Sorry about that, I just fixed it, so It is working now, thanks 
It may be coming in from another account on the server. The best thing to do would be to move your site to a more secure hosting environment. I offer Super Secure Hosting if you are interested, it’s $12/month per site and you will not get reinfected on my server
I see that your site in is a subdirectory on a HostGator shared hosting account. It would be most effective if you could scan the site_root or even the account root. There could be other infected sites on this server that are reinfecting your site. There may also be .htaccess files or cron jobs on your account that will affect all the sites in your account. How many sites do you have on HostGator?
After the fix it loads the wp-admin in that framed window, if the wp-admin loads tht means the WordPress bootstrap was not broken. Theme files are often infected and con sometime be broken when they are hacked (if the hack was done poorly), or when the hack is removed (if the removal was not complete and thorough).
Can you send me the threat that you had to remove yourself? If my plugin could have removed that whole threat when you ran the fix then this would not have happened.
That would be one possible fix but your should ask your host to review permissions on that folder and make it right according to their security needs. Personally I would make it 770 so that “others” could not read or write in that directory, but then you would need to make sure that the apache user is the owner or group owner so that PHP can write (and read) session files.
Yes, you should also run the Complete Scan if you want to make sure your site is completely clean. The Quick Scan only scan the main folders were malware is likely to be found.
I have spent quite some time debugging multiple issues on this test site that you gave me access to. First, I found that some of the rules in your .htaccess files were preventing the rewrite rule in my plugin directory from working properly. After fining a workaround for that problem I found that your server was not able to save and retrieve a session file. The directory where session files are stored has the following permissions: drwx-wx-wt
The plugin will scan all the files in the directory your choose and you can run the Quick Scan on the core files as well, but it will not be as fast as it would if you download the Core Files Definitions, plus it will not find every file modification, only identifiable threats. The Core Files Definitions are available through the Automatic Update feater, which is what you get when you donate $29+, this will a speed up the scans and improve accuracy.
If your sites are offline then the scan will not be working either. Check your server’s error_log files to get more info about those 503 errors or ask your hosting provider why your sites are all offline.
I’m glad your web hosting company responded with a solution and it is working now.
I am posting their response here in case it might help others who have the same problem.
In Plesk, in the WordPress security menu, you activated “wp-content folder security”, which prevents accessing it directly.
I have disabled this.
Aloha, Eli
Thanks for your donation, I’m glad my plugin was helpful in stopping that attack.
I would like to help you resolve error on your server that is causing the “no response” message on the JS/Session test.
If you are willing to send me your wp-admin login then I can debug this issue on your site, other wise please check your browser’s Error Console for JavaScript errors and the error_log files on your server for PHP Errors and let me know what you find.
I am not getting that same result so I think you must have put more code in there from the index.php file. I am trying to debug and isolate the exact conditions that are not being met for the if statement to produce that error you are getting. Would it be possible for you to create an admin login for me so that I can login to this site and debug the code in-place?
If so, You can email the login details dorectly to me: eli AT gotmls.net
Ah, yes. Now try changing the .htaccess file in that directory so that it redirects to test.php instead on index.php and then call up that gotmls.js path in your browser.
That does seem to work as I expected, so I’m not really sure why the rewrite is not working correctly.
The next step would be to put this code in your test.php file:
< ?php
if (preg_match('|(.*?/gotmls\.js\?SESSION=0)|', GOTMLS_script_URI, $match))
print_r(array(GOTMLS_script_URI=>$match));
else
print GOTMLS_script_URI;
?>
Yes, there is no gotmls.js located in that directory, but there is a rewrite rule in the .htaccess file that is in that directory which should allow it to generate dynamic JavaScript content (not “image/gif” content).
Can you test something for me? Can you make a new file called test.php in that same directory and put this code in that file:
REQUEST_URI=
< ?php echo htmlspecialchars($_SERVER["REQUEST_URI"], ENT_QUOTES); ?>
Then call up that file in your browser and tell me what it says?
