document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));

This is some code that you can find in your js files leading visitor redirects to other websites.

Probably you have been hacked and somebody inserted some code in your wordpress installation.

Here you can find more information about the hack – https://www.polaris64.net/blog/cyber-security/2017/wordpress-hacks-jquery-js-script-injection

Here are some instructions that have to be done to fix the problem and to be clean:

  1. A lot of your .js files have inserted code like that from the beggining of the post.If you don’t have backup without injected code you have a lot of dirty job to do :(.
    1. Search all files containing the code, the bad thing is that it is possible that the injections script probably deleted real files content
    2. If you succeed to somehow restore all your changed files and remove injected code don’t forget to check for inserted .php files (check for db.php)
    3. Tip for faster find of unwanted code is to look file dates and check all newly edited files
  2. If you have backup, but it’s old and there are some changes which you’ve made after the backup i suggest to look again in the file dates and to compare only newly edited files. Check them one by one and fix them
  3. If you have current backup version dont just drag files to be overitten!!! Because in these case if there are newly added files you will leave them there.You can download your injected version for backup and to upload your backup.

Don’t forget to do these things when you clean your wordpress installation:

  1. change your passwords (user, db, email (smtp if you saved in some file on the server), external services account information if container in files on the server
  2. ask if there are another user accounts to do same or just change all user passwords!
  3. download all files again and check for injected code again if some file was missed
  4. if you use shared hosting services and there are other websites in the same accout, it is possible to be injected too. Check them too and if there is problem make the same as above for every website (even if it is not wordpress based project)
  5. if you use some caching plugins, scripts or systems you can invalidate the case, because it is possible to keep old version with injected code

Good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.