How to recognise a script injection

Is there a sure-fire way to recognise a script injection on a site that’s on a local server, and remove it?

Probably not a sure-fire way. If you can duplicate it, you have something to work with. Otherwise you probably need one or more scanners/analyzers.

https://www.google.com/search?q=scan+script+injection

Is it even possible to get a script injection on a local site?

Of course. A local server is still a server, but being local the only danger is from people with access to your local network. You can’t hack a local server without first hacking into the local area network, and presumably you have a router/firewall in the way.

Yes there’s firewall.
So I think it’s internal not external.
The situation is that a certain plugin attempts to connect to an outside location. It’s JavaScript related. When I disable JavaScript in the browser it seems it doesn’t do it.
But when JavaScript is ON, (even when I’ve removed all instances of the code that produces the call) it connects to that location upon page load.

even when I’ve removed all instances of the code that produces the call

Then you didn’t remove all of the code.

If something is intentionally connecting to the outside then it could suck in bad code.

What is the plugin? Why does it worry you?

Also, did the code on your local site come from code online? If it did you could have imported an infection.

It’s the “Tippy” tool-tip plugin because the JavaScript with url it pointed was produced under every instance of the tooltip in my posts and when I disabled javascript the behaviour was gone.
As soon as JavaScript is enabled and the plugin is active the behaviour persists – despite the fact that I’e removed it under posts using the tool tip.
I also notice that my kitchen zink has disappeared.
Where else could the code have been inserted?

I basically don’t like the idea. It worries me because it looks malicious.
The url it points to is: https://in.admedia.com/ and it looks suspicious.

a google search for the produced code also reveals unwholesome things.

As soon as JavaScript is enabled and the plugin is active the behaviour persists – despite the fact that I’e removed it under posts using the tool tip.

It is probably inserting its Javascript on every page in case its happens to be needed. Just guessing.

It sounds like the plugin is either malicious, very badly coded, or you have a hacked copy of it. I don’t really see any complaints about the plugin. That is a plus, and assuming this is the plugin, I also don’t see anything squirelly in the code. so I thinking there is something wrong with your copy. Have you tried using a fresh copy?

I’m downloading it now.
Would it help if I post the JavaScript associated with the problem here?

I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.
Would it be visibly “hacked” or should I just replace its files with mine and not attempt to look for anything funny?

I have already rummaged its code for a trace of the JavaScript I found on my posts but found nothing.

If the problem persists with the clean copy then the plugin isn’t the problem.

Yes, it would be visibly hacked– probably some eval code.

You never responded to this:

Also, did the code on your local site come from code online? If it did you could have imported an infection.

What do you mean:

did the code on your local site come from code online?

How do I confirm this?
All I know is it points to a url from which it draws information and sends to.
I don’t remember authorising it and it looks suspicious.

Any more ideas on this?

Has the code that you are running on your local server ever been online? Any of the code? Your theme? Some plugins? The whole thing? Did you download an existing site from a publicly accessible server and install it on your local server?

Or… did you install to your local server from fresh, clean files?

No, the site was local forever.

Ok. That is strange.

What other plugins do you have and what theme?

Using a twenty-eleven child theme.
Plugins:
BackWPup
Post Types Order
WP Gallery custom links
WP Photo album Plus

Don’t you think we could demystify the code if I post it here?