How to recognise a script injection

  • insurgenesis
    Member

    @insurgenesis

    Is there a sure-fire way to recognise a script injection on a site that’s on a local server, and remove it?
    Is it even possible to get a script injection on a local site?

Viewing 15 replies - 1 through 15 (of 45 total)
  • Is there a sure-fire way to recognise a script injection on a site that’s on a local server, and remove it?

    Probably not a sure-fire way. If you can duplicate it, you have something to work with. Otherwise you probably need one or more scanners/analyzers.

    http://www.google.com/search?q=scan+script+injection

    Is it even possible to get a script injection on a local site?

    Of course. A local server is still a server, but being local the only danger is from people with access to your local network. You can’t hack a local server without first hacking into the local area network, and presumably you have a router/firewall in the way.

    insurgenesis
    Member

    @insurgenesis

    Yes, there’s a firewall.
    So I think it’s internal not external.
    The situation is that a certain plugin attempts to connect to an outside location. It’s JavaScript related. When I disable JavaScript in the browser it seems it doesn’t do it.
    But when JavaScript is ON, (even when I’ve removed all instances of the code that produces the call) it connects to that location upon page load.

    even when I’ve removed all instances of the code that produces the call

    Then you didn’t remove all of the code.

    If something is intentionally connecting to the outside then it could suck in bad code.

    What is the plugin? Why does it worry you?

    Also, did the code on your local site come from code online? If it did you could have imported an infection.

    insurgenesis
    Member

    @insurgenesis

    It’s the “Tippy” tool-tip plugin because the JavaScript with the URL it pointed to was produced under every instance of the tooltip in my posts and when I disabled JavaScript the behaviour was gone.
    As soon as JavaScript is enabled and the plugin is active the behaviour persists – despite the fact that I’ve removed it under posts using the tool tip.
    I also notice that my kitchen sink has disappeared.
    Where else could the code have been inserted?

    I basically don’t like the idea. It worries me because it looks malicious.
    The url it points to is: http://in.admedia.com/ and it looks suspicious.

    insurgenesis
    Member

    @insurgenesis

    A Google search for the produced code also reveals unwholesome things.

    As soon as JavaScript is enabled and the plugin is active the behaviour persists – despite the fact that I’ve removed it under posts using the tool tip.

    It is probably inserting its JavaScript on every page in case it happens to be needed. Just guessing.

    It sounds like the plugin is either malicious, very badly coded, or you have a hacked copy of it. I don’t really see any complaints about the plugin. That is a plus, and assuming this is the plugin, I also don’t see anything squirrelly in the code. So I’m thinking there is something wrong with your copy. Have you tried using a fresh copy?

    insurgenesis
    Member

    @insurgenesis

    I’m downloading it now.
    Would it help if I post the JavaScript associated with the problem here?

    insurgenesis
    Member

    @insurgenesis

    I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.
    Would it be visibly “hacked” or should I just replace its files with mine and not attempt to look for anything funny?

    I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.

    If the problem persists with the clean copy then the plugin isn’t the problem.

    Yes, it would be visibly hacked – probably some eval code.

    You never responded to this:

    Also, did the code on your local site come from code online? If it did you could have imported an infection.
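The check discussed in the replies above (compare the installed plugin against a fresh copy, then look for "eval code"), as an added example that is not part of the original thread. The directory layout, the sample files and the marker patterns are assumptions constructed for illustration; a pattern hit only marks a line for manual review.

```python
import re, tempfile
from pathlib import Path

# Heuristic markers common in injected PHP/JS; every hit needs manual review.
SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    r"document\.write\s*\(\s*unescape|String\.fromCharCode", re.IGNORECASE)

def file_map(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare_trees(installed, fresh):
    """Diff an installed plugin directory against a freshly downloaded copy."""
    inst, ref = file_map(installed), file_map(fresh)
    return {
        "modified": sorted(f for f in inst.keys() & ref.keys()
                           if inst[f].read_bytes() != ref[f].read_bytes()),
        "added": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }

def suspicious_lines(root):
    """Return (file, line number, text) for each line matching SUSPICIOUS."""
    hits = []
    for rel, path in sorted(file_map(root).items()):
        if path.suffix.lower() in {".php", ".js", ".html", ".htm"}:
            for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if SUSPICIOUS.search(line):
                    hits.append((rel, n, line.strip()[:120]))
    return hits

def build_demo(base):
    """Constructed sample: a clean plugin copy and a tampered installed copy."""
    fresh, inst = Path(base, "fresh"), Path(base, "installed")
    php = "<?php\nfunction demo_tip() { return 'tip'; }\n"
    for d in (fresh, inst):
        (d / "js").mkdir(parents=True)
        (d / "plugin.php").write_text(php)
        (d / "js/tip.js").write_text("function showTip(e) { e.hidden = false; }\n")
    # Constructed tampering: an appended obfuscated loader and an extra file.
    (inst / "plugin.php").write_text(php + "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    (inst / "js/extra.js").write_text("document.write(unescape('%3Cp%3E'));\n")
    return inst, fresh

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        inst, fresh = build_demo(tmp)
        print(compare_trees(inst, fresh), suspicious_lines(inst))
```

A clean diff against the fresh copy points away from the plugin files, which matches the advice that a problem persisting with the clean copy lies elsewhere.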

    insurgenesis
    Member

    @insurgenesis

    What do you mean:

    did the code on your local site come from code online?

    How do I confirm this?
    All I know is it points to a url from which it draws information and sends to.
    I don’t remember authorising it and it looks suspicious.

    insurgenesis
    Member

    @insurgenesis

    Any more ideas on this?

    Has the code that you are running on your local server ever been online? Any of the code? Your theme? Some plugins? The whole thing? Did you download an existing site from a publicly accessible server and install it on your local server?

    Or… did you install to your local server from fresh, clean files?

    insurgenesis
    Member

    @insurgenesis

    No, the site was local forever.

    Ok. That is strange.

    What other plugins do you have and what theme?

    insurgenesis
    Member

    @insurgenesis

    Using a twenty-eleven child theme.
    Plugins:
    BackWPup
    Post Types Order
    WP Gallery custom links
    WP Photo album Plus

    Don’t you think we could demystify the code if I post it here?

  • The topic ‘How to recognise a script injection’ is closed to new replies.