Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • karimisaid

    (@karimisaid)

    Extra things I’ve done, after deleting the ccode.php plugin, were to search the whole database for its scripts and leftovers.

    But before I searched the database, I added the malicious plugin ccode back and activated it, to do my testing with the website infected and the plugin showing bad ads.

    To see the ads, I switched to a different network (4G, or a different WiFi), then used a different browser (as the cookies of the previously used browser tell the ccode plugin that you’re the admin who used the same network before). I used the browser of ES Explorer on my phone, and searched for my website on Google (because this ccode plugin shows bad ads only to visitors who access your website through a search engine, such as Google, Yahoo, etc.).
    Now I knew that the ads were there.
    I used a different PC to access the website and see the ads in a desktop browser.
    Then I right-clicked the homepage and chose View Source. A new page shows with all the code of what’s displayed on the page, including the bad ads.
    I then went back to the homepage tab, clicked on one of the ads and made a note of the website it took me to (casino, vomndo, .xyz, etc.). I checked the source code tab in Chrome and found that those websites are there; in Chrome, Ctrl+F (search) the page for vomndo, a word in the ad, the website of the ads, etc.

    Now I know that those ads lead to .xyz ad websites, etc.

    Then I go to phpMyAdmin in MySQL (host cPanel), back up my database, then search the database for the words found in the links I saw in the source code or when I clicked on the ads.
    The results come back with the different tables where those words are mentioned. Within them are scripts telling the ads to show, and what should happen when an ad is clicked (redirection to the links we saw before, automatic or manual, etc.). I deleted those scripts, and whatever had to do with ccode, including the word ccode itself.

    After that, I deleted, at my own risk, some scripts known to be used as backdoors. They include the following PHP functions:
    base64
    str_rot13
    gzuncompress
    eval
    exec
    system
    assert
    stripslashes

    So I searched the database for those functions, then read through them to see if there was anything suspicious within them, like redirection to websites I don’t know, usually Eastern European sites, etc.

    After all that, I changed passwords, etc.

    Not completely done.
    You’ll have to remove its entries from the MySQL database.
    Scan for keywords of the websites it advertises on your site. Scan also for known malware keywords to remove the scripts which may regenerate the malware again.

    Thread Starter karimisaid

    (@karimisaid)

    Okay

    Hi guys

    The same is happening to me.

    This (wp-content/plugins/ccode.php) actually has very bad code in it.
    In my case the url it contacts is http://www.vomndo.xyz/update.php

    What it does is show bad ad pop-ups. I didn’t see it for more like two months. WHY? Because:

    1. I had a s**ty security plugin.

    2. Because the code is set to hide pop-up ads from admins and logged-in users. Luckily, it only shows bad ads if the visitor accessed the website from a search engine (Google, Yahoo, etc.). So, not many of my website visitors saw the forced ads, as I usually share the links to exams and doc files on SCN (fb), and the website is merely 3 months old, not well indexed by search engines.

    That’s the bad thing about it. Everything seems good to you (as an admin or logged-in user; it also uses your browser cookies to recognize you and not show you ads), while forcing visitors to accept notifications of such immoral ads.

    Having discovered the ads, the second challenge was to find the malicious code. I wouldn’t have done it without Wordfence.

    I deleted the ccode.php file (it’s actually a plugin hidden from the plugins dashboard, but still found in the plugins directory, not in a folder). When I deleted it using the file manager, I refreshed the plugins dashboard and there was a WP message saying something like the ccode.php plugin isn’t active as it was deleted, or so. I also found it in the phpMyAdmin database after searching for ccode.php in the tables. There was a match listed under wp_options active_plugins.

    I’m a beginner at troubleshooting. Is there a way to determine if there is an injector of this code/plugin, to avoid it coming back?
    I really don’t want to keep checking my website logged out and from different devices through search engines.
    I hope word spreads about this malicious code, as many wouldn’t realize that their website promotes bad ads, etc.
    Thanks from Marrakech
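The two posts above describe the same cleanup done by hand in phpMyAdmin: look at wp_options active_plugins for the hidden single-file ccode.php entry, then search option values and post content for the ad domain and for the backdoor-style PHP functions listed in the first reply. The script below is an added example, not code from these posts, from WordPress or from Wordfence. It does that scan offline against a SQLite stand-in for wp_options and wp_posts filled with constructed sample rows (the option name ccode_settings, the widget content and the post bodies are invented for the demo; the file name ccode.php and the domain vomndo.xyz are the ones the posts name). It parses the PHP-serialized active_plugins value itself rather than substring-matching it, so a plugin entry with no directory component is flagged as a single-file plugin sitting directly in wp-content/plugins. Against a real site, run the same queries over the live database (after the backup the reply recommends).

```python
"""Scan a WordPress database for leftovers of a hidden ad-injecting plugin.

Added example. Tables are trimmed to the columns used; all rows are constructed.
"""
import re
import sqlite3

# Functions named in the thread; "base64" is widened to base64_* because injected
# code normally calls base64_decode(). Plain assert()/stripslashes() also appear
# in legitimate PHP, so every hit is a lead to read, not proof of malware.
FUNC_RE = re.compile(
    r"\b(base64_\w+|str_rot13|gzuncompress|eval|exec|system|assert|stripslashes)\s*\(")


def _parse(data, pos):
    """Parse one PHP-serialized value (int, string or array) starting at pos."""
    t = data[pos]
    if t == "i":                                   # i:123;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if t == "s":                                   # s:9:"ccode.php";
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])               # PHP counts bytes; ASCII assumed here
        start = colon + 2
        val = data[start:start + n]
        if data[start + n:start + n + 2] != '";':
            raise ValueError("bad string length at %d" % pos)
        return val, start + n + 2
    if t == "a":                                   # a:2:{key;value;key;value;}
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])
        pos = colon + 2
        out = {}
        for _ in range(n):
            k, pos = _parse(data, pos)
            v, pos = _parse(data, pos)
            out[k] = v
        if data[pos] != "}":
            raise ValueError("unterminated array at %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def php_unserialize(data):
    """Strict parser for the int/string/array subset WordPress uses in active_plugins.
    An option that fails to parse is itself worth a look."""
    val, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return val


def hidden_plugin_entries(active_plugins):
    """Plugin entries with no directory component: single-file plugins living
    directly in wp-content/plugins, as ccode.php did. hello.php (Hello Dolly,
    bundled with WordPress) is a legitimate one, so review rather than auto-delete."""
    return [p for p in php_unserialize(active_plugins).values() if "/" not in p]


def find_indicators(text, domains):
    """Labels for ad domains and risky PHP calls found in one stored value."""
    hits = ["domain:" + d for d in domains if d in text]
    hits += sorted({"func:" + m.group(1) for m in FUNC_RE.finditer(text)})
    return hits


def scan_database(con, domains):
    """Walk wp_options and wp_posts, returning one finding per row with hits."""
    findings = []
    for name, value in con.execute("SELECT option_name, option_value FROM wp_options"):
        hits = find_indicators(value, domains)
        if name == "active_plugins":
            hits += ["hidden_plugin:" + p for p in hidden_plugin_entries(value)]
        if hits:
            findings.append({"table": "wp_options", "key": name, "hits": hits})
    for pid, _title, content in con.execute("SELECT ID, post_title, post_content FROM wp_posts"):
        hits = find_indicators(content, domains)
        if hits:
            findings.append({"table": "wp_posts", "key": "ID=%d" % pid, "hits": hits})
    return findings


def build_sample_db():
    """In-memory stand-in for the two tables, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
    """)
    con.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", [
        ("active_plugins", 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"ccode.php";}'),
        ("siteurl", "https://example.com"),                         # clean
        ("ccode_settings", "http://www.vomndo.xyz/update.php"),     # constructed leftover
        ("widget_text", '<?php eval(base64_decode("aGk="));'),      # constructed backdoor
    ])
    con.executemany("INSERT INTO wp_posts (ID, post_title, post_content) VALUES (?, ?, ?)", [
        (1, "Welcome", "<p>Hello</p>"),
        (2, "Exam notes", '<script src="http://www.vomndo.xyz/update.php"></script>'),
    ])
    return con


if __name__ == "__main__":
    for f in scan_database(build_sample_db(), ["vomndo.xyz"]):
        print(f["table"], f["key"], ", ".join(f["hits"]))
```

Each finding names the table and the option name or post ID, which is exactly what you need to locate the row in phpMyAdmin; deleting the value is still a manual decision, since a legitimate row can mention the same domain (a draft post warning readers about the ads, for instance).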
