“Known javascript malware: malware.injection?184” — Sucuri SiteCheck Finding Explained

Finding details

Sucuri label	Known javascript malware: malware.injection?184
Malicious domains	gamblersrules[.]com (doorway) · counter.yadro[.]ru (tracking)
Type	Encoded JavaScript injection / SEO cloaking doorway (casino spam)
Common injection points	Active theme functions.php; wp_options rows (wp_custom_filters, wp_custom_range, home_links_custom_*, MD5-named rows)
Detection source	Sucuri SiteCheck (remote scanner)
Severity	Critical
First observed	June 2026

What this finding means

SiteCheck raises malware.injection?184 when it sees a <script src="data:text/javascript;base64,…"> tag served in your page source. The script is the payload itself, base64-encoded so signatures and casual eyeballing miss it. Decoded, the loader does three things: it pings a LiveInternet counter at counter.yadro[.]ru, it removes the visible page body with document.getElementsByTagName('body')[0].remove(), and it writes in a remote script from gamblersrules[.]com (iidoors.js or csnen.js) that paints over the page with casino/gambling content.

The script tag is not stored in your post content. It is printed by a block injected into your active theme’s functions.php, which reads its configuration out of the database. In the cleanup this advisory is based on, the loader assembled its settings from several wp_options rows and only injected the spam when it decided the visitor was worth targeting.

That decision is why most owners are confused. The malware fetches Google’s published crawler IP ranges from gstatic.com/ipranges/goog.txt, caches them, and serves cloaked casino doorways to those ranges while staying quiet for normal visitors and logged-in admins. It also forces an index, follow robots meta and neutralizes Yoast via the wpseo_googlebot and wpseo_bingbot filters. The result: your in-dashboard scanner says “clean,” Google indexes gambling pages on your domain, and you only learn about it from a remote scanner like SiteCheck or a manual rankings drop.

How to identify it on your site

Start at the theme layer. The injector wraps itself in a fixed signature comment, so a single grep across wp-content usually surfaces it (the hash is the marker this variant used):

grep -rn "6c2027dc28bf553116aa7b82ba48a5a8" wp-content/
grep -rn "data:text/javascript;base64" wp-content/themes/

 

Confirm the cloaking behavior in the same file. Legitimate themes do not fetch Google’s IP ranges or disable search-engine output filters:

grep -rn "gstatic.com/ipranges/goog.txt" wp-content/themes/
grep -rEn "wpseo_googlebot|wpseo_bingbot|wpseo_robots" wp-content/themes/

Then go to the database, because removing the code without the options leaves a live payload that simply re-prints once the block is restored. This is the exact query used to locate every malicious row at once — the named options plus any 32-character MD5-style option (the malware keys one option to md5(sha1(your-host))):

SELECT * FROM wp_options
WHERE option_name = 'wp_custom_filters'
OR option_name = 'wp_custom_range'
OR option_name LIKE 'home_links_custom_%'
OR (LENGTH(option_name) = 32 AND option_name REGEXP '^[a-f0-9]+$');

 

Finally, fingerprint the front end. View source as a normal visitor and as Googlebot (e.g. with a crawler user-agent and the URL Inspection live test) and compare. Watch for forced indexing meta, and for fake sitemap routes the malware registers as feeds, such as /?feed=xmlsitemap19 or sitemap19.xml resolving to a list of spam URLs.

 

Related variants and indicators

• Doorway domain & files: gamblersrules[.]com/iidoors.js, gamblersrules[.]com/csnen.js
• Tracking pixel: counter.yadro[.]ru/hit;iidoors
• functions.php signature: /* 6c2027dc28bf553116aa7b82ba48a5a8 */ wrapping the injected block
• Malicious option rows: wp_custom_filters, wp_custom_range, home_links_custom_0–home_links_custom_9, MD5-named rows
• Client behavior: document.getElementsByTagName('body')[0].remove() followed by document.write() of a remote script
• Cloaking source: https://www.gstatic.com/ipranges/goog.txt cached locally for crawler-IP matching
• SEO-filter abuse: wpseo_robots, wpseo_googlebot, wpseo_bingbot forced to __return_false
• Config markers: type=CASINO, language=AU, route=csnen.js, lirucounter=csnen
• Hidden wrappers: offscreen CSS such as position:absolute; left:-5000px or display:none holding gambling text

Removal summary

Keep these tight and do them in order. This is a checklist, not a tutorial — the full walkthrough is linked below.

1. Take a full backup (files and database) before changing anything.
2. Open the active theme’s functions.php and remove the entire block between the two /* 6c2027dc… */ markers; compare against a clean copy of the same theme version.
3. Run the SQL query above and DELETE the malicious rows (wp_custom_filters, wp_custom_range, home_links_custom_*, the MD5-named rows).
4. Find and trash the hidden spam posts published under the fake author IDs, then delete those bogus author accounts.
5. Flush rewrite rules and object cache, then re-scan with SiteCheck and confirm the fake sitemap feeds now return 404.
6. Rotate all credentials and update the theme/plugins, then find and close the entry point — or it returns.

For the complete removal process, including how the payload is reconstructed from the database, see the WordPress database malware guide and the breakdown in decoding JavaScript redirect malware. If you’d rather not touch the database yourself, see the WordPress malware removal service or hire me for a done-for-you cleanup.

When to call for help

If your scanner reports a clean site but Google still shows gambling pages, or the injection reappears after you delete the functions.php code, the database rows or a second backdoor are still live — and cloaking malware is built specifically to survive half-measures. Across 4,500+ site cleanups I’ve traced this exact pattern repeatedly; a similar case is documented in the WordPress cloaking malware removal case study. If you’re stuck, get a professional to verify both the file and database layers and confirm the entry point is closed.

Frequently asked questions

Why does my scanner say my site is clean but it still shows casino spam?

Because this malware cloaks. It serves spam only to Google’s crawler IP ranges and stays quiet for logged-in admins and ordinary visitors, so dashboard plugins see nothing. A remote scanner like Sucuri SiteCheck, or Google’s URL Inspection live test, will reveal the injection your in-site scanner misses.

Is malware.injection?184 a false positive?

Rarely. A genuine false positive looks like a legitimate vendor’s challenge script (for example a Cloudflare bot-management file). The ?184 signature here is a base64 data: URI that removes your page body and loads a third-party doorway — that is not legitimate behavior and should be treated as a real compromise.

Where is the malware.injection?184 code located in WordPress?

The loader lives in your active theme’s functions.php, wrapped in a signature comment. Its configuration and the spam itself sit in wp_options rows and in posts attributed to fake author accounts. You must clean both layers; deleting only the file leaves a payload that regenerates.

How did my WordPress site get this casino doorway malware?

The usual entry points are a nulled or outdated theme or plugin with a known vulnerability, or stolen admin/FTP/hosting credentials. Until that hole is found and closed, re-cleaning is temporary. Audit recently modified files, review user accounts, and rotate every credential after removal.

Will Google remove the gambling pages once I clean the site?

Once the injection is gone and the fake sitemaps 404, request reindexing in Search Console and submit a removal for the spam URLs. De-indexing takes time, so monitor coverage reports for several weeks and confirm no new casino URLs appear, which would indicate the malware survived.

---

Last updated: June 2026 by MD Pabel, WordPress Security Specialist — 4,500+ sites cleaned.