arrow_back Unwanted ads on wordpress site?

Question

Hi all, in General, faced with this problem appears from time to time advertising on a site running wordpress.


browsing the source code I see this :

<div id="mbnr4web" style="z-index: 1000001; transform: translateY(-150px); position: absolute; top: 0px; left: 0px; right: -17px;">
<div id="fbqsr-wrapper" data-type="header" class="fbqsr-mobile" style="z-index: 1000001; height: 150px;">
<div id="fbqsr-popup" class="fbqsr-popup-steady fbqsr-popup-ready">
<div class="mbnr4web">
<div id="fbqsr-button">
<div class="mbnr4web__image-container">
<div class="mbnr4web__image" id="fbqsr-image" style="width: 1200px; background-image: url(&quot;https://tpc.googlesyndication.com/pagead/imgad?id=CICAgKC7iozrBxABGAEyCHAbWsf2bvlL&quot;);">
</div></div></div>
<div id="fbqsr-popup-close" class="mbnr4web__close">
</div></div></div></div></div>

поиск в файле wp-login.php результата не принес


но нашел еще такой код в начале документа :

<!DOCTYPE html>
	<!--[if IE 8]>
		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="ru-RU">
	<![endif]-->
	<!--[if !(IE 8) ]><!-->
		<html xmlns="http://www.w3.org/1999/xhtml" lang="ru-RU">
	<!--<![endif]-->

при удалении которого реклама появляется чаще , а где-то через пол часа код появляется снова.


Подскажите может кто сталкивался с такой проблемой и поиск в интернете не к чему не привел.

при поиске упоминаний о сайте www.w3.org в корне своего сайта из 46000 файлов нашел в 1000 файлах

Comments

not really , the taste and color of comrades there)

---

Managed to solve the problem? I have the same thing on all sites on joomla 1.5/2.5/3. Hosting nic.ru.
Does not appear regularly, like twice one ip is not shown. Tried with different computers, with different browsers.

---

Nice

Answer 1

this part of the code

<div id="mbnr4web" style="z-index: 1000001; transform: translateY(-150px); position: absolute; top: 0px; left: 0px; right: -17px;">
<div id="fbqsr-wrapper" data-type="header" class="fbqsr-mobile" style="z-index: 1000001; height: 150px;">
<div id="fbqsr-popup" class="fbqsr-popup-steady fbqsr-popup-ready">
<div class="mbnr4web">
<div id="fbqsr-button">
<div class="mbnr4web__image-container">
<div class="mbnr4web__image" id="fbqsr-image" style="width: 1200px; background-image: url(&quot;https://tpc.googlesyndication.com/pagead/imgad?id=CICAgKC7iozrBxABGAEyCHAbWsf2bvlL&quot;);">
</div></div></div>
<div id="fbqsr-popup-close" class="mbnr4web__close">
</div></div></div></div></div>

появляется не всегда отключая плагины и т.п. не могу определить исчез ли код окончательно или нет

и да реклама появляется позже, но из-за не постоянного появления рекламы проследить процесс загрузки скриптов сложнова-то.

и еще искал фрагмент по словосочетаниям fbqsr-popup; mbnr4web и т.д в файлах через notepad++ ,но результата ни какого.

______________________________________________________________________________________________

В общем всем спасибо решением проблемы послужила следующая концепция действий: Переключил сайт на незащищенное соединение, тем самым реклама появилась опять. Через отладчик удалось отследить js ведущий на сайт redhelper.ru

<!-- RedConnect -->
<script id="rhlpscrtg" type="text/javascript" charset="utf-8" async="async"
src="https://web.redhelper.ru/service/main.js?c=blablabla"></script>
<div style="display: none"><a class="rc-copyright" 
href="http://redconnect.ru">Сервис звонка с сайта RedConnect</a></div>
<!--/RedConnect -->

Который я же и сам ставил для обратной связи.
Он же походу создает кучу ненужных каталогов с со своими скриптами, пока не знаю выгружаю бекап)
______________________________________________________________________________________________
Нет, каталогов не обнаружил , судя по всему все подгружает со своих источников

Answer 2

Today, I wrote to tech support Rostelecom, created the application. Called back from tech support and confirmed that now Rostelecom and other providers inserts ad units to the http Protocol and disable this feature for a specific subscriber can not. Said that they recently learned about this as there are many similar complaints.

Comments

While I and several clients is turned off!

