Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 616 through 630 (of 686 total)
  • in reply to: Is the plugin "croned"? #963

    Anti-Malware Admin
    Key Master

    The scan is manual right now. I am working on a cron mechanism now but it will take some fancy engineering to get it to work with a multi-threaded scan engine like mine.

    As for the failure to patch that wp-login.php file, I can only tell you that it is not supposed to do that. It is rare that my plugin ever fails to fix a file and it has nearly always been because of non-standard permissions on the file in question. Basically, if WP cannot modify the file (like when it upgrades or repairs) then my plugin cannot modify the file either.

    It should not turn green unless it was able to fix the file, so I don’t know what to make of that one. If you want to email me your WP Admin login I would be happy to take a look at it and give you a better answer.

    in reply to: Something is amiss #916

    Anti-Malware Admin
    Key Master

    Lisa,
    Thanks for sending me your login info (also, thanks for making a donation, that really helps me keep this project going!).

    I found the backdoor in alot.php along with hundreds of HTML files in the /public_html/swollen/ directory. I suspect that whole swollen directory was planted there using that alot.php file; this file is self-updating and self-replicating and it’s linked to by all those HTML files.

    I have added this new threat to my definition updates so you can now remove the threat using my plugin but I would suggest just deleting that whole “swollen” folder via FTP.

    You should also delete that backup file made by BackupBuddy and then make a new backup of your site without that infected folder.

    Aloha, Eli

    in reply to: Something is amiss #915

    Anti-Malware Admin
    Key Master

    I sure can. If you email me your WP Admin login I will take a look at those Potential Threats for you. If I find anything malicious on your site I will add it to my definition update so it can be automatically removed.

    in reply to: Can't find the culprit, but he/she is there somewhere #914

    Anti-Malware Admin
    Key Master

    That’s great Roger. Thanks for donating again too. Let me know if either of your sites get re-infected and I’ll pop in and take a look.

    in reply to: Can't find the culprit, but he/she is there somewhere #911

    Anti-Malware Admin
    Key Master

    Thanks Roger,
    First, if both Sucuri and my plugin are coming up with no known threats then I would suspect this is a new type of infection. I would love to get into your WP Admin and see what I can find. If I can look at the infected files I can add them to my definition update so they can be identified and removed automatically.

    It was a great idea to change all those passwords but if the hacker is still able to plant files on your server then they are probably using a backdoor or a server vulnerability that has not been found yet. Maybe I can find this too and stop the reinfection of your site.

    You can reply directly to my email to send login credentials (don’t post them on the forum ;-) ) and I’ll let you know what I find.

    Aloha, Eli

    in reply to: complete scan freezes every time #909

    Anti-Malware Admin
    Key Master

    Thanks for the login info. I am all done with the scan now. It was very slow and took several hours to complete because there are over 27000 sub-directories full of cache files in the w3tc folder and you do not even have that plugin installed. I suggest you delete the whole w3tc folder inside wp-content (you need to do this via FTP). Just delete the w3tc folder inside wp-content, but not the wp-content folder itself. This will allow the Complete Scan to finish in minutes instead of hours.

    I’m all done on your site if you want to change your password, or let me know if you need more help with anything.

    Aloha, Eli

    in reply to: complete scan freezes every time #908

    Anti-Malware Admin
    Key Master

    Reply directly to my email address (not on the forum).

    in reply to: complete scan freezes every time #906

    Anti-Malware Admin
    Key Master

    I would like to help you get to the bottom of this. I would guess that this is due to malware interference that is causing JavaScript errors. The best way for me to help you with this is for you to email me your WP Admin login.

    in reply to: Output Buffers #904

    Anti-Malware Admin
    Key Master

    Thanks for sending me all the login info for your server. I discovered two new threats that had infected all your themes; these were causing the 500 errors on your site. I was able to add these new threats to my definition update and my plugin has now removed them from 36 files on your site that were found to be infected.

    Your site loads fine now and is no longer flagged as infected by Sucuri. Please let me know if there is anything else you need.

    Aloha, Eli

    in reply to: Output Buffers #901

    Anti-Malware Admin
    Key Master

    I put that warning in my plugin because a lot of malicious code I find adds malicious content to the infected site by hijacking the output buffer. There are legitimate uses for adding a callback function to the output handler, but ZM5j2q0shf_callback sounds malicious to me.

    If my plugin is not finding the malicious code I can look for it for you. This may be a new threat that is not yet in my definitions.
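
As an added illustration of the output-buffer warning discussed in the post above (not the plugin's own code and not part of the original thread): a small Python check that lists string callbacks passed to `ob_start()` in PHP source, skips PHP's built-in handlers, and marks names that look machine-generated. The `looks_generated` heuristic and the sample PHP, apart from the callback name quoted in the post, are constructed for this example.

```python
import re

# PHP's built-in output handlers; any other name is a user-defined callback.
BUILTIN_HANDLERS = {"ob_gzhandler", "mb_output_handler",
                    "ob_iconv_handler", "ob_tidyhandler"}

# Matches ob_start('name') or ob_start("name") with a string callback argument.
OB_START_RE = re.compile(
    r"""\bob_start\s*\(\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\1""", re.IGNORECASE)


def looks_generated(name):
    """Heuristic (an assumption of this example): one underscore-separated
    token mixes digits, upper-case and lower-case letters."""
    for token in name.split("_"):
        if (re.search(r"\d", token) and re.search(r"[A-Z]", token)
                and re.search(r"[a-z]", token)):
            return True
    return False


def scan_php(source):
    """Return (line number, callback name, verdict) for each non-built-in
    string callback registered through ob_start()."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in OB_START_RE.finditer(line):
            name = match.group(2)
            if name.lower() in BUILTIN_HANDLERS:  # PHP function names are case-insensitive
                continue
            verdict = "suspicious" if looks_generated(name) else "review"
            findings.append((lineno, name, verdict))
    return findings


# Constructed sample; only ZM5j2q0shf_callback comes from the thread.
SAMPLE = '''<?php
ob_start("ob_gzhandler");
ob_start('my_theme_minify_html');
ob_start();
@ob_start("ZM5j2q0shf_callback");
'''

if __name__ == "__main__":
    for lineno, name, verdict in scan_php(SAMPLE):
        print(f"line {lineno}: {name} [{verdict}]")
```

A text search like this only sees callbacks written as literal strings; handlers registered through obfuscated or dynamically built calls need the file-level signatures a scanner's definitions provide.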

    in reply to: Cant find javascript malware ! #899

    Anti-Malware Admin
    Key Master

    It was in post 2336. I could see the malicious JavaScript redirect in plain text entered into the post content area.

    Because this is the second time you have gotten infected with the same code, and you have already changed your password, I would suspect that this hacker has got another means of infecting your site. Is this a shared hosting account? Do you have any other sites on this server? It is possible that this hacker is using a vulnerability on another site to infect your DB directly.

    It looks as though koumbit.net has disabled your site for now. I suspect they are aware of your infection and have probably contacted you about clearing it up. If you can get them to re-enable the site I can help you clean it up again and see if I can figure out how this hack is getting in.

    in reply to: I have adware on my site, but no fixes? #897

    Anti-Malware Admin
    Key Master

    Thanks for the login. I checked out your site and it all looks fine. None of those Potential Threats are malicious and I don’t see those ads on your website. It may be your PC that is infected and causing your browser to display ads on websites where there really are none.

    Can you send me a screenshot of the ads you are seeing?
    Also, try viewing your site from another computer to see if the ads show up there.

    in reply to: I have adware on my site, but no fixes? #895

    Anti-Malware Admin
    Key Master

    Did you download the latest definition updates?

    Potential Threats are usually not malicious, especially .js files. The Automatic Fix button is for Known Threats (in red).

    If my plugin does not find and fix the threat that is causing these ads to show up on your site then I can look for the malicious code myself. Just email me a WP Admin login for your site and I’ll take a look.

    in reply to: Cant find javascript malware ! #892

    Anti-Malware Admin
    Key Master

    Well I found it right away because it was not hidden in the code at all, it was actually inserted into a post in plain text. I removed it manually. I didn’t see any other issues on your site.

    Let me know if you need more help.

    in reply to: Cant find javascript malware ! #890

    Anti-Malware Admin
    Key Master

    You can email me directly: eli AT gotmls DOT net
