Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • December 11, 2015 at 12:17 am #550775
    YomStar

    Our developers have located an extremely obscure virus injected into our website and seem to think it has come through the theme.

    The code is injected just after the body tag within the enfold-child header file.

    In almost all browsers this is perfectly fine. The offending code is not present and not causing concerns, however in older versions of IE (So far they have discovered the bug in IE7 and IE8, and confirmed it is not present in IE EDGE) a very malicious code appears and attempts to install viruses and other unwanted material on the client machine.

    Additionally the code only appears to show up after clearing the cache and cookies of the browser before attempting to load the url.

    Link displays this error very clearly.

    The code itself appears to change each time the page loads, making the methods I would usually use to locate the offending code ineffective.

    Additionally, I have attempted, with our limited PHP knowledge, to dump out the contents of the GTM plugin code to ensure it is not the source of the infection and it appears to be clean.

    Our developer is currently working on the theory that the body content is being buffered, and then modified before being rendered to the browser, allowing it to check for IE

    December 12, 2015 at 12:45 pm #551429
    Ismael

    Hey YomStar!

    Thank you for using Enfold.

    In almost all browsers this is perfectly fine. The offending code is not present and not causing concerns, however in older versions of IE (So far they have discovered the bug in IE7 and IE8, and confirmed it is not present in IE EDGE) a very malicious code appears and attempts to install viruses and other unwanted material on the client machine.

    What happens exactly when you visit the site on IE7 (note: this browser is not supported by the theme)? I’m not sure if that’s possible but for security reasons, we didn’t visit the site. Could you please provide an example of the malicious code? It’s also possible that a third party plugin is causing this issue. Please deactivate all plugins then test the site again.

    Regards,
    Ismael

    January 11, 2016 at 7:40 am #562945
    YomStar

    Hi Ishmael,

    We had the site cleaned by sucuri.com and haven’t had any further issues so far.

  • Author
    Posts
Viewing 3 posts - 1 through 3 (of 3 total)
  • The topic ‘Virus’ is closed to new replies.