Answer 3

A similar problem, I have the same Rostelecom, but I sin on Google Chrome as in other browsers, the ads won't show.


Somebody knew how to solve the problem?

Comments

After long correspondences with Rostelecom and presentation of evidence, the problem went away. Banners not 2 days.

---

Here is the solution from Kaspersky:
The behavior of the scripts from the resource p.analytic.host is recognized as an Adware (+ loadable banners from ssp.analytic.host). What is Adware: https://www.kaspersky.ru/resource-center/threats/adware
THEREFORE, Kaspersky said RESOURCES have BEEN ADDED TO the DATABASE AS an ADWARE.

Please enable the antivirus settings option: settings --> Advanced --> Threats and exclusions --> install marker opposite point "to Find other programs that can be used to harm the computer or personal data" https://support.kaspersky.ru/13639 .

---

I 100% definitely figured out that the problem is not in sites. Antivirus company Revizium checked the websites and did an expert opinion. SITES CLEAN!!! For (webga webga ). I understand the browser can be one kind. I have this infection is seen in all except Google Chrome. Foreign experts point to Google AdWords. But damn Internet from other providers, nothing climbs!!! ROSTELECOM SILENT IGNORE.

---

Read the comments, call Rostelecom.

Answer 4

Now available painted two months ago on this issue:
https://vk.com/x733337x?w=wall13108281_8116

Answer 5

The problem is. div id="mbnr4web" stupid is embedded before /body. Internet via Tele2, an ancient browser Chrome, Ubuntu system! The website in-house, but with a built-in bootsrap and Fontana CDN's. Oh, can I still check good.

Answer 6

The issue has been resolved in my case. Discovered the chain, which causes the appearance of ads with id="mbnr4web", resources, pictures and content: mobilebanner.ru news.truth.delivery.
The script loads the beloved bootstrap.min.js that loads the script p.mobilebanner.ru/ad/base.js and off we go to ship shit.
Check your templates, if there is this script, try to throw it out and see if the problem is gone.

Comments

correction! viral content turned out to be embedded in a particular script, and embedded it Megano! there are more nuances disassembled https://kirkizh.ru/2017/07/megafno-2/

Answer 7

Same garbage. At work off the Internet, came home to work (and at home Rostelecom). And away we go. Iron 100% pure, trouble is clearly on the side of Rostelecom.

Comments

Here is the solution from Kaspersky:
The behavior of the scripts from the resource p.analytic.host is recognized as an Adware (+ loadable banners from ssp.analytic.host). What is Adware: https://www.kaspersky.ru/resource-center/threats/adware
THEREFORE, Kaspersky said RESOURCES have BEEN ADDED TO the DATABASE AS an ADWARE.

Please enable the antivirus settings option: settings --> Advanced --> Threats and exclusions --> install marker opposite point "to Find other programs that can be used to harm the computer or personal data" https://support.kaspersky.ru/13639 .

Answer 8

Hello! Decided anyone this problem? I want to inform you that this problem not only on WP but also on all the CMS, I have the same pain in the three sites of Joomla. Emerges periodically, especially after cleaning the browser cache. Interestingly earlier in the mainframe climbs anything, is out exclusively on the smartphone and only on the Yandex browser when using WI-FI network. Thought smart infected, reset all to factory settings, didn't help. The next thought that the router is infected, because if you disable wifi and use mobile Internet, nothing is popping up. Dropped the router to factory settings, reprogrammed, reconfigured and what do you think the effect is zero, all popping up. Tried via wifi at work via another ISP and lo and behold!!! Nothing and no ads or banners. Silence and tranquility. 100% computer, smartphone and websites is clean, tested 5 antivirus. The conclusion is this: the Is and all this stuff is not manifested through the network of other providers, as well it is not and when using the mobile Internet. Emerges only through the network provider ROSTELECOM. I absolutely agree with the conclusions givi_san. Think the network of Rostelecom that is not so!!! What I safely, they reported, waiting for a response for 5 day. Anyone have any thoughts? Share.
------------------------------------------------------------------------------
I 100% definitely figured out that the problem is not in sites. Antivirus company Revizium checked the websites and did an expert opinion. SITES CLEAN!!! For (webga webga ). I understand the browser can be one kind. I have this infection is seen in all except Google Chrome. Foreign experts point to Google AdWords. But damn Internet from other providers, nothing climbs!!! Rostelecom is silent not responding.
I did a log analysis and website found a suspicious IP, and did a ban via htaccess. Now I have the pictures disappeared and the place under the banner and the code is still loaded from the outside.



