• Google informed me that my WordPress site contained a malicious script in the template (Google found it on a custom error page).

    After some digging I finally was able to get a page to trigger my WebShield so that I could inspect the HTML.

    The following script was present in the header.

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Now that I could see the script I was able to determine the line of HTML code in the header file that was generating/returning the script to be displayed…

    To my surprise the line was:

    <?php wp_head(); ?>

    Before and after this line are links to stylesheets, which also appear before and after the offending JavaScript code in the error page…

    However, to make things more interesting, the JavaScript appears only SOMETIMES… usually on the first visit to the website… then it does not reappear for some time. Cleaning temporary internet files and cookies has no impact.

    My question is simple… though the answer may be complex.

    How can I find the source of the offending code?

    I’ve run Scanner_2.6.php, which returns a list of all files in the WP directory containing Base64_Decode, Eval, Longtext, EMBED or IFRAME.

    There does not appear to be anything out of place.

    I have now also updated the WP install to the latest version and replaced all WP files… so it is possible that I have overwritten the source… only a new virus warning will reveal the truth.

    Any help finding the script generating the offending code would be very helpful.

Viewing 4 replies - 16 through 19 (of 19 total)
  • Hmm. We just updated to 3.3.2 on May 2nd. And the malware isn’t in the code before the update. I don’t know how/when it got in there. But it produces almost the same JS as yours:

    https://pastebin.com/574ym0sC

    it also appears to add a cookie named “lonly”

    Thread Starter ScreenName

    (@screenname)

    I would suggest the vulnerability in the server or WP is still present in the latest version, allowing the hacker access. I upgraded AFTER notice of the virus (May 30).

    I run 5 websites. I did not upgrade them all… instead I upgraded only 1, then resubmitted them all to Google for a health review.

    Within hours all sites were listed as “clean”… but within 48 hours I had a new notice from Google regarding TWO of the 4 sites not updated to WP 3.2.2.

    Since then I have updated these sites and resubmitted for Google HealthCheck.

    I’ll need to take a good look at how the hacker gained access to prevent this happening again. I’ll post anything I find that might be useful for others.

    Thread Starter ScreenName

    (@screenname)

    Update: It’s been 4 days since my last post. All sites are clean… no reports from Google or site users otherwise.

    It would appear the malware code was injected into a WP_Include file, thus the update to 3.2.2 has overwritten the hacked file. If you are running 3.2.2 already you might try copying a fresh set of WP include files to your WP_Includes directory…

    As for “how” this attack happened, I am unsure – and we may never know… so for now I am tightening all security on the server to protect us as best as possible. I suggest other WP users do the same.

    Thank you to the community – especially those listed above for all your help and support.
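Following up on the advice above to replace wp-includes with a fresh copy: a more precise way to find which core file was tampered with is to hash every file in the install and compare it against a manifest of known-good MD5 sums for that exact version (WordPress publishes such a manifest per release), then pattern-scan only the files that fail the comparison. The script below is an added example, not code from this thread or from WordPress; the site tree and the manifest are constructed inline so it runs offline.

```python
import hashlib
import os
import re
import tempfile

# Patterns a defender pattern-scans for in files that FAIL the hash check.
# Scanning only unverified files avoids the false positives of scanning all core code.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def build_demo_site():
    """Constructed WP-like tree: one clean core file, one tampered core file,
    one rogue extra file, plus a manifest entry for a file that has gone missing."""
    root = tempfile.mkdtemp()
    clean = b"<?php\nfunction wp_head() { do_action('wp_head'); }\n"
    tampered = clean + b"eval(base64_decode('CONSTRUCTED_PLACEHOLDER'));\n"
    files = {
        "wp-includes/general-template.php": tampered,          # modified core file
        "wp-includes/version.php": b"<?php\n$wp_version = '3.3.2';\n",  # clean
        "wp-includes/cache-helper.php": b"<?php\neval(base64_decode('X'));\n",  # extra, not in manifest
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = {  # constructed stand-in for the per-version known-good MD5 list
        "wp-includes/general-template.php": hashlib.md5(clean).hexdigest(),
        "wp-includes/version.php": hashlib.md5(files["wp-includes/version.php"]).hexdigest(),
        "wp-includes/functions.php": "0" * 32,  # present in manifest, absent on disk
    }
    return root, manifest


def verify_tree(root, manifest):
    """Classify every file under root as verified, modified, or extra; list missing
    manifest entries; flag unverified files that contain obfuscation/eval patterns."""
    report = {"modified": [], "missing": [], "extra": [], "suspicious": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            seen.add(rel)
            with open(path, "rb") as f:
                data = f.read()
            expected = manifest.get(rel)
            if expected is None:
                report["extra"].append(rel)
            elif hashlib.md5(data).hexdigest() != expected:
                report["modified"].append(rel)
            else:
                continue  # hash matches the manifest: verified clean, skip pattern scan
            if SUSPICIOUS.search(data):
                report["suspicious"].append(rel)
    report["missing"] = list(manifest.keys() - seen)
    return {k: sorted(v) for k, v in report.items()}
```

Run against a real install, the "modified" and "extra" lists are the files to restore or remove, and "suspicious" narrows them to the likely injection point that wp_head() was pulling in.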

  • The topic ‘Malware Script generated by WP_HEAD() in Header File’ is closed to new replies.