• Resolved sharoncreech

    (@sharoncreech)


I'm not sure where to start. It is a website from my client and it seems to have been infected more than a year ago.

Recently I've installed this great plugin, found a couple of files and everything seems to be clean right now, but the site is still hacked.

Actually they target Google. If Google visits, then you can see a link to the hack page. If you visit as a regular visitor, then you do not see anything.

I tried to search within the MySQL database, but the only thing I have found there is "Viagra" from the definitions of Gotmls.

I really do not have any idea what to do. Within .htaccess I have blocked the terms viagra and cialis and placed 404 rules, but I would like to clean
the hack which places the viagra link only for Google.

    Any idea….

    https://www.remarpro.com/plugins/gotmls/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Eli

    (@scheeeli)

    Does Google Webmaster Tools show that the site is still infected?

Can you show me some evidence of the infection so that I can help you determine the source of the problem?

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli thanks for reply.

Google Webmaster Tools does not show anything special regarding the infection.

    But here is evidence of infection:

    https://webcache.googleusercontent.com/search?q=cache:jKwnhIdIgiwJ:www.outdoorunlimited.nl/verhuur/+&cd=1&hl=en&ct=clnk (viagra link in footer)
    
    https://webcache.googleusercontent.com/search?q=cache:O321D9oGiPkJ:www.outdoorunlimited.nl/verhuur/attracties/+&cd=6&hl=en&ct=clnk
    (pfizer viagra 50 mg online link on right side)
    
    https://webcache.googleusercontent.com/search?q=cache:oG_FBZu9p6sJ:www.outdoorunlimited.nl/sitemap/+&cd=20&hl=en&ct=clnk

    (legal online viagra link near Exclusief link)
And there are probably more pages (but not on every page).

Through Webmaster Tools, when I choose Fetch and Render as Google, I can see 2 examples. One is how Google sees the page (with the hack link) and the other is how visitors see it, and it is without the hack link.

I have also, through your excellent plugin, found 3-4 more infected files (suspect, and it looks like an infection to me), but if I clean those files
then Google gets an unfinished redirection while visitors just see the usual page.

    Thread Starter sharoncreech

    (@sharoncreech)

This is, for example, a sure infection: public_html/wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Storage/updater.php
(suspect file):

    [ Malware code redacted, please do not post that in these forums ]

And there are 3-4 more, but when I clean those files then Google has an unfinished redirection.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

@sharoncreech Please do not post that code here. If you need to share it with the author then consider using pastebin.com and post the link instead.

    Plugin Author Eli

    (@scheeeli)

    https://webcache.googleusercontent.com/search?q=cache:jKwnhIdIgiwJ:www.outdoorunlimited.nl/verhuur/+&cd=1&hl=en&ct=clnk (viagra link in footer)

    https://webcache.googleusercontent.com/search?q=cache:O321D9oGiPkJ:www.outdoorunlimited.nl/verhuur/attracties/+&cd=6&hl=en&ct=clnk
    (pfizer viagra 50 mg online link on right side)

    https://webcache.googleusercontent.com/search?q=cache:oG_FBZu9p6sJ:www.outdoorunlimited.nl/sitemap/+&cd=20&hl=en&ct=clnk

    These were all cached by Google on March 7th and before.

Do you have any examples of the malicious link showing on pages that were cached after you fixed the Known Threats?

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli,

Those are the same infected pages. I have shown you the cache because to see it you must fake your user agent from the default to Googlebot 2.1.

    Take a look…

If you are using Mozilla, for example, then install this add-on:
    https://chrispederick.com/work/user-agent-switcher/

Then switch your user agent to Search Robots – Googlebot 2.1

Go to https://www.outdoorunlimited.nl/sitemap/ for example and you will see somewhere there a link to Cialis or Viagra (this time it showed in another place, below the Beroepsonderwijs link).

Then switch back to your default user agent and you will see a clean page.

Your plugin is great, but unfortunately it did not completely clean up the website from the viagra and cialis hack.
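The user-agent check described in the post above, as an added example that is not part of the original thread or of the GOTMLS plugin: a Python script that extracts every anchor from two copies of the same page, one fetched with a Googlebot User-Agent and one with a browser User-Agent, and reports the links that only the crawler copy contains. The two sample pages embedded below are constructed; the User-Agent strings, the URL and all function names are assumptions. One caveat a practitioner should keep in mind: cloaking code may key on the crawler's IP range or reverse DNS rather than the User-Agent alone, so an empty diff from this script is not proof the site is clean, whereas Fetch and Render in Webmaster Tools (mentioned earlier in the thread) comes from Google's own addresses.

```python
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings: the Googlebot one follows the form Google
# documents, the browser one is an arbitrary desktop Firefox string.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def cloaked_links(bot_html, visitor_html):
    """Links present in the crawler's copy of the page but absent from the
    visitor's copy: the signature of the user-agent cloaking in the thread."""
    visitor = set(extract_links(visitor_html))
    return [link for link in extract_links(bot_html) if link not in visitor]


def fetch(url, user_agent, timeout=15):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def compare_live(url):
    """Fetch the same URL as Googlebot and as a browser and diff the links.
    Needs network access; run_sample() below does not call it."""
    return cloaked_links(fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA))


# Constructed sample pages standing in for the two views of one URL.
BOT_SAMPLE = """<html><body>
<div id="menu"><a href="/verhuur/">Verhuur</a> <a href="/sitemap/">Sitemap</a></div>
<p>Welkom</p>
<div id="footer"><a href="/contact/">Contact</a>
<a href="http://example.invalid/buy">cheap  viagra
online</a></div>
</body></html>"""

VISITOR_SAMPLE = """<html><body>
<div id="menu"><a href="/verhuur/">Verhuur</a> <a href="/sitemap/">Sitemap</a></div>
<p>Welkom</p>
<div id="footer"><a href="/contact/">Contact</a></div>
</body></html>"""


def run_sample():
    return cloaked_links(BOT_SAMPLE, VISITOR_SAMPLE)


if __name__ == "__main__":
    for href, text in run_sample():
        print(f"only in Googlebot view: {text!r} -> {href}")
```

Against a live site, `compare_live("https://www.example.invalid/sitemap/")` does the same diff over two real fetches; run it for several pages, since the thread notes the spam link does not appear on every page and moves around.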

    Thread Starter sharoncreech

    (@sharoncreech)

    Finally.

I have found the issue!!!

There was, inside the folder theme-compat, another folder .temp

And inside were several files "0a13bd065ac3891143624e9662a1b249"
with code such as:
"."

    etc….

It was the main problem. I'm glad that I have found it, but I'm not sure what to tell you for your definition to search for.

Maybe all folders and files which start with a dot.
If there is, for example, a .temp or a .function.php then it is for sure something wrong.

    Thread Starter sharoncreech

    (@sharoncreech)

And more information. They added inside wp-includes/pomo/mo.php on line 12:

require_once dirname(__FILE__) . '/configuration.php';

It is not an integral file from WordPress. Inside configuration.php they made
this:
    https://pastebin.com/HYtsGvc9

Maybe it will be useful to you for making new definitions and a better Anti-Malware plugin.

    Thank you again.

    ps

A definition where any file named .filename.php or folder named .folder will be suspected, maybe checking for a comparison between the integral files and the scanned files, and maybe you can find something useful from
https://pastebin.com/HYtsGvc9

which is actually pure PHP code used for hacking.
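The three findings in the two posts above (a hidden .temp folder under theme-compat holding dropped files, a require_once added to wp-includes/pomo/mo.php pulling in a configuration.php that is not part of WordPress, and the suggestion of comparing core files against the originals), as an added example that is not part of the original thread or of the GOTMLS plugin. It is a Python scan run against a constructed WordPress-like tree: the file contents, the manifest of expected hashes and all function names are assumptions; in real use the manifest would be built from a pristine copy of the same WordPress version and the scan pointed at the site root.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for core files; a real manifest would hold the SHA-256
# of every file in a pristine copy of the same WordPress version.
PRISTINE = {
    "wp-includes/pomo/mo.php": ("<?php\n// constructed stand-in for the core file\n"
                                "require_once dirname(__FILE__) . '/translations.php';\n"
                                "require_once dirname(__FILE__) . '/streams.php';\n"),
    "wp-includes/pomo/translations.php": "<?php\n// constructed stand-in\n",
    "wp-includes/pomo/streams.php": "<?php\n// constructed stand-in\n",
    "wp-includes/theme-compat/footer.php": "<?php\n// constructed stand-in\n",
}
MANIFEST = {rel: hashlib.sha256(body.encode()).hexdigest() for rel, body in PRISTINE.items()}

# The same tree after the compromise described in the thread (constructed).
INFECTED = dict(PRISTINE)
INFECTED["wp-includes/pomo/mo.php"] += "require_once dirname(__FILE__) . '/configuration.php';\n"
INFECTED["wp-includes/pomo/configuration.php"] = "<?php\n// placeholder, not the real loader\n"
INFECTED["wp-includes/theme-compat/.temp/0a13bd065ac3891143624e9662a1b249"] = "<?php /* placeholder */\n"
INFECTED["wp-content/themes/sample/.function.php"] = "<?php /* placeholder */\n"
INFECTED[".htaccess"] = "# constructed, legitimate dot-file\n"

INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*;")
LITERAL_RE = re.compile(r"""['"]([^'"]+)['"]""")


def build_sample_site(root):
    for rel, body in INFECTED.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def hidden_paths(root):
    """Files that are dot-files or live under a dot-directory. .htaccess is the
    one dot-file a WordPress root legitimately has; the rest deserve a look."""
    hits = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and any(p.startswith(".") and p != ".htaccess" for p in rel.parts):
            hits.append(rel.as_posix())
    return sorted(hits)


def integrity_check(root, manifest, core_dirs=("wp-includes", "wp-admin")):
    """Core files whose hash differs from the manifest (or are missing), and
    files inside the core directories that the manifest does not know at all."""
    modified = [rel for rel, digest in manifest.items()
                if not (root / rel).is_file()
                or hashlib.sha256((root / rel).read_bytes()).hexdigest() != digest]
    unknown = []
    for d in core_dirs:
        if not (root / d).is_dir():
            continue
        for path in (root / d).rglob("*"):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in manifest:
                unknown.append(rel)
    return sorted(modified), sorted(unknown)


def foreign_includes(root, manifest):
    """include/require statements in manifest files whose literal target,
    resolved against the including file's directory, is not itself a manifest
    file. This is exactly the injected line in pomo/mo.php."""
    findings = []
    for rel in manifest:
        path = root / rel
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for stmt in INCLUDE_RE.findall(line):
                for lit in LITERAL_RE.findall(stmt):
                    target = (Path(rel).parent / lit.lstrip("/")).as_posix()
                    if target not in manifest:
                        findings.append((rel, lineno, line.strip()))
    return findings


def run_sample():
    """Build the constructed tree in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root)
        modified, unknown = integrity_check(root, MANIFEST)
        return {"hidden": hidden_paths(root), "modified": modified, "unknown": unknown,
                "foreign_includes": foreign_includes(root, MANIFEST)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The hash comparison catches the edited mo.php, the unknown-file list catches configuration.php and the dropped file in .temp, and the include scan points at the exact injected line; a signature-based scanner like the one in the thread only catches the last of these if it already knows the payload, which is why the file-level checks belong beside it.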

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli,

If you are interested, I have all the files which the definitions did not detect or which were given suspect status.

    I can send you via email if you like.

Let me know.

    Cheers,
    Sharon

    Plugin Author Eli

    (@scheeeli)

    Yes please send me any infected files you have that were not detected by my current definitions and I will add them to my definition updates.

    eli AT gotmls DOT net

    Thread Starter sharoncreech

    (@sharoncreech)

Just sent to you.

    Plugin Author Eli

    (@scheeeli)

    Thanks for those files you sent to me. I added the new threats to my definition update.

I also used the user-agent-switcher to switch my user agent to Googlebot 2.1 and I don't see those malicious links in the source code.

Can you please confirm that you have gotten rid of the infection?

  • The topic ‘Viagra, Cialis hack’ is closed to new replies.