Finding malicious script on my webserver with grep

Question

Got a malicious script on my WordPress site, randomly appearing and disappearing in my source code as

<script src="www.71wp.org/jquery.min.js></script>

I have custom designed footer.php file, I figured out that the script is getting echoed into the footer somehow, because if I delete from my footer, that's the only script that I have there then the malicious script won't appear anymore.

I have been using this to find the source of the virus, and so far no success. find . -name ".php" -exec grep "base64" '{}' \; -print &> b64-detections.txt find . -name ".php" -exec grep "eval" '{}' \; -print &> eval-detections.txt

Anyone might have any ideas how I can locate this script?

I will suggest you run a scan of all your wordpress files by installing this plugin Sucuri Security it will give you detailed report of malicious code in any file on your wordpress — Piyush Patil, Aug 29 '16 at 17:03

score 1 · Answer 1 · answered Aug 24 '16 at 20:19

1

Hye

I also tried with :

eval()
base64_decode()
String.fromCharCode

I have a SSH access if needed

Which plugins do you used. The hack is coming only on the mobile version

Tks

answered Aug 24 '16 at 20:19

Yves Denan

31
5

score 1 · Answer 2 · answered Aug 29 '16 at 17:01

This is what exactly happening in your case

https://blog.sucuri.net/2015/05/fake-jquery-scripts-in-nulled-wordpress-pugins.html

You need to search this function all over your wordpress

function wp_func_jquery() {}

Code inside this function varies with different sites but the function name remains same in all site. It is commonly found in functions.php, footer.php or in any plugin file. It mostly comes through nulled or pirated plugins.

Finding malicious script on my webserver with grep

2 Answers2