weird text on every page

  • Hi,

    I recently updated the core installation and all plug-ins. Now on every page is a single quote followed by a period ( ‘. ).
    I have looked in each php file’s code for an extra end-quote, as I believe it to be a closing string quote and plus operator. I have found nothing. I suppose it could also be from javascript.

    I see it in the rendered source of each page (see screenshot here: https://creativechristianimagery.com/quotedotvsc.png )
    Here is what visitor sees: ( https://creativechristianimagery.com/quotedotpage.png )

    Based on the screenshots above, can anyone tell me where this sucker is hiding out so i can delete it?

    Much thanks,

    Jennifer

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Disable all plugins and change the theme to twentysixteen. Is the problem gone?

    If so, turn things back on one at a time (start with the theme) until you find what’s causing this.

    Thread Starter madjenja

    (@madjenja)

    It appears to be linked to the theme.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Your theme seems to come from here:

    https://www.wpexplorer.com/

    I didn’t find a support link there, though, so you may want to start digging through the theme, starting with functions.php.

    Thread Starter madjenja

    (@madjenja)

    I found it in the theme folder’s footer.php file.

    $raw = base64_decode($encoded);
    $res = ”;
    for ($i = 0; $i < strlen($raw); $i++) {
    $res .= chr(ord($raw[$i]) ^ ord(‘x’));
    }

    I know this is a trick used by exploits. I removed it (and the loooong encoded variable that came before it, and the ‘. is gone.

    I’m a bit troubled as to why wordpress.com’s premium security scanner didn’t catch this.

    Moderator James Huff

    (@macmanx)

    It’s not *always* a trick used by exploits, it’s just a way to encode data. Because it’s a simple encoding method, it’s often used by exploits, but there are legitimate uses too.

    Regardless though, I recommend contacting the folks at VaultPress (the ones who run the security scanner for the Jetpack Premium plan via WordPress.com) just to get their take on it: https://vaultpress.com/contact/

    To clear up any confusion, WordPress.com and www.ads-software.com are two different entities: https://codex.www.ads-software.com/WordPress_vs_WordPress.com

    Thread Starter madjenja

    (@madjenja)

    I’m guessing it is part of the exploit because:

    1. it placed a single quote and dot on every page of my site.

    2. this particular piece of suspected code was not present one month ago.

    Moderator James Huff

    (@macmanx)

    Possibly, please definitely report it to the people at VaultPress at least. ??

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘weird text on every page’ is closed to new replies.