Forum Replies Created
If you send me your WP Admin I can take a look at it for you. You can email info directly to me: eli AT gotmls DOT net
Thanks for sending me your login. The public_html directory is the root of your site and there were some new threats found there. I added them to my definition update and moved them to the quarantine along with the rest of another threat that was found on the last scan. There were no Known Threats in the USER directory above public_html, so I think you are ok there.
Please let me know if there is anything else.
What site is this for?
If you want to send me the WP Admin login I will look at it for you. You can email me directly: eli AT gotmls DOT net
I have upgraded the scan depth on your account. Download the new Definition Update and you should be able to scan these other sites in the www directory.
Let me know if this works for you or if you need any more help.
Thanks for sending me this code. Unfortunately the character-set got altered when you posted it to the forum. Can you send me the original infected file?
You can email me directly with attachments to: eli AT gotmls DOT net
It may be that your webserver does not have permission to write to that file or the file could be read only by some other means. Can you email me directly with your WP Admin login so I can take a look at it, determine the cause, and find a suitable workaround for you?
Don’t worry about press-this, it’s a core file that is safe; it just shows up in the Potential Threats because it uses an eval method that some hackers use to hide their malicious code. I have not added it to my global whitelist for WP 3.9 yet, but you can whitelist it.
As for the Complete Scan “freezing”, there could be a number of reasons for this. Did the similar forum topic not have an answer that worked for you?
If it is staying on 0% and endlessly “Preparing” directories but the directories keep changing then you probably have a recursive symlink in your scan path. The easy work-around for this is to set your Scan Depth to a positive number (like 6 or 8).
If the directories that it is preparing do not change, then it is getting stuck on something. If it’s always getting stuck on the same directory you could try adding that one to the list of folders to skip to see if it will go on.
Aloha, Eli
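The two failure modes in the reply above (a recursive symlink making the "Preparing" phase run forever, versus a bounded Scan Depth cutting the walk short) can be reproduced with a small directory walker. This is an added example, not code from the plugin or from the forum post: the tree it builds is constructed, the function names are hypothetical, and the `-1` meaning "unlimited" follows the convention the post describes for the plugin's Scan Depth setting.

```python
import os
import tempfile


def prepare_directories(root, scan_depth=-1):
    """Walk directories the way a scanner's 'Preparing' phase does.

    scan_depth: -1 = unlimited; a positive number stops descending below that
    many levels under root (the work-around described in the post).
    Returns (directories, loops): the directories that would be scanned and
    the symlinks that point back into one of their own ancestors, i.e. the
    recursive symlinks that make an unbounded walk never terminate.
    """
    directories = []
    loops = []
    # Stack entries: (path, depth, real paths of root..path inclusive)
    stack = [(root, 0, (os.path.realpath(root),))]
    while stack:
        path, depth, lineage = stack.pop()
        directories.append(path)
        if scan_depth >= 0 and depth >= scan_depth:
            continue  # depth limit reached: do not descend further
        for name in sorted(os.listdir(path)):
            child = os.path.join(path, name)
            if not os.path.isdir(child):
                continue
            real = os.path.realpath(child)
            if os.path.islink(child) and real in lineage:
                # Following this link re-enters a directory we are already
                # inside, so the walk would repeat forever. Record and skip.
                loops.append(child)
                continue
            stack.append((child, depth + 1, lineage + (real,)))
    return directories, loops


def build_demo_tree(base):
    """Constructed demo layout (not any real site): a few WordPress-style
    folders plus one recursive symlink, wp-content/uploads/loop -> '..'."""
    for d in ("wp-admin", "wp-includes",
              "wp-content/plugins", "wp-content/uploads"):
        os.makedirs(os.path.join(base, d))
    os.symlink("..", os.path.join(base, "wp-content", "uploads", "loop"))
    return base


def demo():
    """Build the demo tree in a temp dir and walk it unlimited and bounded."""
    base = build_demo_tree(tempfile.mkdtemp())
    unlimited = prepare_directories(base)            # finds and skips the loop
    bounded = prepare_directories(base, scan_depth=1)  # never reaches the loop
    return unlimited, bounded


if __name__ == "__main__":
    (dirs, loops), (dirs1, loops1) = demo()
    print("unlimited: %d directories, recursive symlinks: %s" % (len(dirs), loops))
    print("depth 1:   %d directories, recursive symlinks: %s" % (len(dirs1), loops1))
```

The ancestor check is what a naive `os.walk(followlinks=True)` lacks; it only catches links that point back up the current path, so two sibling directories linking to each other would still need the depth limit or a global set of visited real paths.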
It all depends on what causes the high CPU usage. Assuming it is web-server related you should check the raw access logs. The access logs will show you what pages users are loading and how frequently. If you see a lot of POST entries on the wp-login.php page, then my plugin can certainly help.
Try running a Quick Scan from the admin menu and give it at least 90 seconds to see if it’s really stuck or just slow. If the Quick Scan doesn’t finish then try the Complete Scan from the Scan Settings page after changing the scan depth from -1 to 1; this should at least bring up the wp-login.php file and allow you to apply my brute-force patch.
Good luck, and let me know if you need any more help.
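The log check suggested above (look for many POST requests to wp-login.php in the raw access logs) as a script. This is an added example, not code from the plugin or the post: the log lines are constructed in the Apache/nginx "combined" format using TEST-NET addresses, and the threshold is an arbitrary illustration, not a value the plugin uses.

```python
import re
from collections import Counter

# One "combined" format access-log line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (not a real log): one client hammering wp-login.php,
# one normal visitor, one unrelated request and one malformed line.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [09/Feb/2014:22:10:%02d -0800] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"' % s
     for s in range(1, 8)] + [
    '198.51.100.7 - - [09/Feb/2014:22:11:00 -0800] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Feb/2014:22:11:05 -0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Feb/2014:22:11:30 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Feb/2014:22:12:00 -0800] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    'this line is not an access-log entry',
])


def parse_line(line):
    """Return a dict of the fields we care about, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["path"].split("?", 1)[0]  # drop the query string
    return fields


def count_login_posts(lines):
    """Count POST requests to wp-login.php per client IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return counts


def flag_brute_force(lines, threshold=5):
    """IPs whose wp-login.php POST count meets the threshold, busiest first."""
    counts = count_login_posts(lines)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in count_login_posts(lines).most_common():
        print("%-15s %d POST /wp-login.php" % (ip, n))
    print("flagged:", flag_brute_force(lines))
```

On a real server the same counting can be done over the rotated logs with the threshold tuned to the site's legitimate login rate; a single address with hundreds of POSTs in a few minutes is the pattern the post's brute-force remark refers to, while a handful of POSTs from one visitor (including a lost-password form) is normal.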
The scan is manual right now. I am working on a cron mechanism now but it will take some fancy engineering to get it to work with a multi-threaded scan engine like mine.
As for the failure to patch that wp-login.php file, I can only tell you that it is not supposed to do that. It is rare that my plugin ever fails to fix a file and it has nearly always been because of non-standard permissions on the file in question. Basically, if WP cannot modify the file (like when it upgrades or repairs) then my plugin cannot modify the file either.
It should not turn green unless it was able to fix the file, so I don’t know what to make of that one. If you want to email me your WP Admin login I would be happy to take a look at it and give you a better answer.
Lisa,
Thanks for sending me your login info (also, thanks for making a donation, that really helps me keep this project going!) I found the backdoor in alot.php along with hundreds of HTML files in the /public_html/swollen/ directory. I suspect that whole swollen directory was planted there using that alot.php file; this file is self-updating and self-replicating and it’s linked to by all those HTML files.
I have added this new threat to my definition updates so you can now remove the threat using my plugin but I would suggest just deleting that whole “swollen” folder via FTP.
You should also delete that backup file made by BackupBuddy and then make a new backup of your site without that infected folder.
Aloha, Eli
I sure can. If you email me your WP Admin login I will take a look at those Potential Threats for you. If I find anything malicious on your site I will add it to my definition update so it can be automatically removed.
February 9, 2014 at 10:56 pm in reply to: Can't find the culprit, but he/she is there somewhere #914
That’s great Roger. Thanks for donating again too. Let me know if either of your sites get re-infected and I’ll pop in and take a look.
February 5, 2014 at 12:31 am in reply to: Can't find the culprit, but he/she is there somewhere #911
Thanks Roger,
First, if both sucuri and my plugin are coming up with no known threats then I would suspect this is a new type of infection. I would love to get into your WP Admin and see what I can find. If I can look at the infected files I can add them to my definition update so they can be identified and removed automatically. It was a great idea to change all those passwords, but if the hacker is still able to plant files on your server then they are probably using a backdoor or a server vulnerability that has not been found yet. Maybe I can find this too and stop the reinfection of your site.
You can reply directly to my email to send login credentials (don’t post them on the forum) and I’ll let you know what I find.
Aloha, Eli
Thanks for the login info. I am all done with the scan now. It was very slow and took several hours to complete because there are over 27000 sub-directories full of cache files in the w3tc folder and you do not even have that plugin installed. I suggest you delete the whole w3tc folder inside wp-content (you need to do this via FTP). Just delete the w3tc folder inside wp-content, but not the wp-content folder itself. This will allow the Complete Scan to finish in minutes instead of hours.
I’m all done on your site if you want to change your password, or let me know if you need more help with anything.
Aloha, Eli
Reply directly to my email address (not on the forum).