Google informed me that my WordPress site contained a Malicious script in the template (google found it on a custom error page).
After some digging I finally was able to get a page to trigger my WebShield so that i could inspect the HTML.
The following script was pressent in the header.
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
Now that I could see the script I was able to determine the line of HTML code in the header file that was generating/returning the script to be discplayed....
To my suprise the line was:
<?php wp_head(); ?>
before and after this line are links to stylesheets which also appear before and after the offending Jscript code in the error page...
My question is simple... though the answer may be complex.
How can i find the source of the offending code?
I've run Scanner_2.6.php whihc returns a list of all files in the WP directory with Base64_Decode, Eval, Longtext, EMBED or IFRAME.
There does not appear to be anything out of place.
I have now also updated the WP install to the latest version and replaced all WP files.. so it is possible that I have overridden the source... only a new virus warning will reveal the truth.
Any help finding the script generating the offending code would be very helpful.