Saturday 17 July 2021

Wordpress infection

I inherited a WordPress site for a company. That company submitted adverts to Google which referenced the Website.

Infrequently, Google would reject the advert saying the Website had malicious code on it would reference URLs such as:


The site was submitted to various scanners but I could not find the problem.

Eventually the problem was found because the site encountered an issue and a Wordpress email described the problem.

 Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

In this case, WordPress caught an error with one of your plugins, Monetization Code plugin.

WordPress version 5.7.2
Current theme: H-Code Child (version 1.1)
Current plugin: Monetization Code plugin (version 1.0)
PHP version 7.3.12

An error of type E_PARSE was caused in line 89 of the file /var/www/wp-content/plugins/mplugin.php. Error message: syntax error, unexpected end of file

The last part indicated the file in question mplugin.php.

You also neeed to check the database.

 SELECT * FROM `wp_options` WHERE (CONVERT(`option_name` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`option_value` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`autoload` USING utf8mb4) LIKE '%ad_code%') LIMIT 50


The wp-content\plugins\admin_ips.txt file contains a list of administrator IPs - when the Website is called from these IPs the ad code is hidden, to stop you discovering it.


No comments:

Post a Comment