My plugin does not write log “files” to your server. The closest thing to that would be the Scan Log on the bottom of the Scan Settings page, which just shows the prior activity of the plugin but without any details of the results of that activity.
I plan to have a more detailed Scan History feature in a future release but that is not in the plugin yet.
It looks like there is a corrupt file, maybe because only half of the malicious ode was removed. Chack the error_log files on your server to see which file is causing this 500 error and then I can help you fix or restore that file.
Actually, even Sucuri is saying that your site is clean now. You just needed to refresh their scan results after my plugin cleaned your site.
There is a link a the bottom of Sucuri’s scan results page that says:
*Cached results from 48 hrs ago. Force a Re-scan to clear the cache.
Actually, I would like to see the contents of the files that my plugin is going to clean before you click on the automatic fix button. That way I can see if there is anything I need to change first.
Again, if it’s easier for you to send me your wp-admin login through direct email then I can check the files in-place before the fix is applied.
I think that there must have been some malicious code leftover in one o f those two files. The remaining malicious code is probably incomplete and that is what is causing this syntax error.
So first, if you are still on (or can get back to) the quarantine page to restore those two files that were cleaned then your site will be restored. Then we can take a closer look at those files and see what it would take to get them completely clean without breaking the syntax.
If that is not an option then I can help you manually fix the remaining code that is causing the syntax error. Can you download those files using FTP and send them to me as attachments? or maybe you can send me your FTP credentials or your hosting control panel login so that I can fix these files in-place.
You can email sensitive info or attachments directly to me:
eli AT gotmls DOT net
Is it suck in a recursive symlink loop or is it stopping on a particular directory?
How many subdirectories re initialized when the scan begins?
I tried re-activating your wpjobboard plugin but there was a fatal error that pref=vented activation so I looked in your error log files and found that it was a configuration issue with W3 Total Cache that was causing the error. Once I deactivated W3 Total Cache I was then able to re-activate wpjobboard for you. Maybe you can try running without W3 Total Cache for a while, I don’t think your site will be any slower without it 
Thanks for sending me your FTP info. I found that it was the wpjobboard plugin that was conflicting. Apparently that plugin is intercepting all ajax calls and it is overriding the proper WordPress response, thus it breaks my login protection and any other script that utilized a standard WordPress ajax call.
I disabled that plugin by renaming the folder to xjobboard and the login page is now working properly. You should contact the plugin developer to request that they fix this but are at least provide you with a workaround. If you need to reactivate that plugin then you should turn off the login protection in the Anti-Malware Firewall Setting first.
That error number refers to a failure of the JavaScript on your wp-login.php page. In your case the initial ajax call is working but it returns a black script, so the code to validate your login is not loading at all.
You also have another form of login protection on your login page, I’m not sure if that is interfering but I don’t think so.
I think that there is something else intercepting the ajax calls and prematurely returning a blank response. I would like to help you get to the bottom of this and fix it so you can login again. Would you be willing to send me your FTP login so that I can find the source of the conflict?
Please reply to this email directly, do not post you login information on this forum
Yes, my plugin’s brute-force protection will help even if you change the login URL.
Thanks for sending me that whole file. I have updated the definitions so that threat will be correctly and completely removed in future scans.
I am also working on fixing that bug that caused the revert link to fail for you…
Thanks for reporting this issue. Please send me one of the infected files so that I can see why it failed to clean it and fix this issue.
You can click on the files listed on the scan results to see the contents and highlight the malicious code in those files that will be removed when you click the Automatic Fix button. After you run the Automatic Fix you can view the contents again to see that the malicious code was removed. If you keep checking those files and you find that they are in fact getting reinfected with the same threats sometime after the cleaning then you will need to look for the source of the infection or the security hole that is letting in this threat.
You should check the access_log files on your server to see what activity was taking place at the exact time of the infection (the modified timestamp of the corresponding files).
If there was nothing in your log files for that oresponding time then the infection is likely spreading from another site on the same server, possibly someone else’s site that is not even on your account. Shared hosting account are not sure and are one of the easiest ways for hacker to infect many sites with attack on a single vulnerability on your server.
Did you scan again to make sure that the site is all clean (sometimes the hacked files are timed to come back if the original exploit is still presents)?
Also, make sure you don’t have any caching enabled (cached files might still show old threats that have already been removed).
If you are sure that there are no more threats and no caching then please email me a link to the infected pages so that I can inspect them (please don’t post the link on the forum).
Can you please email me that wp-blog-header.php file as an attachment so that I can see what is going wrong?
