WordPress virus, popads script added on wp_footer action

On my WordPress site, a script is being added in the footer on the wp_footer action.

//Virus Script, hook on wp_footer
<script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=1063894"></script>
  • The script shows in all themes (including default themes). I have disabled
    all plugins but it still shows.
  • I am using WP 4.7.3, so I replaced the wp-admin/wp-include folders with freshly downloaded files. (Problem not solved)
  • I replaced the twentyseventeen theme with fresh files; now the virus script does not show
    in default themes but still shows in the main theme.
  • I searched my theme; there is no eval(), base64_decode(), x64
    kind of code.
  • I printed the full list of wp_footer hooks, but that did not help me.
  • Installed the “simple show hooks” plugin; it also did not work.
  • This virus script does not run when an admin/user is logged in, so I also tried to find the is_user_logged_in() function, but nothing was found.
  • I searched the whole database for “x64, eval(, base64, apu, etc.”; also nothing found in the DB.
  • Installed Anti malware security, but it is not working.
  • If I remove the wp_footer() function, the virus script does not show.

What should I do now?
How do I find the virus location/hook?

Is there any WP action/filter that hooks after each action/filter hooked?
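
An added example, not part of the original post: a must-use plugin sketch that logs the source file and line of every callback registered on wp_footer, the hook named in the question. The `fha_` function names and the file name are assumptions; it writes to the PHP error log because the post notes the script only appears for logged-out visitors.

```php
<?php
// Added example. Assumed location: wp-content/mu-plugins/footer-hook-audit.php

// Resolve a callback to "label @ file:line" using reflection.
function fha_describe_callback( $callback ) {
    try {
        if ( is_string( $callback ) && strpos( $callback, '::' ) !== false ) {
            $callback = explode( '::', $callback, 2 ); // "Class::method" string form
        }
        if ( is_array( $callback ) ) {
            $ref   = new ReflectionMethod( $callback[0], $callback[1] );
            $label = ( is_object( $callback[0] ) ? get_class( $callback[0] ) : $callback[0] ) . '::' . $callback[1];
        } elseif ( is_object( $callback ) && ! ( $callback instanceof Closure ) ) {
            $ref   = new ReflectionMethod( $callback, '__invoke' );
            $label = get_class( $callback ) . '::__invoke';
        } else {
            $ref   = new ReflectionFunction( $callback );
            $label = ( $callback instanceof Closure ) ? '{closure}' : $callback;
        }
        return sprintf( '%s @ %s:%d', $label, $ref->getFileName(), $ref->getStartLine() );
    } catch ( ReflectionException $e ) {
        return 'unresolved callback: ' . $e->getMessage();
    }
}

// Collect "priority label @ file:line" lines for one hook from the global registry.
function fha_list_hook( $tag ) {
    global $wp_filter;
    $lines = array();
    if ( empty( $wp_filter[ $tag ] ) ) {
        return $lines;
    }
    // WordPress 4.7+ stores a WP_Hook object; older versions store a plain array.
    $by_priority = is_object( $wp_filter[ $tag ] ) ? $wp_filter[ $tag ]->callbacks : $wp_filter[ $tag ];
    foreach ( $by_priority as $priority => $callbacks ) {
        foreach ( $callbacks as $entry ) {
            $lines[] = $priority . ' ' . fha_describe_callback( $entry['function'] );
        }
    }
    return $lines;
}

// Run ahead of the other footer callbacks and log, so logged-out requests are covered.
add_action( 'wp_footer', function () {
    foreach ( fha_list_hook( 'wp_footer' ) as $line ) {
        error_log( '[wp_footer] ' . $line );
    }
}, -9999 );
```

Entries whose file path points somewhere unexpected are the ones to inspect. Callbacks that get registered only after the priority -9999 callback has run are not listed.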


2 thoughts on “WordPress virus, popads script added on wp_footer action”

  1. I found this article after my site got infected with the same kind of malware as this.
    I downloaded the complete site and searched for the domain aotson.com, and it led me to this article…
    My site is infected with this malware…
    As I say… this is the method hackers used to inject these scripts into a web site…
    It behaves strangely because when I'm logged in the injected scripts disappear, just as is described in these posts I collected on the web while researching the nature of these injections.
    Follow the links on this page, find affected files, delete some, on others delete some pieces of injected code, and strengthen your defence for next time.
    I installed this lightweight plugin to monitor changed files and that's about it:
    https://wordpress.org/plugins/file-changes-monitor/
    Link to the malware analysis:
    https://medium.com/@cirku17/wp-vcd-malware-analysis-7c5dbaad89c3

  2. I have the same problem with my website, the same as you wrote in this post, so please can you tell me how you solved this problem? Email me at my email address.
    Please help me; I tried every possible way but I am unable to find a solution.
