I'm breaking my head for 2 days with this one, and would appreciate some extra thoughts.
These links are found in wp-content/cache/wp-rocket .html files only, while they are not present on the actual real-time pages.
I have tried searching in all files various strings: -9999, thewpclub, sorry_function. I searched through the database, but could not find anything at all.
WordFence & Sucuri are not finding any weird script within the files.
This was the closest problem someone had:
Malicious text appears in all pages and posts. How do I get rid of it?
<a href="https://www.thewpclub.net">Premium WordPress Themes Download</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.themeslide.com">Download WordPress Themes Free</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.script-stack.com">Download WordPress Themes</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.thememazing.com">Premium WordPress Themes Download</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.onlinefreecourse.net">free download udemy paid course</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.frendx.com/firmware/">download xiomi firmware</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://www.themebanks.com">Download WordPress Themes Free</a></div><div style="position:absolute; top:0; left:-9999px;"><a href="https://downloadtutorials.net">udemy free download</a></div></div></div></div>
Alright, I managed to solve it.
I know that "one size fits all" is not the case with malware. I asked for extra thoughts as someone might have a hint how to approach it as I'm well informed and capable of dealing with these situations through the years.
After numerous failed attempts to search various strings, trying to encode few words in hex and search those, searching through plugins etc. i inspected the cached .html
file and noticed that these links were hidden under WooCommerce delivery-info
div.
I then searched delivery-info string through all the WP files & I got around 50 hits. I found a suspicious line that one of the developers added, which was calling delivery-info
div together with $content
string.
I then searched $content
string through all the plugins with numerous hits. After searching for a while I finally found the script that was causing it. It was hidden in WPBakery - js-composer/include/inc.php file which should not have existed. One of the lines from the file:
$abc1 = '' . $divclass . '<a href="'.sanitize_context_zero("aHR0cHM6Ly93d3cudGhld3BjbHViLm5ldA==").'">' . $array[array_rand($array) ] . '</a></div>';
I deleted that file & then searched inc.php
with a hit in js-composer.php
calling for it.