Support » Plugin: Anti-Malware Security and Brute-Force Firewall » rogueads.unwanted_ads

  • Hi, can anyone help me please?

    @bigbabol1981 Hi. Do you run ads on your website? There’s an ad using the following styling:

    <img style="width: 0; height: 0; display: none; visibility: hidden;

    This is what is causing the warning.

    Plugin Author Eli

    (@scheeeli)

    Hi @bigbabol1981,
    rogueads.unwanted_ads is a Sucuri thing. They have detected ads or metrics from reddogdangerous[.]com and they are flagging these as “bad”. Have you included these hidden images in your site for metric purposes? If not, then maybe they were part of your theme or a plugin you added. I see some references in the header and also some in the first fusion-flip-box column on your home page. If you did not add these and you are not sure why they are there or feel that they were put there maliciously then I can help you locate the original source code and remove them.

    Hi @scheeeli, No I haven’t included hidden images and wasn’t in my plans, so I don’t know why they’re there. Could you help me to locate the source code please?

    Plugin Author Eli

    (@scheeeli)

    Sure, I can help you track this down. Just to be clear, I suspect that this code is coming from a plugin you have installed or else it’s integrated into your theme files. Also, as these images are clearly used for metrics, I am not convinced that this is even a malicious injection.

    I can see that there is a meta tag in your HTML HEAD with the property “og:image” which loads content from reddogdangerous…
    Also, as I said before, I see some hidden images in the first fusion-flip-box column on your home page.

    I realize that this Avada theme you are using is a premium theme which usually costs around $60 to download. So I can’t help but jump to the most likely conclusion which would be that the developer of your site found some pirated/unofficial copy of this theme available from some other source either for free or at a steep discount. Unfortunately, when you download a premium theme from a free download site it is almost always hacked or modified in some way to benefit the 3rd party who pirated the original theme. They might add malware or even a back-door, or it might just be a little tracking include which is what I think you got, or I could be completely wrong here and this code might have been added some other way.

    So, first thing would be to check the header.php file in the Theme Editor of your wp-admin to see if that META tag with the reddogdangerous content is hard-coded into that theme file or if it’s being injected dynamically by some other PHP include.

    You can send me the contents of the header.php if you don’t want to post it on this public forum:
    eli AT gotmls DOT net

    Hi Eli, it’s not a pirate copy, I paid 60 bucks for the Avada theme. I will e-mail the header.php

    thanks

    Plugin Author Eli

    (@scheeeli)

    Well that’s good. We can rule out an embedded threat in the installation source then. Now we just need to find out where this injected tracking code is coming from. I can see from the original header.php code that there are just two lines of code that could be used to inject this meta into the HEAD tag:

    <?php wp_head(); ?>
    
    	<?php
    	/**
    	 * The setting below is not sanitized.
    	 * In order to be able to take advantage of this,
    	 * a user would have to gain access to the database
    	 * in which case this is the least of your worries.
    	 */
    	echo apply_filters( 'avada_space_head', Avada()->settings->get( 'space_head' ) ); // phpcs:ignore WordPress.Security.EscapeOutput
    	?>

    wp_head filters are the most common way to inject extra code into the header but the apply_filters line for the avada_space_head is what troubles me more right now, especially because of how the comment above that line indicates quite clearly that this line can be exploited to execute malicious code if it can be injected into your DB…

    I would suggest starting with the database entry for the Avada Settings with the name “space_head” and see what you find there.
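
Added example, not part of the thread and not code from the plugin, Sucuri or Avada: a small Python scanner that takes the HTML found in a stored header setting such as “space_head” (or the rendered page source) and lists the two patterns discussed above, hidden `<img>` tags and `og:image` meta tags that load from a host other than the site's own. The function names and the hosts `shop.example` and `tracker.example` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def hiding_rules(style):
    """Inline-style declarations that make an element invisible."""
    found = []
    for decl in style.lower().split(";"):
        prop, _, val = (part.strip() for part in decl.partition(":"))
        zero_size = prop in ("width", "height") and val in ("0", "0px")
        if zero_size or (prop, val) in (("display", "none"), ("visibility", "hidden")):
            found.append(f"{prop}:{val}")
    return found

class _Finder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _third_party_host(self, url):
        host = (urlparse(url).hostname or "").lower()
        own = host == self.site_host or host.endswith("." + self.site_host)
        return host if host and not own else None

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "img":
            host, rules = self._third_party_host(a.get("src", "")), hiding_rules(a.get("style", ""))
            if host and rules:
                self.findings.append((self.getpos()[0], "hidden-img", host, rules))
        elif tag == "meta" and a.get("property", "").lower() == "og:image":
            host = self._third_party_host(a.get("content", ""))
            if host:
                self.findings.append((self.getpos()[0], "og:image", host, []))

def scan(html, site_host):
    """Return (line, kind, host, rules); relative URLs and own subdomains are skipped."""
    finder = _Finder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: shop.example is the site, tracker.example an unknown third party.
SAMPLE = """<meta property="og:image" content="https://tracker.example/p.png">
<meta property="og:image" content="https://shop.example/logo.png">
<img src="https://tracker.example/px.gif" style="width: 0; height: 0; display: none; visibility: hidden;">
<img src="https://cdn.shop.example/banner.jpg" style="width: 100px">"""

if __name__ == "__main__":
    print(*scan(SAMPLE, "shop.example"), sep="\n")
```

An empty result for the stored setting while the rendered page still produces findings points to another source, such as a `wp_head` hook or page content.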

    Hi Eli, I wrote you an e-mail.

    Cheers
