Help: Malicious Code on My Site

by rimam1
3 replies
Hey guys,

My site was hacked a few weeks ago. Thankfully, I've been able to recover it from backup, but if you do "site:thescienceofgettingripped.com" in Google, you see this:



Then I ran a scan on my site using SiteLock and this is what it returned:

Page URL: How to Burn Fat, Build Muscle, & Get Ripped - Proven Diet & Workout Tricks to Burn Fat & Build Muscle - FAST

Note Info: External link found in javascript : http://cdn.ywxi.net/js/1.js found on sample pages( http://www.thescienceofgettingripped..._1s_a_4o4.html ). The javascript executed starts with : window._wpemojiSettings = {"baseUrl":"http:\/\

Description: We have detected external urls after executing javascript found on your pages. Hackers may attempt to hide malicious content by encoding or obfuscating javascript using code functions such as explode or eval. It is also common for 3rd party software/application providers to obfuscate their javascript to attempt to protect their source code.

Action: Check the url to make sure it is something you recognize and are ok with the potential of your traffic being sent there. You can find the URL location of the javascript executing the external link in the detection report output.

I'm not a programmer and don't know how to clean this up.

Can you please tell me what I need to do within cPanel to get rid of this javascript?

Thanks in advance!
Raza
#code #malicious #site
  • David V
    The "http://cdn.ywxi.net/js/1.js" part I don't recognize, but the "window._wpemojiSettings = {"baseUrl":"http:\/\" is part of the new (4.2+) WordPress stupid emojis.

    Code:
    <script type="text/javascript">
                window._wpemojiSettings = {"baseUrl":"http://s.w.org/images/core/emoji/72x72/","ext":".png","source":{"concatemoji":"http://www.thescienceofgettingripped.com/wp-includes/js/wp-emoji-release.min.js?ver=4.2.2" } };
                !function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
            </script>
    What or how they hacked it I can't say. You'll need to have someone dig through the code. Scans are fine but don't catch everything.

    Note: The new emoji junk script can be filtered out (turned off) by using a small code snippet in your functions or use a plugin.

    Here's the code snippet

    and

    Here's the plugin

    This is not going to solve any hack problem.
    However, if they are hacking into the emojis, you may stop it from executing while you find the issue.
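A static version of the check the scanner report describes, as an added example that is not part of any post in this thread: it lists the URLs found in a page's script tags (undoing the `\/` escaping seen in `_wpemojiSettings`) and flags hosts the owner has not approved. The sample HTML, the `.example` hosts and the function names are constructed for illustration; unlike the scanner, it does not execute the JavaScript.

```javascript
// Added example. SAMPLE_HTML is constructed; hosts ending in .example are placeholders.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"http:\\/\\/s.w.org\\/images\\/core\\/emoji\\/72x72\\/","ext":".png"};
</script>
<script src="http://www.site.example/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.unknown-host.example/js/1.js"></script>
</head><body></body></html>`;

// Collect every URL a <script> element loads (src) or mentions (inline body).
function extractScriptUrls(html) {
  const found = new Set();
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (src) found.add(src[1]);
    // JSON inside inline scripts escapes "/" as "\/"; undo that first.
    const body = m[2].replace(/\\\//g, "/");
    for (const u of body.match(/https?:\/\/[^\s"'<>\\)]+/gi) || []) found.add(u);
  }
  return [...found];
}

// Split the URLs into hosts the owner recognises and hosts needing review.
function auditScripts(html, pageOrigin, knownHosts) {
  const known = new Set(knownHosts.map((h) => h.toLowerCase()));
  known.add(new URL(pageOrigin).hostname); // the site itself is always known
  const result = { known: [], review: [] };
  for (const url of extractScriptUrls(html)) {
    let host = null;
    try {
      // Resolves protocol-relative ("//host/...") and relative URLs too.
      host = new URL(url, pageOrigin).hostname;
    } catch (e) {
      host = null; // unparseable URL: goes to the review list
    }
    const bucket = host !== null && known.has(host) ? result.known : result.review;
    bucket.push(url);
  }
  return result;
}

const sampleReport = auditScripts(SAMPLE_HTML, "http://www.site.example", ["s.w.org"]);
console.log(sampleReport);
```

Anything in the `review` list is a URL to look up before deciding whether it belongs on the site.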
  • samntly
    If I remember correctly Google has a web based tool where you can submit your website to be reconsidered. I think it's called Website Reconsideration Request but you may want to google it again just to make sure.
    Signature

    Need A PHP Programmer That You Can Count On, That's Professional, Experienced in working with small and large clients. Reach me on skype at "Netlyte" or visit me at http://www.LCCWebDesign.com

  • KHR
    I am also facing the same issue, but my site was not hacked any more. I am not finding that code. How can I fix this?

    Category: Suspicious content

    Page URL: https://www.epenisbook.com/increase-...size-revealed/

    Note Info: External link found in javascript : https://platform.twitter.com/widgets.js found on sample pages( https://www.epenisbook.com/increase-...size-revealed/,
    https://www.epenisbook.com/increase-...size-revealed/,
    https://www.epenisbook.com/increase-...ize-naturally/,
    https://www.epenisbook.com/increase-...ize-naturally/ ).
    The javascript executed starts with : window._wpemojiSettings =
    {"baseUrl":"https:\/ This link is to a very well known site so it is probably nothing to worry about.

    Description: We have detected external URLs after executing javascript found on your pages. Hackers may attempt to hide malicious content by encoding or obfuscating javascript using code functions such as explode or eval. It is also common for 3rd party software/application providers to obfuscate their javascript to attempt to protect their source code.

    Action: Check the URL to make sure it is something you recognize and are ok with the potential of your traffic being sent there. You can find the URL location of the javascript executing the external link in the detection report output.