Malware Redirection code
-
A customer of mines wordpress site has been hacked with redirect code being instered on the home page which redirects users to spam sites. When viewing the page with developer tools i have managed to locate the code thats being inserted , however iam struggling to work out where this code is being pulled from so i can remove it. Im not sure if its a javascript or php file however searching for that snippet of code in all the wordpress files is not producing any search results.
Below is a portion of the page source which includes the malware redirct code which starts at the
<div class="container-wrap"> code: <div id="mobile-menu"> <div class="container"> <ul> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home current-menu-item page_item page-item-5 current_page_item menu-item-112"><a href="https://dummywebsite.com/">HOME</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-111"><a href="https://dummywebsite.com/store/">OUR STORE</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-110"><a href="https://dummywebsite.com/specials/">SPECIALS</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-19"><a href="https://dummywebsite.com/contact/">CONTACT</a></li> <li id="mobile-search"> <form action="https://dummywebsite.com" method="GET"> <input type="text" name="s" value="" placeholder="Search.." /> </form> </li> </ul> </div> </div> <strong><div class="container-wrap"> <div class="container main-content"> <div class="row"> <p><meta http-equiv="refresh" content="0; URL=https://wirej4dsmwjx.gyumriserverns.info"> </p> </div><!--/row--> </div><!--/container--> </div></strong> <hr /> <div id="footer" role="contentinfo"> <!-- If you'd like to support WordPress, having the "powered by" link somewhere on your blog is the best way; it's our only promotion or advertising. --> <p> is proudly powered by <a href="https://www.ads-software.com/">WordPress</a> </p> </div> </div> <!-- Gorgeous design by Michael Heilemann - https://binarybonsai.com/ --> <script type='text/javascript' src='https://dummywebsite.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9' id='regenerator-runtime-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script> <script type='text/javascript' id='contact-form-7-js-extra'> /* <![CDATA[ */ var wpcf7 = {"api":{"root":"https:\/\/suelawlerinteriors.com.au\/wp-json\/","namespace":"contact-form-7\/v1"}}; /* ]]> */ </script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6.1' id='contact-form-7-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/superfish.js?ver=1.4.8' id='superfish-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-includes/js/imagesloaded.min.js?ver=4.1.4' id='imagesloaded-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/easing.js?ver=1.3' id='easing-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/respond.js?ver=1.1' id='respond-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/swipe.min.js?ver=1.6' id='touchSwipe-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/nicescroll.js?ver=3.1' id='nicescroll-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/sticky.js?ver=1.0' id='sticky-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/prettyPhoto.js?ver=3.1.5' id='prettyPhoto-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/flexslider.min.js?ver=2.1' id='flexslider-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/isotope.min.js?ver=1.5.25' id='isotope-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/carouFredSel.min.js?ver=6.2' id='carouFredSel-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/appear.js?ver=1.0' id='appear-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/orbit.js?ver=1.4' id='orbit-js'></script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/js/init.js?ver=1.0' id='nectarFrontend-js'></script> <script type='text/javascript' id='nectar-love-js-extra'> /* <![CDATA[ */ var nectarLove = {"ajaxurl":"https:\/\/dummywebsite.com\/wp-admin\/admin-ajax.php"}; /* ]]> */ </script> <script type='text/javascript' src='https://dummywebsite.com/wp-content/themes/salient/nectar/love/js/nectar-love.js?ver=1.0' id='nectar-love-js'></script> </body> </html>
Viewing 2 replies - 1 through 2 (of 2 total)
-
It probably is encoded and you probably need to search for
base64_decodeHowever to clean a hack website is not as easy as finding some code and often there can be many backdoors etc.
Have read of this advice https://www.ads-software.com/support/article/faq-my-site-was-hacked/
Viewing 2 replies - 1 through 2 (of 2 total)
- The topic ‘Malware Redirection code’ is closed to new replies.