1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to remove exit junction script from my website?

Discussion in 'Blogging' started by AnotherOne, Dec 20, 2012.

  1. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    Hi,
    So I was testing performance of my site and I saw that there are some entries that shows Exit Junction is running a script on my site. After searching for the script I find out that the script is a malicious one and it'll hurt my site reputation.

    I don't know how I got it because I have not installed any plugin other than Sneaky Affiliates (licensed one) on my website and enabled some apps in Cloudflare. I am on WordPress platform with some good security plugins.

    Any help in removing that script is highly appreciated.
     
  2. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    Anyone?
     
  3. Lorvija

    Lorvija Newbie

    Joined:
    Dec 25, 2012
    Messages:
    4
    Likes Received:
    2
    I got the excatly same problem. Noticed it by accident. It's not shown for every visit but most likely the first time one visits the page.
    I'm running LAMP2 configuration, wordpress 3.5 with wordfence security and some other security additions.
    Would be interesting if anyone has any idea how it's added.. Is it a script or a rootkit adding something to the http traffic or something else?

    -Lorvija
     
  4. ronegraT

    ronegraT Power Member

    Joined:
    Dec 29, 2010
    Messages:
    620
    Likes Received:
    101
    Occupation:
    sleeping
    Location:
    Sweden
    First of all exitjunction is a ad network
    To remove it just remove the codes in the files and you are done, then after a few days check the pages again to se if it has returned, if it have, just start to deactivate/remove plugins, or check the plugins for anything related to exit junction
     
  5. Lorvija

    Lorvija Newbie

    Joined:
    Dec 25, 2012
    Messages:
    4
    Likes Received:
    2
    Seems not to be that easy.. As I said for me it shows only randomly. Also I searched for the exitjunction string on my server in all text files but found none.
    So either the url is encoded somehow (would be quite weird...), it's being added straight to the http request, cloudflare is adding it or some of the wordpress scripts is pulling the address from somewhere and adding it...
     
  6. ronegraT

    ronegraT Power Member

    Joined:
    Dec 29, 2010
    Messages:
    620
    Likes Received:
    101
    Occupation:
    sleeping
    Location:
    Sweden
    Sounds like the problem i had once, someone had managed to place hidden iframes on my site, i found them by searching for height=0 width=0 , they where placed in alla index files if i remeber right

    But what you can do if you dont know what causing it and you cant find it in the source code, deactivate all plugins and change the theme, the try to reactivate the plugins one by one
     
    • Thanks Thanks x 1
  7. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    Which plugin/tool you'll recommend to do customized search in files?

     
  8. Lorvija

    Lorvija Newbie

    Joined:
    Dec 25, 2012
    Messages:
    4
    Likes Received:
    2
    If you have access to linux shell just use grep. Fastest and easiest :)
     
    • Thanks Thanks x 1
  9. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    I have SSH/Shell Access (it's showing in my cPanel). I would love to know more about the command you've quoted.

     
  10. Lorvija

    Lorvija Newbie

    Joined:
    Dec 25, 2012
    Messages:
    4
    Likes Received:
    2
    For example my websites are inside a folder /var/www on my webserver so use: grep -r "searchable text here" /var/www
    That will go through ALL of the files inside that directory searching for a string searchable text here.
     
    • Thanks Thanks x 1
  11. ronegraT

    ronegraT Power Member

    Joined:
    Dec 29, 2010
    Messages:
    620
    Likes Received:
    101
    Occupation:
    sleeping
    Location:
    Sweden
    i downloaded the files whit ftp to my computer and use the function "search inside files" whit total comander.

    Much easier if you have the files on your computer when you search then online.

    If i remeber correct, my problem was index files, index.html index.php and such that was where the files where hidden, then i looked in my theme and found a code which shouldnt be there ( i checked it whit the clean orginal that i had on my computer)
     
    • Thanks Thanks x 1
  12. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    Thank you guys. I'll use/test both methods and post the results later.
     
  13. vikram1985

    vikram1985 Newbie

    Joined:
    Jan 4, 2013
    Messages:
    1
    Likes Received:
    0
    I also noticed a exit junction being loaded on all the pages on my site.

    I have hostgator shared hosting, WP 3.5, cloudflare.

    I tried disabling all the plugins, changed the theme but still the script is being loaded.

    I am not a coder and would request simple instructions to find the problem and rectify it. Please help!
     
  14. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    919
    Likes Received:
    187
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    Please read replies of Lorvija and rongraT on this thread and post your result whether you're successful in removing that script or not.