Hello!!! After long correspondences with Rostelecom and presentation of evidence, the problem went away. Banners not 2 days. But Rostelecom does not recognize the problem, but the fact is, after correspondence banners no 2 days no computers no mobile. The evidence provided including from this website. Convinced that the problem is global. Thank you all!!! Especially givi_san givi_san for the right tip!!!

Comments

Rostelecom, Krasnoyarsk, appear exactly the same banners from the top of the website NVIDIA, banks,pharmacy, etc in a circle one and same, code is the same as what I wrote above, there is always at different times in the morning, afternoon and evening, not long and disappears. Tested on two computers each in three different browsers Opera,chrome,Yandex browser, of antivirus KIS 2019, computers are pure 100%. When it starts you can try to go to any sites where the http Protocol is all about this is from the top, https everything is fine no advertising. If shipping a website for example via proxies - vpn, there will be no ads. It is logical to conclude that this provider is Rostelecom, this garbage is engaged in replacing, inserting the html code and gives your modified user.

---

Have the same problem. Provider Rostelecom. I noticed that my ads appear only in adminco sites. Basically Bitrix. Can the people behind this is to collect passwords ?

---

After long correspondences with Rostelecom and presentation of evidence, the problem went away. Banners not 2 days.

---

I, too, at Rostelecom this infection. Now it was gone, probably cleaned at home. But if that topic bookmarked and will poke his nose.

---

Me with Rostelecom 3 times came to confirm that the problem they have. In the end, I came with my new modem and the laptop, stuck the fiber and banners climb! At the end of the regional office check your switch and server to be infected. In General the problem they decided, no more banners. So Dolby Rostelecom. You can tell them that in Irkutsk with this problem managed, they can call in Irkutsk and ask how.

Answer 9

It

<!DOCTYPE html>
  <!--[if IE 8]>
    <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="ru-RU">
  <![endif]-->
  <!--[if !(IE 8) ]><!-->
    <html xmlns="http://www.w3.org/1999/xhtml" lang="ru-RU">
  <!--<![endif]-->

Вообще мимо кассы. Безобидный код.

Если рекламу вставляет не ваш хостинг, тогда Для начала отключите плагины: проверьте. Если осталось — поменяйте тему. Осталось — переустановите ВП.
Так вы сможете определить что именно вызывает проблему.

Если тема ваша, кастомная, тогда ищите в файлах темы.

Определив что вызывает проблему начните с поисков механизма.

Если беда с плагином — переустановите его. Если проблема осталась — свяжитесь с разработчиком и временно отключите. Если проблема с темой — действия аналогичные.

Вредоносный код приходит с сервера? Если так, ищите любые хуки которые вызываются в этом месте. Реклама появляется позже? Посмотрите в отладчике какие скрипты у вас загружаются. Что их вызывает. Поищите и попробуйте отключить их.

Не забудьте сбросить все пароли пользователя WP, базы данных и FTP

Comments

Here is the solution from Kaspersky:
The behavior of the scripts from the resource p.analytic.host is recognized as an Adware (+ loadable banners from ssp.analytic.host). What is Adware: https://www.kaspersky.ru/resource-center/threats/adware
THEREFORE, Kaspersky said RESOURCES have BEEN ADDED TO the DATABASE AS an ADWARE.

Please enable the antivirus settings option: settings --> Advanced --> Threats and exclusions --> install marker opposite point "to Find other programs that can be used to harm the computer or personal data" https://support.kaspersky.ru/13639 .

Answer 10

Next version of WP has not been upgraded/leaky WP pluginsWordPress was the CMS break open in 2018

Updated
I propose to put to the directories and files WP code to set permissions to read-only.

Comments

foxtai , updated my answer above.

---

advertising appears most often when you come to the phone, opens as a popunder, but then a couple of days ago managed to catch at the entrance to the admin PC

---

It is just not in WordPress, I have this virus on the website under the control of OcStore (Opencart) and unlike the author redhelper is not installed. So I doubt that the author of the case of callback service. The problem is deeper, while I, the solution is not found.

---

he was doing 3 years ago , hosting hostia

---

foxtai and install WP on hosting who does?

---

this is not the solution to all updated