Malware on wp site (2 posts)

  1. tansain
    Posted 3 years ago #

    Hi, I have a WP site http://www.income4independence.com but Google Chrome sometimes gives a malware error and blocks the site, especially when visiting the pages http://www.income4independence.com/vsl1 and http://www.income4independence.com/vsl1-97. I have added the site in Google Webmaster Tools and it is not giving any malware error. I have done a scan on Sucuri http://sitecheck.sucuri.net/results/www.income4independence.com and it is also giving a clean sign, but on Unmask Parasites http://www.UnmaskParasites.com/security-report/?page=www.income4independence.com/vsl1/ it sometimes gives suspicious hidden links and scripts:

    External References

    - http://www.1shoppingcart.com safe? - displaying 1 of 1
    hidden link - http://www.1shoppingcart.com/SecureCart/SecureCart.aspx?mid=697E24FC-7389-47A5-A803-82DE4FFE645F&pid=26f70dbd299a42669e2014efcdf7d3ed&bn=1
    - ajax.googleapis.com safe? - displaying 1 of 1
    <Script> link - http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js?ver=1.3.2
    - s.gravatar.com safe? - displaying 1 of 1
    <Script> link - http://s.gravatar.com/js/gprofiles.js?ver=2012Augaa
    - s0.wp.com safe? - displaying 1 of 1
    <Script> link - http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201235
    - stats.wordpress.com safe? - displaying 1 of 1
    <Script> link - http://stats.wordpress.com/e-201235.js
    - static.ak.fbcdn.net safe? - displaying 1 of 1
    <Script> link - http://static.ak.fbcdn.net/connect.php/js/FB.Share
    Suspicious Inline Scripts

    Obfuscated script
    var playerhost = (("https:" == document.location.protocol) ? "https://regn.s3.amazonaws.com/ezs3js/...
    Long suspicious script
    if(typeof jQuery=='undefined'){var head=document.getElementsByTagName('head')[0];var scr

    I don't know how to fix this? I'm using the Optimize theme and have not found any suspicious obfuscated script in the theme files. If I go for a new installation, how can I use the same theme?

  2. redleg-too
    Posted 3 years ago #

    Unfortunately the page is hacked. There is a block of (somewhat) obfuscated script being inserted into the page. When I check the code being returned by a request for the page, right after this line of code (which is a legitimate line)

    <img src="http:// ad . retargeter . com /seg?add=394782&t=2" width="1" height="1" />

    there is some script being inserted, the script starts with

    <script type='text/javascript'>var fsiwuk= "Eri"
    "hat"+"e" +""+ "s" ;var xzz1bpx3o

    I say somewhat obfuscated because most of the lines are like this

    (""+"src" ,""+"h"+""+""+ "t" +""+"tp"+""+":/"+""+""+ "/w" +

    They have broken up http:// by adding it together with +

    From where it appears in the page it looks like possibly it is in your footer? I suggest you start by checking there. It is also possible the hackers would use some obfuscated PHP code to write the script, using something like

    eval(base64_decode(' then a long string of seemingly random characters.

    You can see the entire block of script as it is appearing in the page here
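
Both patterns described in the reply above, string fragments joined with + inside an inline script and eval(base64_decode( in PHP, can be searched for mechanically. This is an added example, not part of the original thread; the function names, the token list beyond src and http://, and the sample inputs (including example.invalid) are constructed for illustration.

```python
import re

# A quoted JS string literal without escapes, and a chain of them joined by "+".
_LIT = re.compile(r"""(?:"[^"\\]*"|'[^'\\]*')""")
_CHAIN = re.compile(rf"{_LIT.pattern}(?:\s*\+\s*{_LIT.pattern})+")
_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# The thread shows "src" and "http://" being split; iframe/script are assumed extras.
_HIDDEN = re.compile(r"https?:/|src|iframe|script", re.I)
_PHP_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)


def hidden_strings(html, min_pieces=4):
    """Return strings that only become readable after joining a concat chain."""
    found = []
    for body in _SCRIPT.findall(html):
        for chain in _CHAIN.finditer(body):
            pieces = _LIT.findall(chain.group(0))
            joined = "".join(p[1:-1] for p in pieces)  # strip quotes, glue together
            visible = _HIDDEN.search(chain.group(0))   # readable as written?
            if len(pieces) >= min_pieces and _HIDDEN.search(joined) and not visible:
                found.append(joined)
    return found


def php_eval_lines(php_source):
    """Return 1-based line numbers containing eval(base64_decode( in PHP source."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if _PHP_EVAL.search(line)]


# Constructed samples: one ordinary script, one split-up URL, one PHP loader line.
SAMPLE_HTML = '''<p>footer</p>
<script type='text/javascript'>var a = "Hello, " + name + "!";</script>
<script type='text/javascript'>el.setAttribute(""+"src" ,""+"h"+""+""+ "t" +""+"tp"+""+":/"+""+""+ "/w" +"idget.example.invalid/x.js");</script>
'''
SAMPLE_PHP = "<?php\nget_footer();\neval(base64_decode('AAAA'));\n"

if __name__ == "__main__":
    print(hidden_strings(SAMPLE_HTML))
    print(php_eval_lines(SAMPLE_PHP))
```

Run `hidden_strings` on the HTML actually returned for the page and `php_eval_lines` on each theme and plugin file, starting with the footer template; a hit is a lead to inspect by hand, since legitimate code can also concatenate strings.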

