Andre Dublin

Correction on my last couple posts, I have found it also to be the l10n.js file located at https://sitename.com/wp-includes/js/l10n.js?ver20101110

Here is the malware report https://sucuri.net/malware/malware-entry-mwjs2368

You can see it gets attached to the end of the js file

Interesting enough after scanning my web site without the malicious code with https://sitecheck.sucuri.net/scanner/ ( thanks solagirl thats a great web tool ) it passed. Then when I scanned another one of my infected web sites it failed the test. Note that typekit is also on the website that failed. So if this helps anyone in squashing this problem, typekit might have some type of xss problem.

I’ve had a recent iframe injection attack on my web server. So far I’ve created a backup of my wordpress theme files and database, removed and installed the wordpress cms platform, and I still had the iframe showing up on my site. Eventually I went through my config.php and many other php files that are frequently targeted. Deleted the config-sample.php (as usual) and eventually figured it is a javascript file. The only javascript that is on my website was a typekit script, so when I disabled that the iframe went away. I am still testing the site to see if the malicious code is still present. Does anyone know of typekit having some kind of xss vulnerabilities?