Malicious code removal

finelinecreative · December 1, 2022, 8:20pm

C5.6.4.0 PHP7.1
I have had some malicious code injected into one of my sites (encouraging download of a media player and I can’t seem to remove it using the editor.
I get the following message:

“aID”:“57”,“arHandle”:“text”,“cID”:“132”,“error”:false,“bID”:“244”} We will support it soon! Click 2k/4k to download videos first. Pro $ 2.99 / month 1000+ embedded vimeo player sites supported Support video downloading in more resolutions e.g. 4k, 2k, 1080p, etc. Support for downloading private videos Support for extracting audio Unlimited downloads Simple, one click to download Get

Any ideas how to clean this out?

thanks

ConcreteOwl · December 1, 2022, 9:54pm

You could try searching the database for part of that string of text to see where the injection has been made and go from there.

ConcreteOwl · December 1, 2022, 10:03pm

If the editor cannot delete it, could be its an HTML block, just a thought.

finelinecreative · December 2, 2022, 2:16am

Yeah I checked my php templates and all looks as I had them. Extra code has introduced new styles which I cant see on the server. Not sure how they are being served? Doesnt look like a package clash or javascript problem.

ConcreteOwl · December 2, 2022, 5:42am

Can you share the domain address so I can take a look at the problem?

finelinecreative · December 4, 2022, 7:09pm

Website is www.kairotorua.nz

It is this and appears in each block:

<div id="popupMenu"></div>
<div id="backMask" class="backMask">
<div id="pop" class="pop">
<div id="notice" class="notice">
<div id="notice_in" class="notice_in">
<div class="notice_in_svg">&nbsp;</div>
<div id="notice_in_span" class="notice_in_span"><span>We will support it soon! Click</span> <span id="external_ffmpeg" class="external_ffmpeg">2k/4k</span> <span>to download videos first.</span></div>
</div>
</div>
<div id="dialog" class="dialog">
<div id="dialog_close" class="dialog_close">&nbsp;</div>
<div id="dialog_in" class="dialog_in">
<div id="pro" class="pro"><span>Pro</span></div>
<div class="dialog_line">&nbsp;</div>
<div id="feature_explain" class="feature_explain"><span id="fee" class="fee"> <span>$ 2.99</span> <span> / month</span> </span>
<div id="feature_list" class="feature_list">
<ul id="feature_list_ul">
<li><span>1000+ embedded vimeo player sites supported</span></li>
<li><span>Support video downloading in more resolutions e.g. 4k, 2k, 1080p, etc.</span></li>
<li><span>Support for downloading private videos</span></li>
<li><span>Support for extracting audio</span></li>
<li><span>Unlimited downloads</span></li>
<li><span>Simple, one click to download</span></li>
</ul>
</div>
</div>
<button id="dialog_get" class="dialog_get">Get</button></div>
</div>
</div>
</div>

ConcreteOwl · December 4, 2022, 8:28pm

Have you looked at your theme templates to see if this somehow been hardcoded into them.

finelinecreative · December 4, 2022, 11:48pm

SOLVED Turned out to be an unused addon so I removed it and can delete extra code without error message.