How to recognise a script injection

Don’t you think we could demystify the code if I post it here?

You don’t know where the problem code is, do you?

If you got WordPress from this website, it is clean. The issue has to be one of the plugins or your theme. Or, your computer. Have you checked your computer for a virus?

No, I know exactly where the code is because I could see it and remove it but where it Originates from is the concern. Do you know JavaScript?

WP is clean. We’ve already established it’s a plugin haven’t we?
My computer is also clean.

We’ve already established it’s a plugin haven’t we?

No. We haven’t. About all we’ve established is that you installed a clean WordPress and that the code for the plugin you originally thought to be at fault looks fine. And I suspect that this isn’t strictly speaking a script injection.

Find a page where this is happening, and paste the entire browser page source to the pastebin.

Here’s the line that was mysteriously produced below each instance of the Tippy:

<script type="text/javascript" src="https://in.admedia.com/?id=ODorNiU"></script>

Posting the rest in a sec.

Pastebin is not operational now.
How’s that for now – does it shed any light on the matter?

The problem is that the string “admedia” is nowhere in the Tippy plugin code (that I can find), nor is there anything else suspicious. That is why I want the whole page. I am hoping there is clue in there.

I cannot get the pasting right, sorry.
It doesn’t embed correctly. How should I do it?

View Source, select all, copy to the pastebin, should do it. The pastebin is build for pasting code. It should be fairly simple.

[ Way too many lines of code moderated, that’s just way too much. For that many lines of code please use pastebin.com instead. ]

Forum rules limit inline code to ten lines or less. That is why I specified the pastebin.

That is being inserted into your post body– inside the ‘entry-content’ div. That suggest that there is filter on the_content or save_post or maybe a few other filters. You need to find a way to search your entire code base for ‘admedia’. I don’t know if you are on windows or mac. If you are on Linux, best case :), or a Mac you can open a terminal and use grep.

I used the pastebin.
Thanks for getting back.
Can you be a bit more specific please? I don’t know where to start now.
I’m on windows, WAMP.

Look I don’t expect a quick primer or anything, just point me in the right direction in case you happen to know what tools/techniques I can use.
I can accept that my case won’t be solved here but the truth is I’m too deep into it now.
Any advice is much appreciated.
Thanks.

I’d use this: https://gnuwin32.sourceforge.net/packages/grep.htm

This one is graphic-er-ie but they ask you to pay and register: https://www.wingrep.com/

Your case can be solved here but you are going to have to find where that bad code is. Grep is the easiest way to do that. I use it 100 times a day.

Once you get one of those working look for ‘admedia’, ‘eval’, ‘base64_decode’, ‘gzinflate’. Hopefully one of those will hit.

The combination ‘eval(gzinflate(base64_decode(‘ is especially promising. For example, eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA=='))); from a site that will let you de-obfuscate that and see what it actually does.

Can I simply delete the findings or does one have to be knowledgeable? –
I don’t want to break anything…

There are valid uses for all of those functions so I’d suggest you post what you find and let me take a look before you delete anything.