Malware on wp site

tansain
(@tansain)

11 years, 7 months ago

Hi i have a wp site http://www.income4independence.com but google chrome gives sometime malware error and blocks the site specially visiting the page http://www.income4independence.com/vsl1 and http://www.income4independence.com/vsl1-97 i have added the site in google webmasters tool and it is not giving any malware error, i have done scan on Sucuri http://sitecheck.sucuri.net/results/www.income4independence.com and it is also giving clean sign but on unmask parasite http://www.UnmaskParasites.com/security-report/?page=www.income4independence.com/vsl1/ it gives some time specious hidden links and scrips:

External References

– http://www.1shoppingcart.com safe? – displaying 1 of 1
hidden link – http://www.1shoppingcart.com/SecureCart/SecureCart.aspx?mid=697E24FC-7389-47A5-A803-82DE4FFE645F&pid=26f70dbd299a42669e2014efcdf7d3ed&bn=1
– ajax.googleapis.com safe? – displaying 1 of 1
<Script> link – http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js?ver=1.3.2
– s.gravatar.com safe? – displaying 1 of 1
<Script> link – http://s.gravatar.com/js/gprofiles.js?ver=2012Augaa
– s0.wp.com safe? – displaying 1 of 1
<Script> link – http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201235
– stats.wordpress.com safe? – displaying 1 of 1
<Script> link – http://stats.wordpress.com/e-201235.js
– static.ak.fbcdn.net safe? – displaying 1 of 1
<Script> link – http://static.ak.fbcdn.net/connect.php/js/FB.Share
Suspicious Inline Scripts

Obfuscated script
var playerhost = ((“https:” == document.location.protocol) ? “https://regn.s3.amazonaws.com/ezs3js/…
Long suspicious script
if(typeof jQuery==’undefined’){var head=document.getElementsByTagName(‘head’)[0];var scr

i don’t know how to fix this? im using optimize theme and have not found any suspecious obfuscated script in theme files. if i go for new installation, how can i use the same theme?

Viewing 1 replies (of 1 total)

redleg-too
(@redleg-too)

11 years, 7 months ago

?? Unfortunately the page is hacked. There is a block of (somewhat) obfuscated script being inserted into the page. When I check the code being returned by a request for the page right after this line of code (which is a legitimate line)

<img src=”http:// ad . retargeter . com /seg?add=394782&t=2″ width=”1″ height=”1″ />

there is some script being inserted, the script starts with

<script type=’text/javascript’>var fsiwuk= “Eri”
+””+”da”+””+
“hat”+”e” +””+ “s” ;var xzz1bpx3o

I say somewhat obfuscated because most of the lines are like this

(“”+”src” ,””+”h”+””+””+ “t” +””+”tp”+””+”:/”+””+””+ “/w” +

They have broken up http:// by adding it togeter with +

From where it appears in the page it looks like possibly it is in your footer?? I suggest you start by checking there. It is alos possiblr the hackers would use some obfuscated php code to write the script, use something like

eval(base64_decode(‘ then a long string os seemingly random characters.

You can see the entire block of script as it is appearing in the page here

http://pastebin.com/3dEaGbLn

Viewing 1 replies (of 1 total)

The topic ‘Malware on wp site’ is closed to new replies.

Malware on wp site

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics