bad url inserted in mystile files; next step?

  • I am running most current version of WP with WooCommerce 2.1.2 and have Mystile theme installed and a custom Mystile1 theme that is active.

    I have wordfence security plug in that recently gave me these errors after a scan. It seems something/one got into these files and added a bad URL. It says the file types are not a core, theme or plug in file? Wordfence gives me the option of deleting these files.

    Before I thought of doing that, I viewed the file within Wordfence copied all the text and pasted into a word file and did a search for https://bit.ly/ but nothing came up. Are these files needed?

    This is the message for 4 files below

    File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile/functions/admin-functions.php
    Filename: wp-content/themes/mystile/functions/admin-functions.php
    Bad URL: https://bit.ly/
    File type: Not a core, theme or plugin file.
    Issue first detected: 1 hour 30 mins ago.
    Severity: Critical
    Status New
    View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    This file contains a suspected malware URL listed on Google’s list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: https://bit.ly/ – More info available at Google Safe Browsing diagnostic page.

    File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile/functions/functions-changelog.txt

    File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile1/functions/admin-functions.php

    File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile1/functions/functions-changelog.txt

    What should be my next step?

    https://www.ads-software.com/plugins/woocommerce/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter tangerine3

    (@tangerine3)

    so i checked all four files on my hosting server and only two files have the supposedly bad url code https://bit.ly/.

    * File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile/functions/admin-functions.php
    and
    * File contains suspected malware URL: /home6/chromeho/public_html/wp-content/themes/mystile1/functions/admin-functions.php

    I went back through all my backup files for these two files as far as January 2014 and they all have this url in them. This is where it is listed (see bold italic line). Does anyone know if this is normal code? Throughout the file there is reference to bitly but only as in a url form once.

    /*-----------------------------------------------------------------------------------*/
/* Woo URL shortener */
/*-----------------------------------------------------------------------------------*/
function woo_short_url($url) {
$service = get_option( 'woo_url_shorten' );
$bitlyapilogin = get_option( 'woo_bitly_api_login' );;
$bitlyapikey = get_option( 'woo_bitly_api_key' );;
if (isset($service)) {
switch ($service)
{
case 'TinyURL':
$shorturl = getTinyUrl($url);
break;
case 'Bit.ly':
if (isset($bitlyapilogin) && isset($bitlyapikey) && ($bitlyapilogin != '') && ($bitlyapikey != '')) {
$shorturl = make_bitly_url($url,$bitlyapilogin,$bitlyapikey,'json' );
}
else {
$shorturl = getTinyUrl($url);
}
break;
case 'Off':
$shorturl = $url;
break;
default:
$shorturl = $url;
break;
else {
$shorturl = $url;
}
return $shorturl;
}
//TinyURL
function getTinyUrl($url) {
$tinyurl = file_get_contents_curl( "https://tinyurl.com/api-create.php?url=".$url);
return $tinyurl;
}
//Bit.ly
function make_bitly_url($url,$login,$appkey,$format = 'xml',$version = '2.0.1')
{
//create the URL
$bitly = 'https://api.bit.ly/shorten?version='.$version.'&longUrl='.urlencode($url).'&login='.$login.'&apiKey='.$appkey.'&format='.$format;
//get the url
//could also use cURL here
$response = file_get_contents_curl($bitly);
//parse depending on desired format
if(strtolower($format) == 'json')
{
$json = @json_decode($response,true);
return $json['results'][$url]['shortUrl'];
}
else //xml
{
$xml = simplexml_load_string($response);
<strong>return 'https://bit.ly/'.$xml->results->nodeKeyVal->hash;</strong><em>
}
}
//Alternative CURL function
function file_get_contents_curl($url) {
if ( $url == '' || $url == null ) { return ''; }
$data = '';
$response = wp_remote_get( $url );
if ( is_wp_error( $response ) ) {
$data  = $url;
} else {
$data = $response['body'];
}
return $data;
} // End file_get_contents_curl()
// Checks for presence of the cURL extension.
function _iscurlinstalled() {
if  (in_array  ( 'curl', get_loaded_extensions())) {
if (function_exists( 'curl_init')) {
return true;
} else {
return false;
}
}
else{
if (function_exists( 'curl_init')) {
return true;
} else {
return false;
    Thread Starter tangerine3

    (@tangerine3)

    just did another wordfence scan and the errors were gone???

    Thread Starter tangerine3

    (@tangerine3)

    the correct answer for me to what I thought was a problem would have been that the code: https://bit.ly/ is used to shorten long urls and it was not a threat at all.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘bad url inserted in mystile files; next step?’ is closed to new replies.