Forum Replies Created
Thanks for the login. I checked out your site and it all looks fine. None of those Potential Threats are malicious and I don’t see those ads on your website. It may be your PC that is infected and causing your browser to display ads on websites where there really are none.
Can you send me a screenshot of the ads you are seeing?
Also, try viewing your site from another computer to see if the ads show up there.
Did you download the latest definition updates?
Potential Threats are usually not malicious, especially .js files. The Automatic Fix button is for Known Threats (in red).
If my plugin does not find and fix the threat that is causing these ads to show up on your site then I can look for the malicious code myself. Just email me a WP Admin login for your site and I’ll take a look.
Well I found it right away because it was not hidden in the code at all, it was actually inserted into a post in plain text. I removed it manually. I didn’t see any other issues on your site.
Let me know if you need more help.
You can email me directly: eli AT gotmls DOT net
This looks like a type of infection that is not in my definitions yet. I can see it on your home page but cannot tell where it is coming from.
If you send me your WP Admin login I’d love to track this down for you and add it to my definition update so that it can be automatically removed.
Ryan,
If you quarantined the threat in the header then you probably got the bad guy already. Your site looks clean to me.
If you have any reason to believe your site is still infected then send me your login info and I’ll take a look.
Aloha, Eli
Thanks for the heads-up!
Wordfence is a great plugin but we all have trouble determining the nature of suspicious code from time to time.
Anyway, I have fixed this in my newest release so that file should not be flagged any more if you have upgraded it.
Thanks again for pointing this out and please let me know if there’s anything else.
Aloha, Eli
Hey Chris,
Thanks for sending me your login info. I just ran a Quick Scan on your themes and it found the malicious ‘b_goes’ function used to handle output buffers. This code was added to the functions.php file in all 7 of your themes. I applied the Automatic Fix which successfully removed the malicious code from all 7 infected files and now this site is clean.
This type of infection usually gets in from a vulnerability on another site on the same shared hosting server. Most shared hosting plans have no cross-contamination security at all, such that a single site’s weakness can be exploited by hackers to infect other sites on your account and sometimes even other accounts on the same server.
I am running a Complete Scan now on all the sites in the html directory. There are a lot of sites in this account so it looks like it will take about an hour to scan them all but it has already found and fixed infected files on another site. I will follow up with you directly via email when the scan is complete.
The sucuri.net scan results are cached, so it will not automatically update to reflect the changes you have made to your site. The “Force a Re-scan” link is at the bottom of the scan results, just above the heading “Scan Another Site”.
The backdoor was probably used to infect all your themes, but I can’t be sure how that plugin file got a back door in it.
You should remove all those threats and then click the small link on Sucuri to “Force Re-scan” just to make sure we got them all.
Let me know if you find more problems that you need help with.
Aloha, Eli
This looks like an old threat. I’m surprised my plugin did not find it. Have you downloaded the latest Definition Updates?
If you want me to take a look at this for you I’ll need you to send me your WP Admin login. You can email me directly: eli AT gotmls DOT net
Aloha, Eli
If the Anti-Malware Setting page still says “Your Installation Key is not yet Registered” then there should also be a pre-filled registration form below that message. The key and the Site URL must match this info exactly so it is best to use this pre-filled form when registering your site. Please try using this form and let me know what happens.
If it still does not work you can email me directly with your WP Admin login info for your site and I will check it out for you.
It looks like you got that last one fixed too. Sucuri caches their results, so you have to click “force re-scan” on sucuri.net to see that the issue has actually been fixed.
Aloha Todd,
I think you may have already cleared up the threat on this site. Sucuri actually caches the scan results so if you click on the link on sucuri.net to “Force a Re-scan” then I think you will see that it is clean.
If you have other sites that are infected with this threat and it was not detected by my plugin then I would love the opportunity to look at one of your infected sites before you fix it so that I can add this new threat to my definition update. If you are willing to give me a WP Admin login to one of your infected sites then I will do this right away so that you can update my plugin and use it to clean all your other sites automatically.
Mahalo, Eli
Bill,
It is true that my plugin currently only scans the filesystem and not the database content. My plugin specializes in removing virus-like threats from PHP scripts that users cannot find or remove on their own.
Content defacement is a different animal and generally fairly easy for the user to find and correct. It is also not as common nor as dangerous. The more important question is: how did they modify the page content in your database in the first place? I understand that you are faced with fixing many pages and I think that you could accomplish this fairly quickly with an SQL statement that uses the REPLACE function to remove the malicious injection from every page at once. But you also don’t want to do a bunch of work cleaning it up only to have it get hit again. You should be looking for the security hole that let that injection in too.
Aloha, Eli
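The REPLACE-based cleanup suggested in the reply above, written out as an added example (it is not from the original post or from the plugin). It assumes MySQL, the default `wp_` table prefix, InnoDB tables, and a constructed injected string; the backup table name `wp_posts_preclean` is hypothetical.

```sql
-- Added example (MySQL dialect). Assumptions: default `wp_` prefix, InnoDB
-- tables, and a constructed injected string standing in for the real one.
SET @inj := '<script src="https://injected.example/a.js"></script>';  -- constructed sample

-- 1. Dry run: list the rows that carry the exact string. INSTR is used
--    instead of LIKE so that % and _ inside the markup are not wildcards.
--    Revisions live in wp_posts too, so post_type is shown.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE INSTR(post_content, @inj) > 0;

-- 2. Keep a copy of the affected rows before changing anything.
--    CREATE TABLE commits implicitly in MySQL, so it runs before the transaction.
CREATE TABLE wp_posts_preclean AS
SELECT * FROM wp_posts
WHERE INSTR(post_content, @inj) > 0;

-- 3. Remove the string from every affected row at once.
START TRANSACTION;

UPDATE wp_posts
SET post_content = REPLACE(post_content, @inj, '')
WHERE INSTR(post_content, @inj) > 0;

SELECT ROW_COUNT() AS rows_cleaned;  -- compare with the dry-run row count

-- 4. REPLACE() is case-sensitive, while INSTR follows the column collation.
--    A non-zero count here means a variant of the string is still present.
SELECT COUNT(*) AS rows_remaining
FROM wp_posts
WHERE INSTR(post_content, @inj) > 0;

COMMIT;  -- or ROLLBACK; if rows_cleaned does not match what step 1 showed
```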