Is this malicious scripting?

(@threepeaksolutions)

On multiple settings pages for plugins on my site (all plugins updated to latest and dll’d from wordpress repository), where there is a field to enter custom or additional HTML/code, I am finding code pre entered that is something like the following:

<script src="//s3.amazonaws.com/js-cache/xxx.js" type="text/javascript"></script><script src="http:///?key=xxx&uid=5851x" type="text/javascript"></script><script src="http:///api?key=xxx&uid=xxx&format=arrjs&r=xxx" type="text/javascript"></script><script src="http://ext/xxx.js?sid=51824_5851_&title=gd_18_12&blocks[]=02aed" type="text/javascript"></script>

<script src="//s3.amazonaws.com/js-cache/xxx.js" type="text/javascript"></script><script src="http:///?key=xxx&uid=5851x" type="text/javascript"></script><script src="http:///api?key=xxx&uid=5851x&format=arrjs&r=xxx" type="text/javascript"></script><script src="http://ext/xxx.js?sid=51824_5851_&title=gd_18_12&blocks[]=02aed" type="text/javascript"></script>

<script src="//s3.amazonaws.com/js-cache/xxx.js" type="text/javascript"></script>

<script src="http:///?key=xxx&uid=5851x" type="text/javascript"></script><script src="http:///api?key=xxx&uid=xxx&format=arrjs&r=xxx" type="text/javascript"></script><script src="http://ext/xxx.js?sid=xxx&title=gd_18_12&blocks[]=02aed" type="text/javascript"></script>

I realize this should be obvious, but I cannot figure out if any of those are legit vs malicious. Some of them are seen in multiple plugins, but site scans aren’t returning malware. I also did not put that content in, so I’m not sure if it’s normal. I should mention that I think a previous person had tried to do a find and replace when there actually was two bad JS links showing up, but I think they may have only searched for the domain and then blanked it, which could explain some of the links with the triple forward slash (///). I’m just taking over managing this site.

This topic was modified 6 years ago by Steven Stern (sterndata).
This topic was modified 6 years ago by Steven Stern (sterndata).

Viewing 5 replies - 1 through 5 (of 5 total)

Stef
(@serafinnyc)

6 years ago
For the most part everything looks legit. Can you post a link to your URL? But that is hard to say without seeing your url.
- This reply was modified 6 years ago by Stef.
Thread Starter ThreePeakSolutions
(@threepeaksolutions)

6 years ago

Sure, and sorry, oops. Thought I already had. It’s Burrardviewcoop.com

Thread Starter ThreePeakSolutions
(@threepeaksolutions)

6 years ago

If you scroll over, it’s more some of the ones with reference to API keys and ext/xxx.js because they seem like the domain is cut out which could be a result of the attempted actions of the previous person. And the fact that multiple unrelated plugins have many of these same scripts listed in the additional or custom HTML part that I did not input. No idea if that is common though

Stef
(@serafinnyc)

6 years ago

Great, thanks. So I’m thinking this is a directory issue with either your server or one of your plugins using an external file. The permissions are off somewhere. It’s possible, I’m not positive. Can you please contact your host and then show them a screenshot.

Thanks Steve for cleaning that up too. Much easier to see.

Stef
(@serafinnyc)

6 years ago

I don’t know why I forgot to say you have a ton of errors on your site. The key issue is probably because Google requires all maps have a legit API key now. You’re most likely using an expired key.

Other than that you have a lot of errors that need to be looked at.

View post on imgur.com

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Is this malicious scripting?’ is closed to new replies.

Is this malicious scripting?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics