Your site loaded for me. I loaded it a few times. However, it seems you’ve disabled the right-click so I couldn’t view the source easily.
Does this happen in multiple browsers?
Oh sorry, I have enable the right click, I forgot it was disabled. Now you can use it. Yes It happens in several browsers, most of the times in mobile devices. First time I realised there was a problem was from an Iphone but when I accessed from the computer everything looked right.
But then one day, testing the speed with pingdom I see in the cascade that there is a jquery.js loaded from wp1a.org that redirects my site to financetimes.co. Even in the screenshot taken when I did the test you can see it’s not my page: http://tools.pingdom.com/fpt/#!/baYVeA/http://jleal.eu (done November 30 at 15:35:54)
I use the inspector mode and sometimes it’s not loaded in the home page, sometimes it’s in some post, it changes. But if I refresh sevral times I can see: 200 GET from wp1a.org and there it is 🙁
I’ve discovered this same issue when trying to convert a site from http to https, I kept finding one unsecure call for the same resource, http://www.wp1a.org/jquery.js. Which, when you load that file, it’s blank.
This resource call seems to shows up randomly. Some pages have it, some don’t. I’ve scanned the entire site looking for where it’s at, and not found it anywhere.
Hi, I’ve solved the problem. The files inffected were related to wpml pluggin
We don’t have that WPML plugin on the site. Did you find the infection encoded in Base64 or? Any details you can share? I’ve scanned the entire site for all variations of encoding, base64, file date changes, etc. Can’t find anything yet.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Clearing up a hacked website is not an easy task that can be resolved by deactivating plugins. Remember not to just focus on the symptom of the hack.
Esmi posted so many useful resources.
