• Ben

    (@blawjungchicago)


    Hi, as part of the recent compromise I received a message that included this:

    “It may also have added an obfuscated script to the functions.php file of your themes with the function name “add_footer_script”. This has not been removed automatically and will require manual removal.”

    What are next steps regarding this part? Just want to make sure I’ve done everything I’m supposed to.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You’ll need to manually check the functions.php file in the theme (usually under wp-content/themes/yourtheme/functions.php) and remove the suspicious code, such as with a file manager in the hosting control panel or by using FTP.

    The injected code will look like this at the top of the functions.php file:

    if (!function_exists('add_footer_script')) {
        function add_footer_script() {
            update_option('my_admin_init_function_run', 'yes');
            echo '<script>eval(......);</script>';
        }
        $has_run = get_option('my_admin_init_function_run');
        if ($has_run !== 'yes') {
            add_action('wp_footer', 'add_footer_script');
        }
    }

    Looks like it adds the script to any file in the theme that has functions in the filename. I’d recommend restoring a backup of the themes folder or searching the folder for “my_admin_init_function_run” to remove that code.
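
The folder search suggested above, as an added example that is not part of the original posts: a read-only Python scan that reports every line in a themes folder containing either string from the quoted snippet, so each hit can be removed by hand. The names `scan_themes` and `build_sample_tree` and the sample theme tree are constructed for illustration; the scan covers all .php files, which is broader than only files with "functions" in the name.

```python
import os
import tempfile

# Strings taken from the injected snippet quoted in the thread.
MARKERS = ("add_footer_script", "my_admin_init_function_run")

def scan_themes(themes_dir):
    """Return sorted (relative_path, line_number, marker) hits for every .php file."""
    hits = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            try:
                # errors="replace" keeps the scan going on files with odd encodings
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for number, line in enumerate(fh, 1):
                        for marker in MARKERS:
                            if marker in line:
                                hits.append((os.path.relpath(path, themes_dir), number, marker))
            except OSError as exc:
                print(f"skipped {path}: {exc}")
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample data: one clean theme and one carrying the markers."""
    infected = (
        "<?php\n"
        "if (!function_exists('add_footer_script')) {\n"
        "function add_footer_script() {\n"
        "update_option('my_admin_init_function_run', 'yes');\n"
        "}\n"
        "}\n"
    )
    samples = {
        "clean-theme/functions.php": "<?php\nadd_theme_support('title-tag');\n",
        "old-theme/functions.php": infected,
        "old-theme/inc/template-functions.php": infected,
        "old-theme/style.css": "/* add_footer_script in a non-PHP file is ignored */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, number, marker in scan_themes(tmp):
            print(f"{rel}:{number}: {marker}")
```

To check a real site, call `scan_themes` with the path to its wp-content/themes folder; an empty result means neither string was found in any .php file there.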

    Thread Starter Ben

    (@blawjungchicago)

    Thanks, I reinstalled a clean version of the theme and deleted all other themes. Should that cover it?
