Forum Replies Created

Viewing 15 replies - 1 through 15 (of 52 total)
  • Same issue here–I’ve added my Associates ID and enabled link converter in Tools but nothing is working.

    All I want the plugin to do is add “?tag=myaffiliateid-20” to the end of URLs. I don’t need any other features. Is there a way to do only this?

    So how was this resolved? The code posted above does NOTHING.

    On one blog, I get three duplicates. On another, the number varies: five, twelve (!), seven (twice), etc. Other sites, it varies also.

    I will have to deactivate this since there doesn’t seem to be a fix for this as of yet. I cannot spend my days deleting multiple posts.

    @scottolson_byram ! Long time no see! Another Pair buddy from 1997 here. And this is a “me, too” post for a broken WP 4.1 visual editor, and have spent the afternoon removing all of those emergency fixes. All are working fine now.

    Actually my error was around line 700 in the theme. I made a similar fix as follows.

    Original:

    function ttfmake_backcompat_action() {
    	$action = 'ttf' . current_action();
    	do_action_ref_array( $action, func_get_args() );
    }

    New:

    function ttfmake_backcompat_action() {
    	$action = 'ttf' . current_action();
    	$args = func_get_args();
    	do_action_ref_array( $action, $args );
    }

    The prior fix shown above was already in place. I changed this bit of code, and the theme is back to working perfectly.

    I don’t think this so-called “designer” we used has any idea how much extra work he has created for me.

    I thought I had scanned everything, yet I had to keep this theme in place since the designer directly modified the files in the theme, vs. doing it the proper way by putting modifications into a child theme.

    Today I found another issue. I clicked one of the links in the menu bar, and I got redirected to a totally unrelated video on YouTube (Justin Bieber tripping while playing basketball–a video title that attracts viewers in other words). This video, of course, is “monetized” and plagued with ads. Now I don’t know if this is in the theme, or in yet another plugin which is tainted! (This menu link normally points to a “glossary” which is populated by a plugin.) Yet a second time I click the link, it goes to the proper destination. This behavior reminds me of how clever our “genericstts” exploit was–it would only appear when logged out.

    Needless to say, I am at the point of scrapping the entire project and starting over. The only thing usable is the logo this guy made. I can redesign it similarly.

    I personally know better than to install nulled scripts, but ended up having this mess made by a third party dumped in my lap anyways…

    @jeroenverhoef, our theme was from ThemeForest also, but the problem we had is that the designer we supposedly trusted had downloaded the theme and the bad plugin from a site that distributes nulled scripts, rather than doing the professional thing and paying for them. (I do not want to post that URL publicly.)

    Personally I don’t like this theme (or anything from ThemeForest for that matter), but the site owner liked the layout of it and the features.

    If you do find the plugin or theme is infected with this, please report it. If the plugin came through www.ads-software.com, there must be a way to report it so others do not get affected.

    Our site was not yet live, and security is very strict (we protect the wp-admin directory with both password and IP restrictions), so we were not compromised. Still, I have reset everyone’s password to be safe, and I can easily restore from an old backup since we only have half a dozen posts ready for the preview.

    Yes, it is a serious exploit.

    I would say that based on this discussion, two things are in common:

    1) The exploit has shown up in different plugins and/or themes, not any single one;

    2) Many of these were from illegally obtained “nulled” scripts, for which I have to say, if you steal software, you deserve what you get. As a former coder myself, I think those who use pirated, stolen software are as low on the food chain as those who null and distribute them to begin with. Sorry. Theft of intellectual property totally rubs me the wrong way.

    There are ways the exploit can be injected into plugins or themes that come through official channels, as I found one plugin listed above which is now removed from the WP plugin repository (the support thread remains, but the plugin is no longer listed). It is rare, but it can happen. I always try to download either through the WP system, or directly from the publisher’s site. And yes, my clients pay if a license is needed for the product. That’s non-negotiable with me.

    In my case, it was a nulled script. Someone had recommended we use this designer, who I think did this as a freebie favor for our site owner. The exploit turned up when the site quit loading (waiting for the non-responsive genericstts.com site to load). That was my clue something was wrong, but I didn’t see how wrong it was until investigating further. Turns out this designer not only used at least one nulled plugin (Coming Soon Pro), he also used a nulled version of the Bolid theme by ThemeForest. Both were obtained from a directory that links to nulled WordPress themes and plugins.

    So, in our case, this was put on our server without our knowledge, thinking we could trust this hack. He had no clue: he did not know his way around a typical WP installation. He bitched about our multisite setup being “some strange way you have this set up”, and the only way he knew to get a theme and plugins up was to upload the complete directory from his computer. Needless to say, he’s persona non grata.

    I posted this simply as a warning to be careful when subcontracting or accepting the unknown work of others. Pirated (nulled) software is illegal, which opens the site owner up for all sorts of legal liabilities. And the exploit could have compromised our server and data integrity. Using this nulled garbage is a recipe for trouble.

    This just shows that even using grep, the code was obfuscated so we would not find it. What I may do (when I’m back from my travels in a couple of weeks) is write a regular expression that would find the words “include” or “require” referencing popular non-text files such as .png, .jpg, .pdf, etc. in the same statement, and use that with grep as a security tool. With this theme and plugins the designer installed, I cannot trust anything, and I find he sourced our theme from a nulled script source as well.

    Anyone who uses nulled scripts deserves this, in my opinion. But when a third party, supposedly a professional, installs this in an otherwise legitimate setting such as ours, it opens us up to both severe server vulnerabilities and legal liabilities for running stolen software.

    @deniz87: that plugin no longer exists. Go to that page you linked to, and click on “Description”. It was probably removed for having that vulnerability injected into it.

    Found it!

    Gosh dang it! That hack of a “designer” used a nulled plugin on our site. The plugin is called “Coming Soon Pro” and sure enough, at the very bottom of the file, I found this:

    <?php include ('images/social.png'); ?>

    And sure enough, social.png is a PHP file full of a confusing array of function names and Base64-obfuscated code.

    Now I don’t trust anything this designer did, and I’m going to do a more intense search.

    I don’t know what’s worse. A professional coder who knowingly installs nulled scripts, or a clueless amateur design hack who has no clue about server security and the respect of copyright!

    Props to @mreee and @delraycomputers . And everyone else who chipped in. Thanks much!!

    Hmmm…great stuff!

    This concerns me though. Read through the StackOverflow link that @delraycomputers posted above. One of the comments reads thus:

    >> This is what happens when you are using nulled themes… Actually the social.png is a php script which finds all records in servers database table and sends them to a specific host, so they can access your server. – kachar Jun 3 at 11:46 <<

    If I find out that this so-called designer used a “nulled” theme, there will be some fireworks this evening. And I will say that anyone using a nulled theme deserves as much!! Paying for intellectual property is the right thing to do; using nulled scripts and themes only robs professionals like me who do it (or used to do it) for a living.

    Thanks everyone–I am going to search for that myself and see what I can find. You’ve all given me some clues as to what to look for. Back shortly!

    No idea here as of yet. Now when I reload the site, same thing happens: the code does not come back. But we have a major preview coming up (we already missed one deadline because of this effing script), and we cannot afford to have advertisers see our site be down because some rogue site is analyzing our traffic patterns.

    I just tried the domain link again, and now the server returns a “500” error. See, this is exactly what will happen if some rogue plugin or theme references this script and site, and the server is down or malfunctioning.

    The fact that the code is not in a text-based file within wp-content anywhere, nor do any of my themes and plugins mention this in their licensing, privacy policies and/or terms of service, I am personally considering this script and site to be malicious. If it weren’t malicious, why would it only appear occasionally, and why would it be cloaked to where I cannot find it? Whoever is inserting this needs to prove to US that it is not malicious, and also give us the ability to disable it. My security senses are on red alert with this one–I am not going to blindly assume it is not doing anything bad. It as yet hasn’t even proven to do anything good!

    So, I’m still searching…I’ll report back if/when I find anything.

    We can’t assume it isn’t harmful either–I’d be slacking in my responsibilities if I did so. Why cloak it in the code, then, if it’s not doing something it shouldn’t? What is there to hide that is so important we not find out where this script tag comes from? (I did a grep on <script …> tags also during my investigation and that also came up empty–no reference to this domain or the JS file it accesses in any other <script> tags.)

    While I can understand CloudFlare being used (we tried it, but they have poor reliability for high-volume sites), why protect the WHOIS information if you’re a legitimate business? If privacy on a home address is an issue, get a P.O. Box like other companies do.

    I think one thing really bothering me beyond this is that the site owner and his “marketing” person insisted I use this designer, and the person is a rank amateur working with WordPress. Couldn’t use multisite properly, installed dicey plugins, left things a mess, and the only way he could figure out how to create a site was to upload an entire WP install to the directory–had NO CLUE that you simply install the theme directory. This is the level of ineptitude I’m dealing with. And then after booting him from the server, I find this rogue domain being accessed.

    It has not been a good week.

    Using grep is much faster on the server, scans all files in one pass and catches everything via regex pattern matching. That domain is nowhere to be found in any of the code. Why is it being cloaked as it is? Or in other words, what are they hiding, and why do they feel a need to hide it?

    And why should I trust a script from a site that claims to be “generic stats and CDN”? I don’t; I can’t, not as a server admin and security professional. What’s to say they are not collecting all of the information sent in a typical HTTP request? Why should a third party such as that be privy to exactly who visits our site?

    Even if this were legit, the site owner cannot afford to have the entire site stalled because that server is unreliable.

    I do plan on getting to the bottom of this.
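
The grep check proposed in the replies above (an `include` or `require` that names a `.png`, `.jpg`, `.pdf` or similar file in the same statement), written out as an added example; it is not code from the poster or from any plugin mentioned. It goes one step further with a second check for media files that contain a PHP open tag. The extension list and every sample file name other than `images/social.png` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage a WordPress tree for a
# PHP payload hidden behind an image extension.

# Extensions that include/require should never target (assumed list).
EXT='png|jpe?g|gif|ico|bmp|svg|pdf'

# Check 1: include/require whose statement (text up to the next ';')
# names a file ending in one of $EXT. Prints file:line:text.
find_suspicious_includes() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \) \
        -exec grep -nHiE "(include|require)(_once)?[^;]*\.($EXT)[\"' )]" {} +
}

# Check 2: files with a media extension that contain a PHP open tag.
# Still finds the payload when the include path is assembled at runtime.
find_php_in_assets() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.pdf' \) \
        -exec grep -liaF '<?php' {} +
}

# Constructed sample tree (file names other than social.png are made up).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/plugin/images" "$d/theme"
    printf '%s\n' '<?php' 'function soon_init() {}' \
        "include ('images/social.png'); ?>" > "$d/plugin/soon.php"
    printf '%s\n' '<?php $k = "b64"; /* stand-in payload */' \
        > "$d/plugin/images/social.png"
    # Legitimate code: a normal require and an <img> reference, not flagged.
    printf '%s\n' '<?php' "require_once 'inc/helpers.php';" \
        'echo "<img src=\"logo.png\">";' > "$d/theme/functions.php"
    printf '\211PNG\r\n\032\n' > "$d/theme/logo.png"
    echo "$d"
}

# Scan the directory given as $1, or the constructed sample if none.
root=${1:-$(make_sample_tree)}
echo "== include/require of non-code files =="
find_suspicious_includes "$root" || true
echo "== media files containing PHP =="
find_php_in_assets "$root" || true
```

Pass the path to `wp-content` as the first argument to scan a real install; check 1 is a triage filter and can also hit comments that mention an image file, so read each hit before acting on it.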
