1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How Do I Remove Malicious Code In /js/jquery

Discussion in 'Web Design' started by ArtVandelay, Jul 16, 2013.

  1. ArtVandelay

    ArtVandelay Power Member

    Joined:
    Jan 15, 2013
    Messages:
    568
    Likes Received:
    392
    A theme I'd like to use is implanted with lots of 'eval' code. I was able to remove almost all of it by using the theme editor, but there are five more strings of bad code in my theme located in the following three places:

    wp-content/themes/Marijuanna/js/jquery.form.js

    Code:
    async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||""
    

    wp-content/themes/Marijuanna/js/jquery-latest.pack.js

    Code:
    p;f.indexOf("javascript")>=0)c.globalEval(a);return a},param:function(a,b){function d(i,o
    
    wp-content/themes/Marijuanna/js/jquery-1.4.4.min.js

    Code:
    async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||""
    p;e.indexOf("javascript")>=0)c.globalEval(a);return a}});
    
    How do remove this? Is it safe to remove the entire pages or should they just be carefully edited?

    P.S. - I found 'web design' to be the most general section to post in regarding this issue, since I don't know enough about it to know where else to put it :) Sorry if I'm in the wrong section
     
  2. ArtVandelay

    ArtVandelay Power Member

    Joined:
    Jan 15, 2013
    Messages:
    568
    Likes Received:
    392
    Oh and as another bit of information 'Marijuana' is the name of the theme.

    I can give any more info as requested, just ask!
     
  3. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    8,953
    Likes Received:
    7,567
    Occupation:
    ZLinky2Buy SEO Services
    Location:
    ⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩
    Home Page:
    Hi. Is there any way you can get this theme again from a clean source?

    JS files don't run on the server. If they're getting infected, there's something else infected and it's resident on the machine....they'll come back even if you clean them all unless you clean this resident malware
     
    • Thanks Thanks x 1
  4. sn0rt

    sn0rt Elite Member

    Joined:
    Jun 12, 2012
    Messages:
    1,705
    Likes Received:
    3,502
    Occupation:
    "Most obstacles melt away when we make up our mind
    Location:
    "Knowing is not enough; we must apply. Willing is
    Have you used TAC (Theme Authenticity Checker)?
     
    • Thanks Thanks x 1
  5. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,066
    Likes Received:
    2,872
    Gender:
    Male
    I don't see anything bad in it to be frank. I think it is triggering the warning because of the eval used. I can have a look if you post the whole scripts. It is impossible to tell like this.

    EDIT: By the way, different versions of jquery are called twice in your theme. So you might like to remove the older one (1.4.4) first.
     
    • Thanks Thanks x 1
    Last edited: Jul 16, 2013
  6. ArtVandelay

    ArtVandelay Power Member

    Joined:
    Jan 15, 2013
    Messages:
    568
    Likes Received:
    392
    Thanks to all who have chimed in so far!
    Probably not. It was uploaded to WPLayout as a free theme and in my (brief) searches for the keyword of the theme in other locations I couldn't find it.
    Yes! In fact I downloaded that plugin after seeing you endorsing it in another thread. It says the theme is 'OK', which quelled my concerns a bit.

    OK good to know. Yes - the 'eval' code was highlighted by the security checker plugin I was using (Ultimate Security Checker) with the description "Often used to execute malicious code."
    I will PM you the entire scripts (if I can - it's a lot of code).

    Thanks for letting me know about my redundancy - I'll delete the unnecessary stuff!
     
  7. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    8,953
    Likes Received:
    7,567
    Occupation:
    ZLinky2Buy SEO Services
    Location:
    ⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩
    Home Page:
    • Thanks Thanks x 1
  8. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,066
    Likes Received:
    2,872
    Gender:
    Male
    Hey, use pastebin to provide the code. Why don't you provide the code here instead of PMing me? By the way, eval has nothing directly to do with hacking or whatsoever.
     
    • Thanks Thanks x 1
  9. ArtVandelay

    ArtVandelay Power Member

    Joined:
    Jan 15, 2013
    Messages:
    568
    Likes Received:
    392
    Yes - thanks - I can verify that those are the theme.

    I downloaded mine from wplayout - can you verify that any of those are cleaner than any others? I'll go ahead and post the script to pastebin for people to look at, so maybe that will show that the theme is totally fine regardless.

    Better idea than mine - thanks.
    OK here's the /js/jquery-latest.pack.js
    http://pastebin.com/jwHrdbFr

    And here's /js/jquery-1.4.4.min.js
    http://pastebin.com/n0fbSdUE

    Since I deleted the 'Eval' code from the rest of the theme via the editor, do you recommend that I go redownload it from the sources bart provided? I suppose it would be hard to tell without viewing the code in that theme.

    I can post that as well, if requested. I'll just have to re-download the theme.

    Thanks again!
     
  10. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,066
    Likes Received:
    2,872
    Gender:
    Male
    • Thanks Thanks x 1