Skip to content Skip to sidebar Skip to footer
Home / Javascript / Wordpress

How Do I To Figure Out Where Inserted (possibly Malicious) Javascript Code Is Coming From

Post a Comment
Suddenly I have noticed that all my pages contain some unexpected JavaScript code. I don't check every day the source code. but today I need to debug something and then I see this

Solution 1:

You try a couple things since Wordpress uses the Hooks to call respective parts. You could output them all and search for something related to this in the footer section.

A.

-- functions.php --

functionlist_hooked_functions($tag=false){
 global$wp_filter;
 if ($tag) {
  $hook[$tag]=$wp_filter[$tag];
  if (!is_array($hook[$tag])) {
  trigger_error("Nothing found for '$tag' hook", E_USER_WARNING);
  return;
  }
 }
 else {
  $hook=$wp_filter;
  ksort($hook);
 }
 echo'<pre>';
 foreach($hookas$tag => $priority){
  echo"<br />&gt;&gt;&gt;&gt;&gt;\t<strong>$tag</strong><br />";
  ksort($priority);
  foreach($priorityas$priority => $function){
  echo$priority;
  foreach($functionas$name => $properties) echo"\t$name<br />";
  }
 }
 echo'</pre>';
 return;
}

list_hooked_functions();

I assume since its JS that it will hook unto the wp_print_footer_scripts sequence. Which you can then go up the chain of calls and filter the specific function outputting the script.

https://developer.wordpress.org/reference/

To understand the structure of the functions involved.

B.

Another thing is that if the hacker managed to get access unto the Database maybe searching for the related script mention in the Database could be it. (though i doubt)

C.

See if you use any vulnerable code in your theme such as an incorperated gallery plugin inside the theme (which doesnt get updated) contrary to those installed via the Admin panel.

To be noted: often they will use a base64 string which they will then call the decode on in the process thus you wont be able to find the JS code as plain text.

RevSlider had a vulnerability not too long ago.

D.

Use a security plugin such as wordfence which can scan your files for suspicious code.

https://wordpress.org/plugins/wordfence

Once you find and removed the malicious code please make sure to change your passwords

--- Additional Information ---

There seems to be a lot going on in the wordpress realm and it pretty much affects a lot if you are using the Wordpress Comment Box.

Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. (27 April 2015)

Source : http://klikki.fi/adv/wordpress2.html

-- Please let us know if you get any lead with any of the above.

You may like these posts

Post a Comment for "How Do I To Figure Out Where Inserted (possibly Malicious) Javascript Code Is Coming From"