
[Resolved] Malware appears when Types is activated

This thread is resolved. Here is a description of the problem and solution.

Problem: When Types is active, I see several malware scripts appear in the network activity on my site, as well as in webpagetest.org tests. The following domains appear in the asset list:
- tags.bluekai.com
- match.adsrvr.org
- aa.agkn.com
- dis.us.criteo.com
- bcp.crwdcntrl.net

Solution: In this case, it appears a Trip Advisor widget was responsible for these requests. The widget only appeared when Types was active, so it seemed as though Types was responsible for the malware.

This support ticket was created 6 years, 8 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.



This topic contains 3 replies, has 2 voices.

Last updated by BD 6 years, 8 months ago.

Assisted by: Christian Cox.

#618991

BD

I have been testing a website on hidden link - and the details page shows the following malware links being requested:

tags.bluekai.com
match.adsrvr.org
aa.agkn.com
dis.us.criteo.com
bcp.crwdcntrl.net

See the results here:
hidden link

If I disable Types, the malware disappears from the results. I have deleted and reinstalled Types (both by uploading and direct installation). I have deleted the entire site and reinstalled it from an earlier version (Duplicator) and then reinstalled Types but they still appear. Have you any advice? Thanks.

#619489

Hi, I'm not able to reproduce this locally when I install the site from your Duplicator clone. Are there any steps I need to take to get these malware scripts to appear in my local clone? If not, I need to be able to see the error taking place. The login credentials you provided do not seem to work for me - can you check the password? If it's okay with you, I will temporarily activate Types so I can see how the scripts are added to the page, then deactivate it again. Most likely there is some content added to a post or custom field that contains the malicious code.

#619953
#620219

It seems to be related to the 4 social widgets at the bottom of the page, added by the includes/socialpanels.php file. I have created a backup of that file, then deleted the contents of the file in your child theme, purged all caches, and rerun the webpagetest.org test:
hidden link

None of the domains you noted can be found now in the waterfall, so it seems that these files are being loaded by one or more of these widgets. Can you confirm? If you need me to replace the original file contents let me know. Feel free to add or remove widget contents from this file as needed during your testing, and be sure to purge caches when you make changes.

#620227

BD

Hi Christian, I can't thank you enough for identifying this for me - it looks like the Tripadvisor widget was causing the problem and not Types... I'm sorry to have pointed you in the wrong direction. Now that I know where the issue is I can sort out the issue. Much appreciated, Nick
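
An added example, not part of the thread or of Toolset's code: rather than disabling plugins and theme files one at a time, the request chain that pulled in each third-party host can be traced back to the page from a HAR capture. It assumes a HAR exported from Chrome DevTools, which records an `_initiator` object per request; `initiator_url`, `attribute_third_party` and the `*.example` hosts are illustrative names.

```python
from urllib.parse import urlsplit

# Constructed HAR fragment, not data from the thread. The *.example hosts are
# placeholders; the two third-party hostnames are from the post, paths are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://site.example/"}, "_initiator": {"type": "other"}},
    {"request": {"url": "https://widget.example/embed.js"},
     "_initiator": {"type": "parser", "url": "https://site.example/", "lineNumber": 412}},
    {"request": {"url": "https://tags.bluekai.com/constructed"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "https://widget.example/embed.js", "lineNumber": 1}]}}},
    {"request": {"url": "https://match.adsrvr.org/constructed"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "", "lineNumber": 0},  # anonymous frame, skipped
         {"url": "https://tags.bluekai.com/constructed", "lineNumber": 3}]}}},
    {"request": {"url": "https://site.example/style.css"},
     "_initiator": {"type": "parser", "url": "https://site.example/", "lineNumber": 20}},
]}}

def initiator_url(entry):
    """Return (url, line) of whatever triggered this request, or (None, None)."""
    init = entry.get("_initiator") or {}
    if init.get("type") == "parser":
        return init.get("url"), init.get("lineNumber")
    stack = init.get("stack")
    while stack:  # async call stacks are chained through "parent"
        for frame in stack.get("callFrames", []):
            if frame.get("url"):
                return frame["url"], frame.get("lineNumber")
        stack = stack.get("parent")
    return None, None

def attribute_third_party(har, first_party_host):
    """Map each third-party host to the request chain leading back to the page."""
    by_url = {e["request"]["url"]: e for e in har["log"]["entries"]}
    report = {}
    for url in by_url:
        host = urlsplit(url).hostname
        if host == first_party_host or host in report:
            continue
        chain, line = [url], None
        while True:
            parent, parent_line = initiator_url(by_url.get(chain[-1], {}))
            if parent is None or parent in chain:  # root reached or loop
                break
            chain.append(parent)
            line = parent_line
        rooted = urlsplit(chain[-1]).hostname == first_party_host
        report[host] = {"chain": chain, "page_line": line if rooted else None}
    return report
```

The second-to-last element of each chain is the resource the page itself included, and `page_line` is the line of the page markup recorded for that include, which is where to look in the theme or widget template.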