Thread Starter
aages
(@aages)
@clarus-dignus
SELECT post_title FROM wpek_posts WHERE post_title = "404testpage4525d2fdc" resulted in 0.
Better Search & Replace did not find anything − = 0 for all.
Will spend some time to look into:
SELECT post_title FROM wpek_posts
By the way, all error pages that Sucuri is finding are identical.
If I cannot solve these happenings myself or with Support assistance I will most likely close down the site for good, as it is a charity, non-commercial site and the site depends on me and how much of my own resources I can use to keep it up. However, I am very grateful for all the assistance you have given.
-
This reply was modified 3 years, 2 months ago by
aages.
Thread Starter
aages
(@aages)
Finally – I found!!!!
After nearly 7 days of sleepless nights and with a lot, a lot of assistance here I found the script:
“Known javascript malware: malware.injection?100
eval(function(p,a,c,k,e,d…… ( see previous posts for complete file)” – it was added in the footer.php so far down that I did not even check it all when I had a look at it earlier. I found it using search in Kate, opening my backed-up files.
…and now Sucuri is giving a clean “status” and now I will try to make it more secure.
At the end a great experience and a lot of learning – THANKS AGAIN ALL!
-
This reply was modified 3 years, 2 months ago by
aages.
Excellent. Well done finding it.
Periodically check your site with Sucuri over the next few weeks just in case.
Is the “eval(function(p,a,c,k,e,d)” only in the malicious script?? Or can there be legitimate uses of that in my files? I will be able to find sections that include that code, but I don’t want to delete it if it is meant to be there.
Thread Starter
aages
(@aages)
Look at my earlier past link: https://radio-alanya.no/Securi_results.txt
I found the script in the Theme Footer – footer.php.
Check it out but it was far below at the very end of the file – and I deleted it – result – clean and site working like new.
-
This reply was modified 3 years, 2 months ago by
aages.
@carotelfer
eval(function(p,a,c,k,e,d){...})
isn’t necessarily malicious, though it can be. It decompresses compressed and obscured JavaScript.
When you encounter it, copy and paste it here to unpack it and see what it’s doing:
https://matthewfl.com/unPacker.html
If you encounter it in your files or database tables, you could contact the respective theme/plugin author and confirm whether or not it’s supposed to be there. For theme/plugin files, you can just download the files and compare them to your installed files.
@aages
Using the unpacker, I unpacked the JavaScript malware that Sucuri found on your site.
It matches the JavaScript malware addressed in this Sucuri article published this month:
https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-scam-sites.html
The malware is always injected into the active theme’s footer.php file, and contains obfuscated JavaScript after a long series of empty lines, no doubt trying to stay hidden.
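Added example (not part of any post in this thread, and not Sucuri's or any theme's code): a Python sketch that scans theme files for the two traits described above, the packed eval(function(p,a,c,k,e,d) wrapper and content hidden after a long run of empty lines. The 20-line threshold, the function names and the sample footer are assumptions constructed for illustration; a packer hit is a prompt for review against a clean copy of the theme, since the wrapper also has legitimate uses.

```python
import re
import sys
from pathlib import Path

# Signature of the packer wrapper quoted in this thread.
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)")

def scan_text(text, min_blank_run=20):
    """Return (line_number, reason) findings for one file's contents."""
    findings = []
    blank_run = 0
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        # First non-blank line after a long gap: content pushed out of view.
        if blank_run >= min_blank_run:
            findings.append((number, f"content after {blank_run} blank lines"))
        blank_run = 0
        if PACKER_RE.search(line):
            findings.append((number, "packed eval(function(p,a,c,k,e,d) script"))
    return findings

def scan_tree(root, min_blank_run=20):
    """Scan every .php file under root; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_text(text, min_blank_run)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: footer template, 40 empty lines, then a packed stub
# whose body is harmless (it only returns its first argument).
SAMPLE_FOOTER = (
    "<?php wp_footer(); ?>\n</body>\n</html>\n"
    + "\n" * 40
    + "<script>eval(function(p,a,c,k,e,d){return p}('0',1,1,''.split('|'),0,{}))</script>\n"
)

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": scan_text(SAMPLE_FOOTER)}
    for path, hits in report.items():
        for number, reason in hits:
            print(f"{path}:{number}: {reason}")
```

Run it against a downloaded backup of wp-content/themes rather than the live site, and compare any flagged file with the theme author's original.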
Thread Starter
aages
(@aages)
However, I cleaned out my problems by removing this script in my footer.php and nothing else had to be done – the pop-up is gone and the results from Sucuri are clean.
-
This reply was modified 3 years, 2 months ago by
aages.