Wordpress Unexpected error on each Pangolin page

Had my website suspended due to over spamming, which provider says is due to the following error popup on the bottom of every Pangolin page: appears to be Wordpress orientated however error doesn’t appear on wordpress Blog page. Have reloaded WP templates, cleared backlight template cache and hard refreshed pages but can’t seem to clear error or know where to start looking to fix… the plugin folder in question (/kfijtur/) is not on the server anywhere or in the folder specified.

www.wantedimages.com.au

Any thoughts?

Is your Backlight installation up to date?
What version of php is your site running on?
(you can check by going to Backlight > Admin > Special Links > PHP info

I would go to the Update Modules page in Backlight Admin and reinstall all modules. This will hopefully fix any corrupted/infected files you might have.

I would also disable whatever plugin that is, plugins/kfijtur.

Hi Rod, running PHP Version 7.4.33 with a build date of Apr 25 2023 22:53:01.

Hi Daniel, yeah tried that first but still have error.

Hi Matthew, I have no idea what that plugin is either, there is no reference to be found on the server or in anything within LR itself.

Hmm… Do you see this path or the file_put_contents() command in /index.php? If not, I would search for the term kfijtur in your backlight directory to see if a file in there is infected. You could as well send @Ben your ftp and backlight login and ask if he could have a look. To do this, hover the cursor over @Ben’s name and click on Message.

Appears that my public_html index.php had been injected with some “extra” code. A restore prior to last change (2 days ago) has corrected the problem. The error log made reference to the ‘kfijtur’ folder and two other php files, while there was no code showing ‘kfijtur’ in the index.php there was code with the other 2 associated php files.

Injected code was inserted before line 3 (below) of the Backlight index.php:
define(‘BACKLIGHT_DIRECTORY’, ‘backlight’);

Thanks for all your thoughts on possible solutions, sometimes the solution is in the weirdest spot…

2 Likes

Great that you have found the source of the issue! Now I’m wondering how they got a hold of this file… The least you can do is changing the password for your site. I would look at your wordpress plugins and disable all that you don’t need and check that the once you use are current.