Hi,
there are many blogs infected with this code.
If you serach on Google for “1301851861911781711021861911821711311041861711901861171”. You can find some pages.
These code hides this Element (<div class=slider_wrapper_en>”).
It will extract following text:
<styletype="text/css">.slider_wrapper_en{position:absolute;clip:rect(480px,auto,auto,480px);}</style>
My problem is that my header.php is not changed if I have a look to the file, but if I open my page the script was inserted. So, where is it stored?
Is “slider_wrapper_en” a hint? Because I have installed Sliding Door theme.
Stefan
@beyerste: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem – despite any similarity in symptoms – is likely to be completely different.
Did somebody checked that issue?
Looks like malware, but no entry in mysql or php files. Any idea ?
Regards
David
What do you mean “somebody”? The recommended resources for hacked sites are posted right above your post.
@ WPyogi thanx for the great help…
For all others, this code is added by plugin Facebook / quiknotes, the directory name of the plugin is quiknotes. The plugin is not available anymore on ww.wp.xz.cn.
So delete/deactivate the plugin and check your system as WPyogi mentioned before.
Thread Starter
edyzen
(@edyzen)
WPyogi
Thanks for your suggestion, that is very useful
For the record, the plugin mentioned by switch2mac, Facebook/quiknotes, is most likely not the culprit here. I just came across this hack on another site not utilizing that plugin.
As advised by the links provided by WPyogi, it’s probably best to do a clean install. No telling how or where that malicious code has been inserted, and odds are it’ll be faster for you to re-install WordPress and your site files than it will be to manually check every file in your WordPress directory only to miss something and have the malware show up again.
Thanks for this discussion, removing Facebook/quiknotes solved the javascript injection in one of my sites.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Removing the malicious code may resolve the symptom of the hack, but it does not resolve the hacker’s ability to inject malicious code to your website.
@andrew, it solved the problem for now. I checked the complete code/database, the rest is clean.
I will move to site to a different provider with a clean WP and plugin install soon.
