Code lines appeared under every page

[idogan]

#620375

Hi

A code line appeared under pages today, or may be I noticed today
Line is this
if (preg_match(‘/bot|crawl|curl|dataprovider|search|get|spider|find|java|majesticsEO|google|yahoo|teoma|contaxe|yandex|libwww-perl|facebookexternalhit/i’, $_SERVER[‘HTTP_USER_AGENT’])) { echo ”; } ?>

So what is this and how I can correct it
I checked both safariş and google chrome both same.
This line visible on the chrome android mobile also

Thanks

[marklchaves]

#620430

Hello,

Is this all the code that shows up? It’d be great to see the rest of the code if possible. Did you check your console or error logs to see if there is more information or at least some hint of what PHP file is doing this? Did you check to see if your site is set to be on DEBUG mode i.e., WP_DEBUG set to true?

This code snippet is checking if the HTTP entity (agent) that is requesting your page is in this list.

bot|crawl|curl|dataprovider|search|get|spider|find|java|majesticsEO|google|yahoo|teoma|contaxe|yandex|libwww-perl|facebookexternalhit

If the agent (page requestor) is in the list, then the code snippet prints out a

";

Presumably to properly close out another line of code.

Unless someone on this forum has experienced this issue before, this is basically all we’re going to know from this one small snippet of code.

[idogan]

#620447

Hi
Thank you for reply

Yes that is the only codes showed up

Here is the my web site.
I appreciate if you check yourself

https://dribrahimdogan.com

thanks

[marklchaves]

#620487

Hello,

Thanks for the link. I think you should report this issue to your hosting provider as soon as possible. I believe your site may have contracted some sort of malware.

Please ask them to view the source on your homepage and then search for “preg_match”. You can also send them a copy of this screen capture from your homepage source code.

https://www.dropbox.com/s/7nuvi5h6fr8kqqu/dribrahimdogan-com-footer-source.png?dl=0

Best of luck with this.

[idogan]

#620526

Hi

I worked 2-3 hours and find out that footer.php of Avada theme has these lines.
There was redirection to some adult websites
Quttera plugin helped me to find out which file is more suspicious.
Than I downloaded original avada theme end replaced footer php
Than problem looks solved, I hope

Thank you very much

[marklchaves]

#620542

Excellent news, @idogan! Well done. Thanks for sharing your solution. Good to know about Quttera.

I’d still report this if you haven’t yet. Other’s on your hosting platform may be affected. Also, when I searched around for this code snippet, nothing really relevant came up. It would be nice for a security expert to analyse and document an official report/warning for others. Just my two cents.

Best of luck,
mark

[Author]

Posts