although there are a couple that are no longer actively developed that we can’t do without).
I’m not experienced enough to know that to look for in the potential threat files, and just not sure what the next step is. Any help or advice would be appreciated, and meanwhile thanks for the good work you do.
Roger
Thanks Roger,
First, if both sucuri and my plugin are coming up with no known threats then I would suspect this is a new type of infection. I would love to get into your WP Admin and see what I can find. If I can look at the infected files I can add them to my definition update so they can be identified and removed automatically.
It was a great idea to change all those passwords but if the hacker is still able to plant files on your server then they are probably using a backdoor or a server vulnerability that has not been found yet. Maybe I can find this too and stop the reinfection of your site.
You can reply directly to my email to send login credentials (don’t post them on the forum 
) and I’ll let you know what I find.
Aloha, Eli
Eli, thank you for taking a look and finding the malicious code you turned up in the plugins folder. I added your plugin to another WordPress site I manage and made another donation tonight. Haven’t seen any more odd behavior on the original site, but we’ll see; meantime I truly appreciate your diligent work and followup. Cheers, Roger.
That’s great Roger. Thanks for donating again too. Let me know if either of your sites get re-infected and I’ll pop in and take a look.
