Avada Forums Community Forum Code lines appeared under every page

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • idogan
    Participant
    Post count: 9

    Hi

    A code line appeared under pages today, or may be I noticed today
    Line is this
    if (preg_match(‘/bot|crawl|curl|dataprovider|search|get|spider|find|java|majesticsEO|google|yahoo|teoma|contaxe|yandex|libwww-perl|facebookexternalhit/i’, $_SERVER[‘HTTP_USER_AGENT’])) { echo ”; } ?>

    So what is this and how I can correct it
    I checked both safariş and google chrome both same.
    This line visible on the chrome android mobile also

    Thanks

    marklchaves
    Participant
    Post count: 873

    Hello,

    Is this all the code that shows up? It’d be great to see the rest of the code if possible. Did you check your console or error logs to see if there is more information or at least some hint of what PHP file is doing this? Did you check to see if your site is set to be on DEBUG mode i.e., WP_DEBUG set to true?

    This code snippet is checking if the HTTP entity (agent) that is requesting your page is in this list.

    bot|crawl|curl|dataprovider|search|get|spider|find|java|majesticsEO|google|yahoo|teoma|contaxe|yandex|libwww-perl|facebookexternalhit

    If the agent (page requestor) is in the list, then the code snippet prints out a

    ";

    Presumably to properly close out another line of code.

    Unless someone on this forum has experienced this issue before, this is basically all we’re going to know from this one small snippet of code.

    idogan
    Participant
    Post count: 9

    Hi
    Thank you for reply

    Yes that is the only codes showed up

    Here is the my web site.
    I appreciate if you check yourself

    https://dribrahimdogan.com

    thanks

    marklchaves
    Participant
    Post count: 873

    Hello,

    Thanks for the link. I think you should report this issue to your hosting provider as soon as possible. I believe your site may have contracted some sort of malware.

    Please ask them to view the source on your homepage and then search for “preg_match”. You can also send them a copy of this screen capture from your homepage source code.

    https://www.dropbox.com/s/7nuvi5h6fr8kqqu/dribrahimdogan-com-footer-source.png?dl=0

    Best of luck with this.

    idogan
    Participant
    Post count: 9

    Hi

    I worked 2-3 hours and find out that footer.php of Avada theme has these lines.
    There was redirection to some adult websites
    Quttera plugin helped me to find out which file is more suspicious.
    Than I downloaded original avada theme end replaced footer php
    Than problem looks solved, I hope

    Thank you very much

    marklchaves
    Participant
    Post count: 873

    Excellent news, @idogan! Well done. Thanks for sharing your solution. Good to know about Quttera.

    I’d still report this if you haven’t yet. Other’s on your hosting platform may be affected. Also, when I searched around for this code snippet, nothing really relevant came up. It would be nice for a security expert to analyse and document an official report/warning for others. Just my two cents.

    Best of luck,
    mark

Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.