Title: JavaScript Obfuscation – How to remove it Last modified: August 20, 2016 --- # JavaScript Obfuscation – How to remove it * [Borbotron](https://wordpress.org/support/users/computacion/) * (@computacion) * [14 years ago](https://wordpress.org/support/topic/javascript-obfuscation-how-to-remove-it/) * Well, this seems to be spreading very fast and growing to be one of the top threats this week, check it out: [http://www.avgthreatlabs.com/webthreats/info/javascript-obfuscation/](http://www.avgthreatlabs.com/webthreats/info/javascript-obfuscation/) * AvgThreatLabs.com seems to be the only online scanner to detect it, alongside with Chrome browser and Google’s webmaster tools. * Ok, so here I pasted the malicious code output that you can see while looking at the page source: [http://pastebin.com/2XfbytS4](http://pastebin.com/2XfbytS4) but I still couldn’t find where it’s generated (not in index.php nor header.php, etc. so I’m thinking probably a .js file). * I had more than one infected site, so, I tried upgrading WordPress and the malicious code disappeared from the page, but Chrome and avgthreatlabs still identify the page as infected, I’m still not sure if it’s just that these tools haven’t updated yet or if there’s still an infection. * Any clues, insight or experiences appreciated, so maybe we can find a definitive solution. Viewing 3 replies - 1 through 3 (of 3 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [14 years ago](https://wordpress.org/support/topic/javascript-obfuscation-how-to-remove-it/#post-2788515) * > but I still couldn’t find where it’s generated > … > Any clues, insight or experiences appreciated, so maybe we can find a definitive > solution. * Focusing on the obfuscation is just treating the symptoms and isn’t doing anything for your problem. The problem is that Very Bad People are able to compromise your site. * You need to start working your way through these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Additional Resources: [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) [http://www.studiopress.com/tips/wordpress-site-security.htm](http://www.studiopress.com/tips/wordpress-site-security.htm) * Thread Starter [Borbotron](https://wordpress.org/support/users/computacion/) * (@computacion) * [14 years ago](https://wordpress.org/support/topic/javascript-obfuscation-how-to-remove-it/#post-2788520) * Thanks, I know the drill 😉 * I’m just trying to save some time, for me and for others having issues with this particular exploit. If we know where the malicious code is originated maybe we can find where did it came from and try to patch the vulnerability. * I’m still investigating but I’m pretty sure it’s a jquery vulnerability, any contributions appreciated, I’ll keep you updated. * Thread Starter [Borbotron](https://wordpress.org/support/users/computacion/) * (@computacion) * [14 years ago](https://wordpress.org/support/topic/javascript-obfuscation-how-to-remove-it/#post-2788566) * Well, it seems the vulnerability was in timthumb.php and the code was injected in every WordPress install thorough the shared hosting. The malicious code was located inside .php files in the wp-includes folder and sometimes also in the( current) theme folder, so basically you should upgrade or re-install core files, themes and plugins (just in case) before securing your site again, hope it helps if anyone goes through the same. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘JavaScript Obfuscation – How to remove it’ is closed to new replies. ## Tags * [infection](https://wordpress.org/support/topic-tag/infection/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 2 participants * Last reply from: [Borbotron](https://wordpress.org/support/users/computacion/) * Last activity: [14 years ago](https://wordpress.org/support/topic/javascript-obfuscation-how-to-remove-it/#post-2788566) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics