Viewing 8 replies - 16 through 23 (of 23 total)
  • @andy786 No sorry, not here, because this is a plugin for which I am the author, and I clearly don’t want to link SEOs and search engines to this kind of malware. The plugin has been nulled and can be downloaded from the web where this malware has been injected in various areas. We needed to perform a git compare to find all the suspicious code that has been added, and the code was hidden in multiple files to make sure that if the user finds one suspicious file, some others will still exist. We made an update to protect our users and inform them that they have malware injected on their site if we detect it.

    Just check my profile, replies created section, and you’ll find the name of the plugin, but please, don’t post the plugin name on this page.

    Regards.

    I have the same problem. I deleted ccode.php, searched the database for “ccode” (no results), changed the admin and database passwords and installed Wordfence on my website. How can I check if there is any backdoor or script left?

    Edit:

    In database/wp-options I find “ad_code” with script:

    <script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://***.com/tag.min.js',3388587,document.body||document.documentElement)</script>
    <script src="https://***.sh/pfe/current/tag.min.js?z=3388595" data-cfasync="false" async></script>
    <script type="text/javascript" src="//***.com/400/3388600" data-cfasync="false" async="async"></script>

    It looks like a push ad script; I don’t know if it’s related to this malware.

    • This reply was modified 3 years, 8 months ago by daimon92.

    This script is in the malware code, so it is related to ccode.php.

    Do we know anything new about this? I really f**k with this malware

    luisrodriguezmty

    (@luisrodriguezmty)

    The way I have solved it, after having deleted the infected files, is by creating a blank ccode.php file.

    At least so far it has worked for me, I hope the tip will serve you.

    Jae

    (@jaeplexial)

    Hey @karimisaid

    I have taken over the development of a website and found the ccode.php which is causing some random ads as well. I have removed the PHP file itself and, as you mentioned, “The plugin ccode.php has been deactivated due to an error: Plugin file does not exist.” is showing on the plugin dashboard. Would you be able to guide me on which database row you had to remove? I am not too familiar with the database.

    karimisaid

    (@karimisaid)

    Extra things I’ve done, after deleting the ccode.php plugin, was to search all the database for its scripts and leftovers.

    But before I searched the database, I added the malicious ccode plugin back and activated it, to do my testing with the website infected and the plugin showing bad ads.

    To see the ads, I switched to a different network (4G, or a different WiFi), then used a different browser (as cookies of the previously used browser tell the ccode plugin that you’re the admin who used the same network before). I used the browser of ES explorer on my phone and searched for my website on Google (because this ccode plugin shows bad ads only to visitors who access your website through a search engine, such as Google, Yahoo, etc.).
    Now I know that the ads are there.
    I used a different PC to access the website and see the ads on a desktop browser.
    Then right click the homepage and choose source code. A new page will show with all the code of what’s displayed on the page, including the bad ads.
    I then go back to the homepage tab, click on one of the ads and make note of the website it takes me to (casino, vondo, .xyz, etc.). I check in the source code tab in Chrome and find that those websites are there; in Chrome, Ctrl+F (search) the page for vondo, a word in the ad, the website of the ads, etc.

    Now I know that those ads lead to .xyz ad websites, etc.

    Then I go to phpMyAdmin in MySQL (host cPanel), back up my database, then search the database for the words found in the links I saw in the source code or when I click on the ads.
    The results come with the different tables where those words are mentioned. Within them are scripts telling the ads to show and what should happen when an ad is clicked (redirection to the links we saw before, auto or manual, etc.). I deleted those scripts, and whatever had to do with ccode, including the word ccode itself.

    After that, I deleted, at my own risk, some scripts known to be used as backdoors. They include the following PHP functions:
    base64
    str_rot13
    gzuncompress
    eval
    exec
    system
    assert
    stripslashes

    So I searched the database for those functions, then read to see if there is anything suspicious within them, like redirection to websites I don’t know, usually Eastern European sites, etc.

    After all that, changed passwords etc.

    luisrodriguezmty

    (@luisrodriguezmty)

    Hello,

    I am sharing information that may be useful to you to eliminate the annoying ccode.php malware. After cleaning the /plugins/ folder and eliminating the ccode.php file, we reviewed the database and found JavaScript code in the wp_options table:

    option_name: ad_code

    I’m not really sure if the malware affects other sites on the same server, but in my case I had several infected sites so I took on the task of cleaning them …

    After cleaning, the problem has not occurred again.

    Screenshot: https://snipboard.io/iCX21H.jpg
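
The database review described in the replies above (searching for "ccode", the `ad_code` row in wp_options, and the listed PHP functions) can be run offline against a database export before anything is deleted. This is an added example, not part of any poster's reply: the sample dump, the hosts `example.test` and `ads.invalid`, and the function name `scan_dump` are constructed for illustration.

```python
import re

# Constructed sample of a mysqldump export; hosts and values are made up.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes');
INSERT INTO `wp_options` VALUES (202,'ad_code','<script src=\"https://ads.invalid/tag.min.js?z=1\" async></script>','no');
INSERT INTO `wp_options` VALUES (33,'active_plugins','a:1:{i:0;s:9:\"ccode.php\";}','yes');
INSERT INTO `wp_posts` VALUES (7,'<script src=\"https://example.test/wp-includes/js/app.js\"></script>');
INSERT INTO `wp_posts` VALUES (8,'<?php echo stripslashes($title); ?>');
""".strip()

TABLE_RE = re.compile(r"INSERT INTO `([^`]+)`")
# Names the thread ties to this infection.
NAME_RE = re.compile(r"\b(ccode|ad_code)\b")
# PHP functions listed in the thread; a hit is a prompt to read the row, not proof.
FUNC_RE = re.compile(
    r"\b(base64_\w+|str_rot13|gzuncompress|eval|exec|system|assert|stripslashes)\s*\(")
# Host of any <script src=...>, tolerating the \" escaping used in SQL dumps.
SCRIPT_RE = re.compile(
    r"<script[^>]*?\bsrc=\\?[\"']?(?:https?:)?//([^/\"'\\\s>]+)", re.I)


def scan_dump(text, own_hosts):
    """Return sorted (line_no, table, kind, value) findings for manual review."""
    findings = set()
    for no, line in enumerate(text.splitlines(), 1):
        m = TABLE_RE.search(line)
        table = m.group(1) if m else "?"
        for m in NAME_RE.finditer(line):
            findings.add((no, table, "name", m.group(1)))
        for m in FUNC_RE.finditer(line):
            findings.add((no, table, "php_func", m.group(1)))
        for m in SCRIPT_RE.finditer(line):
            host = m.group(1).lower()
            if host not in own_hosts:  # scripts served by the site itself are expected
                findings.add((no, table, "external_script", host))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP, own_hosts={"example.test"}):
        print(finding)
```

The `stripslashes` hit in the sample is a benign use, which is why each finding is only a pointer to a row to read rather than something to delete on sight.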

  • The topic ‘Malware Scan ccode.php’ is closed to new replies.