Weird visitorTracker code suddenly on my site

There is a file in your plugins directory you should take a look at. /wp-content/plugins/main_configs/users.php There’s a suspect (won’t display in my browser due to corruption) .jpg file located there as well. See if any of that looks at all familiar, or if it looks completely like it doesn’t belong there.

Here’s the decoded script. I obfuscated your URL’s with xxxx-xxxxx in the pastebin file.

https://pastebin.com/U62RDeWK

I have a client with a similar issue, except the script and “image” is located in wp-includes/SimplePie/Net/common_configs. If you change the .jpg to .txt,you should see something like this without the backticks

Thanks for the responses.

This is a site which I haven’t created myself but I’ve been running it for over a year now. Just took a look at the main_configs/ dir and there indeed is two files. I have no idea what those files are.

ClaytonJames how did you decode that script? Do you have any idea what that script does? and what I’m really interested is that why and how that code suddenly got into those three files?

I just ran it through a base64 decoder. Without anything more than just a casual look at things, my first guess would be that if you didn’t install any plugins to track visitors, or manually add any code to any files, then you should assume you’ve had an intrusion. My second guess would be that the two files might work to redirect visitors to unwanted destinations or inject other code. That’s just a guess, but it’s the usual goal for that sort of thing.

Some additional info that might help if you find out it actually is the result of an intrusion: ..carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

One of my clients had the same intrusion. Has anyone found the specific back door that allowed this?

One of our sites has been hit with this as well. Noticed some weird stuff going on with missing braces a day ago, today I found a bunch of files that have:
<!–visitorTracker–><?php @ob_start();@ini_set(“display_errors”,0);@error_reporting(0);echo base64_decode(averylongstring);

Also, it looks like it created a few dozen randomly named files that are duplicates of some of the php files in the theme.

Looks like an intrusion, but no idea what would have caused it.

I had the same issue. I removed the offending files (had about 150 of them starting with tetqwqsad…..) into a badfiles directory. I replaced wp-blog-header.php and .htaccess. That brought the site back up. Still not sure how it infected our site. Even SiteLock didn’t detect it.

This has happened to several of my sites on two different shared hosts. Some sites were even completely up to date core files, plugins, and themes. Some were indexed in search engines and some were not. I use iThemes security on all of my sites and I have most of them set to autoupdate everything.

I’m not sure where the vulnerability is, but it is very annoying. The injected code was mostly wrapped in this comment /*visitorTracker*/ if you don’t have a complete backup of your website it can take awhile to find and destroy all of the add files and fix all of the modified files.

Here’s what I used to track down the files that were added and modified:

• Site Protection
• AntiVirus or Theme Authenticity Checker

If you have more than one theme installed then I would suggest using the “Theme Authenticity Checker” plugin. The Site protection plugin is very good, but you do need to be on a newer version of WP. It will list all of the core files that have been changed and where in the file the corrupt code has been added. If your site has this virus then your themes been modified, if you’re using a twenty-something theme delete the whole thing and install a new version, otherwise it’s probably just in your header.php and foot.php files just search for /*visitorTracker*/

Here is a list of plugins that were not up to date on one of my sites that have had reported vulnerabilities:

iThemes Security 3.0-4.6.12 – Stored Cross-Site Scripting (XSS) (fixed in 4.6.13)
MainWP Child <= 2.0.9.1 – Authentication Bypass (fixed in 2.0.9.2)
WordPress SEO by Yoast <= 2.1.1 – Authenticated Stored DOM XSS (fixed in 2.2)

I added the following plugins as well to track any changes made to files from now on. Hopefully the next time it happens I’ll have a better idea of where the vulnerability is.

• WP Changes Tracker
• WordFence

Same here … took down one of our sites. I noticed several files had changed around 2:39AM this morning. It overwrote header.php in every single theme directory and produced those tetqwd files that Sue mentioned. I’ve restored all of my themes from backups along with plugins … slowly but surely it’s starting to look like a site again but I’d really like to know how this happened.

I have the exact same story. I was lucky because my site went down and that’s how I first noticed this code. There was a small coding error so my whole site showed an error code. It happened around 2:30AM. I replaced the header and footer.php codes in theme folder and wp-blog-header.php. And my site was back up. Then the next day, around the same time as day before same happened again. Those files where replaced with files including that VisitorTracker code. Then I went through all the files on my site and also found out the tetqwd… files and files in /main_configs/ dir and removed them and now site has stayed intact.

Of course it would be very nice to know what happened. How did this happen. Also does anybody know what that code actually does or tries to do?

Same thing happened here…files changed around 1pm today. Modified theme files with visitorTracker code in Header and Footer. Created a folder called /temp_data/ along with image file and user.php.

Was able to restore from a backup and also changed file permissions for now until better solution is found. Hopefully someone can figure out how they got in or what is going on. Is the exploit in core wordpress files? Plugins maybe?

Having the same issue on my site. I removed the tetqwqsad files and the /*visitorTracker*/ code that was inserted into all of the .js files, but much of the site is broken – i.e. an event countdown clock is not working now. ??

Any suggestions as to what can be done? This is pretty devastating.

There’s information here that should help you through some steps you may not have thought of yet: Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

One of our client sites was hit with this issue today. Contacting our hosting provider, upon first glance, they observed strange traffic connecting to the Flexslider jquery library and plugin called custom-facebook-feed. I removed and deleted the facebook plugin and I updated the flexslider js file from version 2.1 to 2.5 to see if this makes a difference. Are any of your existing sites that have been affected running either of these?

Does anyone know if the 4.3.1 update did anything for this issue?