Adware being inserted into site

  • Hello. I have a wordpress website. I cant disclose here due to privacy reasons. Over the last few days popadware is being inserted into it.

    Basically a js file is being redirected to adware code. Eg file mydomain.com/wp-content/plugins/example/somefile.js is being redirected to adwaredomain.com/mydomain.com/wp-content/plugins/example/somefile.js

    Here are the things Ive tried – Deleteting and reinstalling fresh plugins, themes, wp-content,wp-admin, wp-includes folders. Also replaced all other wp files with fresh ones from latest. Ive installed various antimalware scanners and wordfence. I also have cloudflare WAF.

    Ive also check. But there seems to be no suspicious logins on the webserver or SSH. Ive tried to use a new database prefix and fresh install. But the redirect still remains. I cannot remove it. Anyone have any idea what could be comprimised? Im bit new so Ive tried all I know.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Anonymous User 9588789

    (@anonymized-9588789)

    Eg file mydomain.com/wp-content/plugins/example/somefile.js is being redirected to adwaredomain.com/mydomain.com/wp-content/plugins/example/somefile.js

    If possible, publicly post the .js file so we can see what exactly is happening in that file.

    • This reply was modified 1 year, 4 months ago by Anonymous User 9588789.
    Thread Starter audacity45

    (@audacity45)

    It extended that files code and adding a popunder ad code to it. Ex if my js files contains login code. It keeps the same code and just adds some more popads code to it. Likely popcash ads. Whats weird is i cant understand how are they redirecting. I checked the database. Fresh install all files. Still cant seem to remove it.

    Anonymous User 9588789

    (@anonymized-9588789)

    What plugin is it? You will need to provide the JS code and ideally all of the plugin files for someone to help.

    Anonymous User 9588789

    (@anonymized-9588789)

    A simpler solution would be to just remove the plugin containing that JS file and find another plugin with the same functionality.

    Thread Starter audacity45

    (@audacity45)

    I did that.Deleted redirecting js plugin. But few days later a different file of different plugin being redirected. Same code. So maybe the server is comprimised? But I check logins and none there. Its a openlitespeed server. No suspicious logins on there either.

    Anonymous User 9588789

    (@anonymized-9588789)

    This is most likely related to a compromised server / web host. You can determine that for sure by installing the same site somewhere else and see if you get the same problem.

    Thread Starter audacity45

    (@audacity45)

    Yeah but like how is it possible to redirect? Im not seeing anything in the plugin or theme. Do you have any idea where such code might be placed.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Adware being inserted into site’ is closed to new replies.