
identifying malicious script

Discussion in 'BlackHat Lounge' started by strawhat150, Aug 15, 2016.

  1. strawhat150

    My client's site got infected with a malicious script. The script is located in the footer area, but there is nothing suspicious in footer.php.

    My client's footer.php has only one piece of code there: <?php wp_footer(); ?>
    The rest is just HTML.

    I decided to remove <?php wp_footer(); ?> and the malicious script disappeared from the source code. Once you put it back, the script comes back again.
    So basically the script is being hooked from somewhere to the footer.

    After checking many files and access logs for any suspicious activity or any code, I did not find anything.
    Then I ran the grep command with these patterns to find any encoded scripts:
    base64_decode
    gzinflate(base64_decode
    eval(gzinflate(base64_decode
    eval(base64_decode

    Did not find anything.
    Also ran some rootkit scans, nothing came up.

    Any idea what I can do next?

    Thanks in advance
     
  2. mnunes532

    Look for other places where "wp_footer()" exists. It should be something like this: function wp_footer(){

    I'm 99% sure the malicious code is inside that function.
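
Added example, not part of any post in this thread: shell functions that list every definition of wp_footer() and every callback registered on the wp_footer hook, and flag obfuscation that the literal grep patterns in the first post do not match. The function names and the sample tree are constructed for illustration, and GNU grep is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find what is attached to wp_footer and
# flag obfuscation that a literal grep for "base64_decode" cannot match.

# Every add_action()/add_filter() call that registers a callback on wp_footer.
find_footer_hooks() {
    grep -rnE --include='*.php' \
        "add_(action|filter)[[:space:]]*\([[:space:]]*['\"]wp_footer['\"]" "$1"
}

# Every definition of wp_footer(). Stock WordPress defines it once, in
# wp-includes/general-template.php, where it only fires do_action('wp_footer').
find_footer_definitions() {
    grep -rnE --include='*.php' \
        "function[[:space:]]+wp_footer[[:space:]]*\(" "$1"
}

# Other decoders, long hex-escaped strings, and function names assembled by
# string concatenation such as 'base' . '64_decode'.
find_obfuscation() {
    grep -rnE --include='*.php' \
        -e "(str_rot13|gzuncompress|gzinflate|create_function)[[:space:]]*\(" \
        -e "(\\\\x[0-9a-fA-F]{2}){4,}" \
        -e "['\"][a-z0-9_]{2,}['\"][[:space:]]*\.[[:space:]]*['\"][a-z0-9_]*(decode|inflate)" \
        "$1"
}

# Constructed sample tree (hypothetical file names and contents) for a dry run.
make_sample_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/demo" "$d/wp-content/themes/demo"
    printf '%s\n' "<?php function wp_footer() { do_action( 'wp_footer' ); }" \
        > "$d/wp-includes/general-template.php"
    printf '%s\n' "<?php wp_footer(); ?>" > "$d/wp-content/themes/demo/footer.php"
    printf '%s\n' "<?php" "add_action( 'wp_footer', 'demo_cb' );" \
        "\$fn = 'base' . '64_decode';" > "$d/wp-content/plugins/demo/demo.php"
    echo "$d"
}

# Usage: ./scan.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    echo "== wp_footer definitions ==";  find_footer_definitions "$1"
    echo "== callbacks on wp_footer =="; find_footer_hooks "$1"
    echo "== obfuscation markers ==";    find_obfuscation "$1"
fi
```

A second definition of wp_footer() outside wp-includes/general-template.php, or a hook callback in a file that no installed plugin or theme ships, is where to look first.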
     
  3. strawhat150

    Also one more thing, he has another wp-includes folder named wp-includes_org. Is that normal?

    Nothing looks suspicious in that folder.
     
  4. blogzandstuff

  5. pasdoy

  6. miafoto

    PM me, I will help for free. I love doing these things.
    :cool: