I’m getting an error with the WordPress page REMOVED, it seems that the website 2zz3.gq
is being “injected” into the request but I’m not really sure when or how.
When I try to load the page on Chrome I see a “The site ahead contains malware” error:
But I see no error on Firefox or other browsers. How can I solve this issue?
So far I have tried:
- Running WordFence Plugin for Malware removal (no infections found)
- Running Sucuri Security Plugin (also no threats found)
- I blocked incoming requests from the website 2zz3.gq (apparently a server from Russia) but the error still appears on Chrome.
Could someone please give me some advice on this issue?
Is the plugin disabled now?
Check the source of your site to see if it has been modified in any way.
Easiest might be to restore a backup to ensure you don’t miss any malicious changes.
WARNING
This is malicious code. I’ve put it on here for explanation purposes, but I’d recommend that you DO NOT execute this.
It’s not as bad as a link that someone might accidentally click, and I figure this warning should suffice for anyone who decides that pasting this into their JS console seems like a good idea…
I see the following packed code block when I curl your site:
which translates to:
Note the line
which actually constructs the 2***.gq url.¹ If you don’t have a stat01 cookie set, it loads stat.php from there (presumably malicious JS source) and executes it using eval. In the process of making the request, it also sends up some user data (for metrics, loading proper exploit code, or something else?), including the current hostname and the useragent of the user’s browser.
Note that, should this fail, it also falls back on loading a URL at another domain, l2***.ga/counter.php¹, in an iframe.
¹ link purposely broken, see source if you’re interested
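A defender-side check that follows the advice in this thread (inspect the served source, and look for the packed eval loader, the cookie gate and the iframe fallback the answer describes), written as an added example; it is not code from the thread or from either of the plugins mentioned. The only indicators taken from the thread are the 2zz3.gq host and the stat01 cookie name. The sample HTML, the example.com and bad.example.invalid hosts, the rule names and the list of free-registration TLDs are constructed for illustration, and every rule is a heuristic that flags a file for manual review rather than proving an infection.

```python
"""Heuristic scanner for the injection described in the answer above:
a packed (p,a,c,k,e,d) JavaScript loader gated on a cookie, eval() of a
fetched script, and an <iframe> fallback to a second external host.
Added example, not code from the thread. Run it over a saved copy of the
served page (curl -s https://your-site/ > page.html) or over the
WordPress tree on disk."""
import re
import sys
from pathlib import Path

# Indicators quoted in the thread: the injected host and the cookie name.
KNOWN_BAD_HOSTS = {"2zz3.gq"}
COOKIE_GATE = "stat01"

# (label, regex). Heuristics: a hit means "review this by hand", not "infected".
RULES = [
    # Dean Edwards packer prologue, eval(function(p,a,c,k,e,d){...
    ("packed-js", re.compile(
        r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")),
    # eval() applied to the body of an XMLHttpRequest response
    ("eval-of-response", re.compile(r"\beval\s*\(\s*\w+\.responseText", re.I)),
    # document.cookie checked against the gating cookie name
    ("cookie-gate", re.compile(r"document\.cookie[^;]{0,80}" + re.escape(COOKIE_GATE))),
    # <iframe> pointing at another host (group 1 = host)
    ("external-iframe", re.compile(
        r"<iframe[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)),
    # any URL on a free-registration TLD (constructed list; group 1 = host)
    ("free-tld-host", re.compile(
        r"(?:https?:)?//([a-z0-9.-]+\.(?:gq|ga|ml|cf|tk))\b", re.I)),
]


def scan_text(text, own_host):
    """Return [(label, detail)] findings for one HTML/JS/PHP document.
    own_host is the site's own hostname, so iframes to it are not flagged."""
    findings = []
    for label, rx in RULES:
        for m in rx.finditer(text):
            host = m.group(1).lower() if m.groups() else None
            if label == "external-iframe" and host == own_host.lower():
                continue
            findings.append((label, host or m.group(0)[:60]))
    lowered = text.lower()
    for host in KNOWN_BAD_HOSTS:
        if host in lowered:
            findings.append(("known-bad-host", host))
    return findings


def scan_tree(root, own_host, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a WordPress install and map file path -> findings (non-empty only)."""
    report = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in suffixes):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        found = scan_text(text, own_host)
        if found:
            report[str(path)] = found
    return report


# Constructed sample of what a curl of an injected page might contain.
# The packer call is inert (it just returns its first argument) and the
# cookie-gated loader body is left out on purpose; only the markers remain.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<script>eval(function(p,a,c,k,e,d){return p}('',0,0,''.split('|'),0,{}))</script>
<script>if(document.cookie.indexOf('stat01')<0){/* loader omitted */}</script>
<script src="http://2zz3.gq/stat.php"></script>
<noscript><iframe src="//bad.example.invalid/counter.php"></iframe></noscript>
<iframe src="https://example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # scanner.py /var/www/html example.com
        own = sys.argv[2] if len(sys.argv) > 2 else ""
        for path, found in scan_tree(sys.argv[1], own).items():
            print(path, found)
    else:                                      # no args: scan the constructed sample
        for finding in scan_text(SAMPLE_HTML, "example.com"):
            print(finding)
```

Run it with no arguments to see the findings on the constructed sample, or pass the document root and your own hostname to walk a whole install. A file that hits packed-js together with cookie-gate or an external iframe is the one to diff against a clean backup first; a single free-tld-host hit on its own is weak evidence and is worth checking before acting on it.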