Hidden advertising in functions.php and footer.php
Researched by: Goshko Stanislav
If you noticed that your website has been displaying unauthorized text ads anywhere within its pages such as in the header sections or the area where your social icons are located then, unfortunately, your website has been hacked.
These unauthorized ads may show up on any browser or may be specific to just one, such as Google Chrome. Many codes may even spread malwares as they are usually hidden in JavaScript and iFrame codes.
Hidden codes such as these can affect anyone who visits your website and may even install unwanted toolbars, trackers or malware onto their own computer.
If Google notices your website is doing this then it will block and remove your website from its search results!
In our research we found themes that cause your website to do something you didn’t initially want it to do – advertise and redirect end users back to someone else’s website or even worse spread malware.
The below list is just a small sample of the themes we have uncovered that are not at all what they seem to be and are full of hidden codes the developers don’t want you to know about.
Throughout these themes within the “functions.php” file we discovered various lines of encrypted code. These codes are being used by hackers to hide the actual code from users.
For example, we uncovered the following encoded PHP code:
Simply deleting encrypted codes may not be enough, considering it can have the ability to recover itself and spread elsewhere.
Therefore, to determine what files have been affected we begin by decoding blocks of the PHP code and then we can begin to have a better understanding of what we are dealing with.
Here it is decoded:
After analyzing these two pieces of code it was clear that the code included hidden advertising. Making matters worse the links can redirect your web traffic to sites with worse effects such as spreading malware.
So we wanted to dig further and see what other files we can find that have this ‘unauthorized advertising’ codes – our list of infected themes grew:
The encoded PHP code in hxxps://themes.svn.wordpress.org/tulipbud/1.0/footer.php revealed the following:
And after decoding the PHP code we get:
CONCLUSION
WordPress provides many theme choices ranging from free to paid.
Although the free themes may come inclusive of display advertisements while the paid themes are less likely to have them, yet either version are susceptible to being hacked and display unwanted advertisement and redirect your users to other sites.
Our findings realized that the developers of these codes use a multilayered encryption technique making it extremely difficult to discover and remediate.
Attempting to delete the code base64_decode may not be enough.
So we recommend starting by:
1. Backing up your website before any cleanup action is taken
2. Scan your website to locate the infected files
3. Remove all infected themes + files + plugins
4. Install a default WordPress theme to identify whether the code is still present
This is just a start in your remediation process, although it is very likely that there are some malicious files within your website root, wp-content or even between your WordPress files.
Having malware removal experts investigate and remove the files is highly recommended to ensure a completely clean website.
If your experience such an infection, please feel free to contact us at cWatch Web for a free consultation that will include a complete website scan as well as removal of any found malware.