Malicious Code Adwords

rafaellmrs
(@rafaellmrs)

6 years, 3 months ago

Everytime that I try to create an ad in google adwords, I get my add disapproved because google says that my site have a malicious code. I already cleaned my site but it keeps saying that have some malware(I think), searching here in the forum I saw some tips about wcd-temp.php, wp-post, wp-vcd.

Google Adwords show me that my site redirects to this links:
https://deloton.com/apu.php?zoneid=1505696,

https://go.mobisla.com/notice.php?p=1505697&interactive=1&pushup=1,

https://go.oclasrv.com/apu.php?zoneid=1505696,

https://mobpushup.com/notice.php?p=1505697&interactive=1&pushup=1

Someone can tell me where they usually hide or help me how to deal with thos

The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)

Moderator t-p
(@t-p)

6 years, 3 months ago

Sucuri scan indicates clean site:
https://sitecheck.sucuri.net/results/www.biancolab.com.br

You may want to implement some (if not all) of the recommended security measures.

AlanLarson
(@alanlarson)

6 years, 3 months ago

You might need to clear your browser and start with security there. Make sure you don’t have spyware, or that your IP hasn’t been blacklisted or hacked.

ChrisOrange
(@chrisorange)

5 years, 11 months ago

Hey Rafaellmrs

I don’t have a solution either 🙁 But we are dealing with the EXACT same thing. Even the same links show up on our Google adwords.

We have scanned our site on:

1. https://sitecheck.sucuri.net/
2. Anti-Malware Security and Brute-Force Firewall (WordPress plugin)
3. Google Safe Browsing
4. Google Search Console
5. WP Manage Security

And it comes back clean. But adwords says it’s still an issue. We even set up another adwords account, and still the same error.

From the research I have done, It seems it has something to do with these files:

wp-feed.php: contains a list of IP addresses
wp-vcd.php: contains a compressed malicious installation program
class.wp.php: contains SQL injections and cross-site scripting
post.php: contains the reference to wp-vcd.php
wp-tmp.php

Scan your site for those, and remove them. Install this plugin https://wordpress.org/support/plugin/gotmls/ and then run a scan, it should pick them up.

Our problem is that these files keep being injected into the site, and we cant find out why.

I know this post doesnt provide a solution. But atleast it sheds some light on the issue.
martimarti91
(@martimarti91)

5 years, 11 months ago
Hello everyone,
Google ad-words stopped my ads because they send me an email stating that there is malware in it. Here is what the specialist said:

“I got your account reviewed and the most recent system scan detected that your website https://www.mdance.us/ is affected by Malware due to which ads have been disapproved.

How to Fix it?
I would request you to run a sweep on your website and remove the Malware, so that we can get the website approved for Advertising through AdWords. I understand this might seem trivial, however, it would help tremendously if you could take this to your web master/developer and have either these malicious elements removed or replaced since they’re causing your website to get pulled up.

For your convenience, I am sharing the affected link that needs be cleaned from the Website:

mobisla.com
mobpushup.com
NOTE: PLEASE DO NOT CLICK ON THE LINK AS IT MAY AFFECT YOUR COMPUTER.”

Started researching and I installed the following plugins:
– wordfence
– anti-malware scan from GOTMLS.NET

Wordefence result:
Critical Problems:

* WordPress core file modified: wp-includes/post.php

* File appears to be malicious: wp-content/themes/twentyfifteen/functions.php

* File appears to be malicious: wp-content/themes/twentyseventeen/functions.php

* File appears to be malicious: wp-content/themes/twentyseventeen-child/functions.php

* File appears to be malicious: wp-content/themes/twentysixteen/functions.php

* File appears to be malicious: wp-includes/post.php

* File appears to be malicious: wp-includes/wp-tmp.php

* File appears to be malicious: wp-includes/wp-vcd.php

Warnings:

* Unknown file in WordPress core: wp-includes/wp-feed.php

* Unknown file in WordPress core: wp-includes/wp-tmp.php

* Unknown file in WordPress core: wp-includes/wp-vcd.php

Anti-Malware Scan result:
Potential Threats
* NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).

?…/public_html/mdesire/wp-admin/includes/class-pclzip.php
?…/public_html/mdesire/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/dompdf/dompdf/src/PhpEvaluator.php
?…/public_html/mdesire/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/sabberworm/php-css-parser/lib/Sabberworm/CSS/CSSList/CSSBlockList.php
?…/public_html/mdesire/wp-includes/js/json2.js
?…/public_html/mdesire/wp-includes/js/json2.min.js
?…/public_html/mdesire/wp-includes/js/tw-sack.js
?…/public_html/mdesire/wp-includes/js/tw-sack.min.js
?…/public_html/mdesire/wp-includes/js/jquery/jquery.form.min.js
?…/public_html/mdesire/wp-includes/js/jquery/jquery.schedule.js
?…/public_html/mdesire/wp-includes/js/tinymce/tiny_mce_popup.js
?…/public_html/wp-admin/includes/class-pclzip.php
?…/public_html/wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
?…/public_html/wp-content/plugins/wordfence/js/jquery.dataTables.min.js
?…/public_html/wp-content/plugins/wordpress-seo-premium-master/js/dist/jquery.tablesorter.min.js
?…/public_html/wp-includes/js/json2.js
?…/public_html/wp-includes/js/json2.min.js
?…/public_html/wp-includes/js/tw-sack.js
?…/public_html/wp-includes/js/tw-sack.min.js
?…/public_html/wp-includes/js/jquery/jquery.form.min.js
?…/public_html/wp-includes/js/jquery/jquery.schedule.js
?…/public_html/wp-includes/js/tinymce/tiny_mce_popup.js

Sucuri result:
No Malware Found
Our scanner didn’t detected any malware
Site is not Blacklisted
9 Blacklists checked
22 URLs Scanned
Pages scanned: 8
Javascript files scanned: 14
Other files: 0
Our automated scan did not detect malware on your site. If you still believe that your site has been hacked, sign up for a complete scan, manual audit, and guaranteed malware removal.
Website Malware & Security
No malware detected by scan (Low Risk)
No injected spam detected (Low Risk)
No defacements detected (Low Risk)
Website Firewall not detected (Add protection)
No internal server errors detected (Low Risk)
Website Blacklist Status
Domain clean by Google Safe Browsing
Domain clean by Norton Safe Web
Domain clean on PhishTank
Domain clean on the Opera browser
Domain clean by SiteAdvisor
Domain clean by the Sucuri Malware Labs
Domain clean on SpamHaus DBL
Domain clean on Yandex (via Sophos)
Domain clean by ESET

I have my entire website downloaded via SublimeText. I am currently trying to search for the problem but I can’t. I am trying to locate those 2 website but no luck so far.

Thanks in advance!

Update 5/9/2018
I actively searched for the files which were described in the post above mine. Found exact same files, with exact same described content. Deleting them now and will report back what happens. Still no luck on finding those 2 websites that GoogleAdwords representitive gave me.
- This reply was modified 5 years, 11 months ago by martimarti91.
Moderator t-p
(@t-p)

5 years, 11 months ago

@martimarti91,

If the troubleshooting already posted made no difference for you, then, as per the Forum Welcome, please post your own topic. A lot more people will see your post this way. That way you stand a good chance of getting the assistance you want.