Getting Google Ads Disapproved with ‘Compromised Site’? This Common WordPress Plugin Could Be One of the Culprits
Keeping a website safe to advertise and to visit is one of the policy requirements website owners must meet when running campaigns with Google Ads. 'Compromise Website' is one of the policy violations that will cause an ad campaign on a website to be disapproved. It essentially means that the website has been hacked or otherwise compromised, making it unsafe for users.
In this post, we explore a malicious code injection on WordPress websites that redirects users to spam websites. Even though this specific malicious code was discovered several months ago, it is still actively in use and can be one of the reasons a website owner's ad campaigns are disapproved.
We have handled cases in which website owners reported Google Ads disapproval for violating the 'Compromise Website' policy, and the cause was the compromise discussed below.
Google Ad Campaigns Disapproved
When an ad campaign is disapproved, most website owners see warnings on their Google Ads dashboard, and usually these warnings carry no detailed information about what content was detected on the website:
In some cases, additional details are provided by Google Ads representatives in their response to the first appeal for a re-review of the policy violation. In this case, they disapproved the ad because of a suspicious URL found on the website:
We were able to confirm that the suspicious URL matched the redirect destination by cross-checking with tools such as WebCheck:
Malicious PHP Code placed inside the WPCode plugin
The WPCode plugin has unfortunately become one of the go-to plugins for attackers carrying out malicious activity on compromised websites, specifically malicious code injection. In most cases, attackers insert malicious JavaScript through a plugin such as WPCode so that it is injected into the website's pages, where it is visible in the page source (view-source).
In this particular case, however, the inserted code was malicious PHP, which is executed server-side and therefore does not appear in the page source, making it harder to trace from outside:
The attackers crafted this PHP injection with three main components so that it operates effectively on compromised websites:
1) The first component hides the WPCode installation from WordPress admin users so that the injection is not discovered, using the code below:
2) The second component adds a backdoor mechanism: a base64-encoded cookie value is used, possibly to change the attacker-controlled domain, and to create a backdoor WordPress administrator account:
3) The ultimate purpose of the injection is to redirect unsuspecting visitors to a malicious URL. The malicious URLs are fetched from the TXT records of dynamically generated subdomains of the attacker-controlled domain, in this case webdmonitor[.]io, and the redirect is carried out through WordPress's wp_redirect() API function:
Imunify360 Insights
Correlated data from our logs shows that this type of infection is still in active use; our scanner detected the malicious code on the following numbers of compromised websites:
- May 2024: 6,100 websites
- June 2024: 6,583 websites
- July 2024: 20,194 websites
- August 2024: 20,967 websites
- September 2024: 23,623 websites
- October 2024: 25,228 websites
- November 2024 (until Nov 14): 19,302 websites
Malicious domains the attackers use for this type of infection:
- webdmonitor[.]io (registered on Oct 7, 2024, and found to be used in October 2024)
- cndatalos[.]com (registered on Aug 19, 2024, and found to be used in October 2024)
- cdn-routing[.]com (registered on Jul 8, 2024, and found to be used from July until October 2024)
- logs-web[.]com (registered on Apr 23, 2024, and found to be used from around May until July 2024)
- airlogs[.]net (registered on Apr 23, 2024, and found to be used in May 2024)
- data-cheklo[.]world (registered on Nov 08, 2024, and currently being used in the wild)
Self-mitigation of this malicious code injection
When remediating this type of infection, the first step is to check whether the WPCode plugin is installed on the WordPress installation. If you are a server administrator with SSH access to the server, you can run commands such as:
find /home/<user>/ -type d -name 'insert-headers-and-footers'
Or, if you suspect the plugin directory has been renamed:
find /home/<user> -type f -name 'ihaf.php'
Or, if you are a website owner, you can check inside the wp-content/plugins directory with your cPanel's File Manager.
Once we have confirmed that WPCode is installed, we can log in to the website's wp-admin dashboard. As mentioned earlier, the first part of the malicious code tries to hide the WPCode plugin from being discovered in the wp-admin dashboard. In that case, the plugin panel can still be opened directly with a URL like the sample below:
https://<infected-website>.com/wp-admin/admin.php?page=wpcode
The malicious code is usually injected as an “Untitled Snippet”. To remediate it, remove this entry, or simply uninstall the plugin from the Plugins page.
Recalling the second part of the malicious code, you should also review the WordPress administrator accounts and remove any unknown administrator accounts, which could serve as a backdoor to re-infect your website.
As post-remediation steps, it is also recommended to reset the passwords of known WordPress accounts and the database credentials in the wp-config.php file, and to make sure that WordPress core, plugins and themes are all up to date to minimize security risks and re-infection.
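As an added triage helper for the procedure above (example code, not Imunify360's or WPCode's own): it locates WPCode installs on disk by the ihaf.php filename, scores a snippet body against the cookie-backdoor, admin-creation, TXT-lookup and redirect behaviours described earlier, and extracts domains for comparison with the list in the Insights section. It assumes the snippet text is pasted from the wp-admin editor or a database export (that WPCode keeps snippets in the database is an assumption here), and the sample snippet and fake web root are constructed.

```python
import os
import re
import tempfile

# Indicators for the second and third components the post describes (the
# plugin-hiding code is not shown on the page, so it is not scored here).
INDICATORS = {
    "cookie_backdoor": re.compile(r"base64_decode\s*\(\s*\$_COOKIE"),
    "admin_creation": re.compile(r"wp_(?:create|insert)_user|set_role\s*\(\s*['\"]administrator"),
    "txt_lookup": re.compile(r"dns_get_record\s*\([^)]*DNS_TXT"),
    "redirect": re.compile(r"wp_redirect\s*\(|header\s*\(\s*['\"]Location"),
}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def find_wpcode_installs(root):
    """Directories under root holding ihaf.php, including renamed plugin copies."""
    return sorted(p for p, _d, files in os.walk(root) if "ihaf.php" in files)

def triage_snippet(php_source):
    """Names of the indicators matching one WPCode snippet body (pasted from
    the wp-admin editor or a wp_posts export, since snippets live in the DB)."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(php_source))

def is_suspicious(php_source):
    """Two or more independent indicators justify removal plus the post-remediation
    steps above (admin account audit, password and database credential resets)."""
    return len(triage_snippet(php_source)) >= 2

def extract_domains(php_source):
    """Domain-like strings, to compare with the attacker domains listed above."""
    return set(DOMAIN_RE.findall(php_source.lower()))

# Constructed test text only: the API names the post describes, not a payload.
SAMPLE_SNIPPET = (
    "<?php /* constructed triage sample */\n"
    "$v = base64_decode($_COOKIE['k']);\n"
    "set_role('administrator');\n"
    "dns_get_record($sub . '.webdmonitor.io', DNS_TXT);\n"
    "wp_redirect($dest);\n"
)
BENIGN_SNIPPET = "<?php add_action('wp_head', function () { echo '<meta name=\"a\">'; });"

def demo_tree():
    """Throwaway fake web root with a normal and a renamed WPCode directory."""
    base = tempfile.mkdtemp()
    for sub in ("insert-headers-and-footers", "renamed-copy"):
        os.makedirs(os.path.join(base, "wp-content", "plugins", sub))
        open(os.path.join(base, "wp-content", "plugins", sub, "ihaf.php"), "w").close()
    return base
```

Run find_wpcode_installs() against the real web root (for example /home/<user>) and feed each suspicious snippet body to triage_snippet(); a single indicator, such as wp_redirect() alone, is common in legitimate snippets and should be reviewed by hand.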
Conclusion
Once the compromise on a website has been remediated and the site is considered safe for users to visit, the Google Ads team reviews the appeal after it has been submitted. If they agree, the ads should then be re-enabled.
The infection discussed in this article accounts for only a small share of the wide variety of reasons Google ads are disapproved, but it is worth discussing because it is still actively used in the wild. It is always recommended to add layers of protection to your server and website to shield you from compromises and from newer, more complex infections.
Websites protected by Imunify360 should be safe from this and similar malicious infections. If needed, our experienced analysts are always available to address your malware or security concerns.