Title: Malware Injection
Last modified: August 30, 2016

---

# Malware Injection

 *  [rcriche](https://wordpress.org/support/users/rcriche/)
 * (@rcriche)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/malware-injection/)
 * Hi guys,
 * Google is identifying possible malware injection in the code.
 * `<script type='text/javascript' src='http://projetoescoladerock.com.br/wp-content/plugins/portfolio-gallery/js/portfolio-all.js'>`
 * And it has blocked the site. I did not find any visible problem in the file in
   question. Could you check, please?
 * Page portfolio-all.js
 *     ```
       // SET THIS VARIABLE FOR DELAY, 1000 = 1 SECOND
       var delayLength = 4000;
   
       function doMove(panelWidth, tooFar) {
       	var leftValue = jQuery("#mover").css("left");
   
       	// Fix for IE
       	if (leftValue == "auto") { leftValue = 0; };
   
       	var movement = parseFloat(leftValue, 10) - panelWidth;
   
       	if (movement == tooFar) {
       		jQuery(".slide img").animate({
       			"top": -200
       		}, function() {
       			jQuery("#mover").animate({
       				"left": 0
       			}, function() {
       				jQuery(".slide img").animate({
       					"top": 20
       				});
       			});
       		});
       	}
       	else {
       		jQuery(".slide img").animate({
       			"top": -200
       		}, function() {
       			jQuery("#mover").animate({
       				"left": movement
       			}, function() {
       				jQuery(".slide img").animate({
       					"top": 20
       				});
       			});
       		});
       	}
       }
   
       jQuery(function(){
   
           var $slide1 = jQuery("#slide-1");
   
       	var panelWidth = $slide1.css("width");
       	var panelPaddingLeft = $slide1.css("paddingLeft");
       	var panelPaddingRight = $slide1.css("paddingRight");
   
       	panelWidth = parseFloat(panelWidth, 10);
       	panelPaddingLeft = parseFloat(panelPaddingLeft, 10);
       	panelPaddingRight = parseFloat(panelPaddingRight, 10);
   
       	panelWidth = panelWidth + panelPaddingLeft + panelPaddingRight;
   
       	var numPanels = jQuery(".slide").length;
       	var tooFar = -(panelWidth * numPanels);
       	var totalMoverwidth = numPanels * panelWidth;
       	jQuery("#mover").css("width", totalMoverwidth);
   
       	jQuery("#slider").append('<a href="#" id="slider-stopper">Stop</a>');
   
       	sliderIntervalID = setInterval(function(){
       		doMove(panelWidth, tooFar);
       	}, delayLength);
   
       	jQuery("#slider-stopper").click(function(){
       		if (jQuery(this).text() == "Stop") {
       			clearInterval(sliderIntervalID);
       		 	jQuery(this).text("Start");
       		}
       		else {
       			sliderIntervalID = setInterval(function(){
       				doMove(panelWidth, tooFar);
       			}, delayLength);
       		 	jQuery(this).text("Stop");
       		}
   
       	});
   
       });
       ```
   
 * [https://wordpress.org/plugins/portfolio-gallery/](https://wordpress.org/plugins/portfolio-gallery/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [support-huge-it](https://wordpress.org/support/users/support-huge-it/)
 * (@support-huge-it)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598088)
 * Thank you we will check this.
 *  Thread Starter [rcriche](https://wordpress.org/support/users/rcriche/)
 * (@rcriche)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598112)
 * Guys,
 * another file may have a problem too, according to Google: jquery.hugeitmicro.min.js
 *  [hawthorne](https://wordpress.org/support/users/hawthorne/)
 * (@hawthorne)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598290)
 * Is there an update on this?
 *  [Dan](https://wordpress.org/support/users/securitydan/)
 * (@securitydan)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598291)
 * Hi,
 * I used Online CURL to grab the contents of the JavaScript file (portfolio-all.js)
   you mentioned above. The first line of this file includes the malicious obfuscated
   code. The code appears to be related to the recent [VisitorTracker campaign](https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html)
   highlighted by Sucuri. If a browser is vulnerable and successfully goes through
   the infection chain, the re-direction goes to this malicious domain (dgdsgweewtew.cf)
   hosting an exploit kit. Most likely, they targeted a vulnerability in one
   of your plugins.
 * For mitigation, you can try reviewing the timestamps of each webpage to identify
   which pages were modified recently and delete the exploit code. If you can search
   or grep across the server, you may try the keyword “eval(function(p,a,c,k,e,d)”.
   That is the beginning of the exploit code. It is highly likely there is more 
   than one page that is impacted. Make sure to persistently check through all files
   under the website directory, update plugins and change passwords. I have copied
   the CURL output on the pastebin link as well as some helpful material by WordPress
   to move forward and take back your site.
 * [http://pastebin.com/5pe3WCHF](http://pastebin.com/5pe3WCHF)
    [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked)
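
The content search and timestamp review described in the post above, as an added shell example that is not part of the original thread. The function names, the file-type filter and the demo directory tree are assumptions made for illustration; the only value taken from the thread is the search keyword.

```shell
# Added example (not from the thread). Uses only POSIX find/grep/sort.
SIGNATURE='eval(function(p,a,c,k,e,d)'   # keyword quoted in the post

# web_files ROOT [extra find tests...]: script/page files under ROOT.
web_files() (
    root=$1; shift
    find "$root" -type f \( -name '*.js' -o -name '*.php' -o -name '*.htm*' \) "$@"
)

# scan_signature ROOT: prints "LINE<TAB>PATH" for each file containing the
# keyword as a literal string (-F); LINE is the first matching line number.
scan_signature() (
    web_files "$1" -exec grep -lF -e "$SIGNATURE" {} + | sort |
    while IFS= read -r file; do
        line=$(grep -nF -e "$SIGNATURE" "$file" | head -n 1 | cut -d: -f1)
        printf '%s\t%s\n' "$line" "$file"
    done
)

# recent_changes ROOT [DAYS]: files modified within the last DAYS days
# (default 7), for the timestamp review.
recent_changes() (
    web_files "$1" -mtime "-${2:-7}" | sort
)

# build_demo_tree: constructed sample data. One file carries the keyword on
# line 1 (a harmless placeholder, no payload); one clean file is backdated.
build_demo_tree() (
    dir=$(mktemp -d) || exit 1
    mkdir -p "$dir/plugins/gallery/js"
    printf '%s\n' 'eval(function(p,a,c,k,e,d){/* constructed placeholder */})' \
        'var delayLength = 4000;' > "$dir/plugins/gallery/js/infected.js"
    printf '%s\n' 'var delayLength = 4000;' > "$dir/plugins/gallery/js/clean.js"
    touch -t 201501010000 "$dir/plugins/gallery/js/clean.js"
    printf '%s\n' "$dir"
)

# Usage: sh scan.sh /path/to/site [days]
if [ $# -gt 0 ]; then
    echo "Files containing the keyword:"; scan_signature "$1"
    echo "Recently modified files:";      recent_changes "$1" "${2:-7}"
fi
```

A hit on line 1 of an otherwise ordinary plugin file matches the pattern described in the post; an empty result only rules out this one keyword.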
 *  [hawthorne](https://wordpress.org/support/users/hawthorne/)
 * (@hawthorne)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598292)
 * Thanks, Dan!
    I’m not very familiar with these security issues.
 * Is this code which was implemented by the plugin writer?
 * I used the search function of krusader (file manager) to search in the files 
   of my website. The result was negative. However, I’m not sure if the search included
   file content.
    Unfortunately I can’t run grep as there is no root access to the
   server.
 *  [Dan](https://wordpress.org/support/users/securitydan/)
 * (@securitydan)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598293)
 * Hey Hawthorne,
 * The code was most likely injected into the webpages by a malicious party. It 
   was not written by the plugin writer. They will usually find a vulnerability 
   in a plugin and compromise hundreds of sites at once. Krusader has a search function
   that is very similar to grep. If you go to the General tab on KruSearcher at 
   the bottom where it says “Containing text”, you should be able to enter specific
   text in there and it will perform a content search in the directories you specified.
   The CURL output that I received was based on rcriche’s website. It’s very possible
   there could be a different kind of exploit on your site, so you may need to search
   for a different keyword. I would also recommend downloading a reputable WordPress
   security plugin like Sucuri Security or Anti-Malware by ELI that can scan your
   site and flag malicious files.
 * Here are some helpful links:
 * [http://www.krusader.org/documentation/krusearcher.html](http://www.krusader.org/documentation/krusearcher.html)
   
   [Anti-Malware and Brute-Force Security by ELI](https://wordpress.org/plugins/gotmls/)
   [Sucuri Scanner](https://wordpress.org/plugins/sucuri-scanner/)
 * Hope that helps.
 *  Thread Starter [rcriche](https://wordpress.org/support/users/rcriche/)
 * (@rcriche)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598302)
 * Hi Dan,
 * thank you for your post and suggestions…
    I already had another anti-malware;
   I uninstalled it and installed Anti-Malware and Brute-Force by Eli. This plugin showed
   me some files with problems, and two of these files, marked with “Potential Threats”,
   are: …/portfolio-gallery/admin/portfolios_view.php …/portfolio-gallery/elements/jscolor/jscolor.js
 * I deleted all files with Backdoor Scripts and Known Threats ..


The topic ‘Malware Injection’ is closed to new replies.


 * 7 replies
 * 4 participants
 * Last reply from: [rcriche](https://wordpress.org/support/users/rcriche/)
 * Last activity: [10 years, 6 months ago](https://wordpress.org/support/topic/malware-injection/#post-6598302)
 * Status: not resolved