thinkupverification-js – JS/Agent.SIB trojan
-
Hi
thinkupverification-js is trying to connect to dl.dropboxusercontent.com/s/pxxqg90g7zxtt8n/q67JXA0dJ1dt.js
The file it's trying to connect to is detected as JS/Agent.SIB trojan by ESET antivirus.
Please can you tell me how to fix this. I've been using this theme on my website for around 5 years; I started having this problem yesterday.
Thanks
Dan
-
Same issue here but with the Minamaze Pro theme from the same provider.
I found a few more sites using their themes that have the same issue.
https://aaanz.info/ – https://alante.quarternotesys.com/
I also found this in the theme readme.txt.
= 1.9.10
- Fixed: WooCommerce v3.5.1 compatible.
- Removed: Fallback verification script re-enabled as false positive reports issue resolved.
= 1.9.3
- Fixed: WooCommerce v3.4.2 compatible.
- Removed: Fallback verification script disabled due to false positive reports.
= 1.8.5
- New: Theme option added to disable page intro.
- New: Header image when assigned from theme options panel outputs image alt text.
- Fixed: Main header font family settings now also apply to sticky header.
- Updated: Fallback verification script improved.
= 1.7.1
- New: License verification script added to improve theme security.
I found a temporary fix.
- Copy the below code into a text editor
- Save the file as block-verification.php
- Upload to WP Plugins directory
- Activate the plugin in WP Admin
The plugin blocks dropboxusercontent links and thinkupverification scripts.
<?php
/**
 * Plugin Name: Block External Scripts and Connections
 * Description: Blocks specified scripts, network connections, and references to external domains on both frontend and backend.
 * Version: 1.2
 * Author: Your Name
 */

if (!defined('ABSPATH')) {
    exit; // Exit if accessed directly.
}

class BlockExternalScripts {

    /** Domains this plugin blocks. */
    const BLOCKED_DOMAINS = [
        'dl.dropboxusercontent.com',
        'dropboxusercontent.com',
    ];

    public function __construct() {
        // Block scripts on the frontend.
        add_action('wp_enqueue_scripts', [$this, 'block_scripts'], 9999);
        // Block scripts in the backend.
        add_action('admin_enqueue_scripts', [$this, 'block_scripts'], 9999);
        // Block server-side HTTP requests to the listed domains.
        // pre_http_request is used because http_request_host_is_external is only
        // consulted for hosts that resolve to local addresses, so it cannot block a public host.
        add_filter('pre_http_request', [$this, 'block_external_requests'], 10, 3);
        // Disable DNS prefetching for specified domains on frontend.
        add_filter('wp_resource_hints', [$this, 'remove_dns_prefetch'], 10, 2);
        // Filter database content output on both frontend and backend.
        add_filter('the_content', [$this, 'filter_database_content']);
        add_filter('the_excerpt', [$this, 'filter_database_content']);
        add_filter('widget_text', [$this, 'filter_database_content']);
        add_filter('editor_content', [$this, 'filter_database_content'], 10); // For the block editor.
        add_filter('admin_post_thumbnail_html', [$this, 'filter_database_content']); // Featured image HTML.
        // Block themes from referencing the domains.
        add_action('after_setup_theme', [$this, 'block_theme_references']);
    }

    /**
     * Block specific scripts from being enqueued.
     */
    public function block_scripts() {
        wp_dequeue_script('thinkupverification-js');
        wp_deregister_script('thinkupverification-js');
        wp_dequeue_script('thinkupverification');
        wp_deregister_script('thinkupverification');
    }

    /**
     * Block external HTTP requests to specific domains.
     *
     * @param false|array|WP_Error $preempt     Response to short-circuit with, or false to continue.
     * @param array                $parsed_args HTTP request arguments.
     * @param string               $url         The full URL.
     * @return false|array|WP_Error WP_Error if the request should be blocked.
     */
    public function block_external_requests($preempt, $parsed_args, $url) {
        $host = wp_parse_url($url, PHP_URL_HOST);
        if (is_string($host) && in_array(strtolower($host), self::BLOCKED_DOMAINS, true)) {
            return new WP_Error('blocked_domain', 'Request to a blocked domain was stopped.');
        }
        return $preempt;
    }

    /**
     * Remove DNS prefetching for blocked domains.
     *
     * @param array  $urls          Array of resource hints.
     * @param string $relation_type The type of relation (e.g., 'dns-prefetch').
     * @return array Filtered resource hints.
     */
    public function remove_dns_prefetch($urls, $relation_type) {
        if ('dns-prefetch' === $relation_type) {
            foreach (self::BLOCKED_DOMAINS as $domain) {
                $prefetch_url = '//' . $domain;
                $key = array_search($prefetch_url, $urls);
                if (false !== $key) {
                    unset($urls[$key]);
                }
            }
        }
        return $urls;
    }

    /**
     * Filter content from the database to remove references to blocked domains.
     *
     * @param string $content The post content or widget text.
     * @return string Filtered content.
     */
    public function filter_database_content($content) {
        foreach (self::BLOCKED_DOMAINS as $domain) {
            $content = str_replace($domain, '[blocked]', $content);
        }
        return $content;
    }

    /**
     * Block themes from referencing blocked domains.
     */
    public function block_theme_references() {
        add_filter('theme_mod_header_image', [$this, 'block_theme_mod_references']);
        add_filter('theme_mod_background_image', [$this, 'block_theme_mod_references']);
    }

    /**
     * Remove blocked domain references from theme mods.
     *
     * @param string $url The URL of the theme mod.
     * @return string Filtered URL.
     */
    public function block_theme_mod_references($url) {
        foreach (self::BLOCKED_DOMAINS as $domain) {
            if (strpos($url, $domain) !== false) {
                return ''; // Remove the reference entirely.
            }
        }
        return $url;
    }
}

new BlockExternalScripts();

I got some feedback from the ThinkUPThemes support team. They verified that this is intended behavior and not nefarious…
“It’s not malicious script. It’s a verification script. You can remove with the help of this knowledge base article: https://www.thinkupthemes.com/docs/remove-fallback-verification-script/”
I implemented this in my sub-theme functions.php file as suggested and it works perfectly. Less involved than a plugin-based solution.
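A check that either fix took effect, added here as an example that is not part of the thread: it parses rendered page HTML and reports `<script>` tags loaded from a host other than the site's own, marking those that match the host or tag id named above. The sample HTML, `example.test`, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host and tag id taken from the thread; everything else here is constructed.
WATCHED_HOST = "dropboxusercontent.com"
WATCHED_ID = "thinkupverification-js"


class ScriptAudit(HTMLParser):
    """Collect <script> tags that are external to the site or match the watched markers."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # urlparse also resolves protocol-relative URLs ("//host/path").
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != self.site_host
        watched = (
            a.get("id") == WATCHED_ID
            or host == WATCHED_HOST
            or host.endswith("." + WATCHED_HOST)
        )
        if external or watched:
            self.findings.append(
                {"id": a.get("id"), "host": host or None, "watched": watched}
            )


def audit(html, site_host):
    """Return one finding per external or watched script tag in the HTML."""
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample of a rendered page; the Dropbox path is a placeholder.
SAMPLE = """
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script>
<script src="//dl.dropboxusercontent.com/s/PLACEHOLDER/PLACEHOLDER.js" id="thinkupverification-js"></script>
<script src="https://cdn.example.net/lib.js" id="lib-js"></script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "example.test"):
        print(finding)
```

Run it against the saved HTML of a front-end page and an admin page before and after applying the fix; no finding with `watched` set to `True` should remain.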