Related

Tool NGINX Config Generator Tool
Running a web-based video game on a droplet Question Question
my site i down please see http://www.cheri3a.com/ Question Question

Question

Unknown Script running in the head of my website

Posted February 21, 2020 369 views
NginxWordPressJavaScript

My website is running on Wordpress on a Nginx/Ubuntu server. Recently I tried to make some ads on Google but it prompted me with a policy violation on Malicious or unwanted software. I got in contact the the Google team and they gave me some links that appear on my webpages. These are:

https://staleshow.com/v2/0/fovR3B4fjiQSgtNFpGy....

https://staleshow.com/v2/0/gemRIkJ9djEBOXuetqaLkIOcy.....

https://staleshow.com/v2kzbtsxmzq-clIED28ZJ-mROoqs5UKBLIXem7WuN....

https://staleshow.com/v2vgtikD8J6e0uNhC1Rgy5NIHONmkM-LSTIbr_enq_ckOqCgI....

When inspecting my website with dev tools I can see that a script is running in the head tag. Follows:

<script async="" src="https://staleshow.com/v2/0/fovR3B4fjiQSgtNFpGy...."></script>
How can I delete this line? Where is it's origin?
Add a comment
threepixelslab
By:
threepixelslab
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers
Shiroka February 21, 2020

Hi @threepixelslab,

Traditionally,you can find this file in the functions.php and page.php file in your custom theme.You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.And,search keywords <scripts> in your origin code to find if there are other malicous virus.Or,you can check your edit module in your admin page,use text edit mode to find strange links.If you can login your phpadmin page,you can execute this MySQL command:

UPDATE wp_posts SET post_content = replace(post_content, 'COPY THE VIRUS CODE HERE','');

This is to replace the malicious links to blank.But you must execute this for each link.Just like:

UPDATE wp_posts SET post_content = replace(post_content, 'https://VIRUS DOMAIN/v2/0/fovR3B4fjiQSgtNFpGy....','');

UPDATE wp_posts SET post_content = replace(post_content, 'https://VIRUS DOMAIN/v2/0/gemRIkJ9djEBOXuetqaLkIOcy...','');

(Remember to substitute the VIRUS DOMAIN to the real one)

After i search for this,i wonder if your addon’s name is Ultimate Support Chat.It has been reported so you should delete it as fast as you can.However,I didn’t find any other records that related to the link you mentioned.I suggest you reinstall your wordpress,and use other theme.This is a better way.

Kind regards,
Shiroka

Reply Report
  • threepixelslab February 22, 2020

    Hello

    Thank you for the detailed reply. I analyzed the js code that was running and I concluded that “AdBlocker Notify Lite” from Admiral was causing this problem. I deactivated and got in touch with their support so they can solve the issue.

    Reply Report
pantsme February 22, 2020

My guess without knowing Wordpress well would be that you have an unwanted plugin installed on Wordpress that is adding this. I’d use one of the security scanners that Wordpress has or review your plugins to see if there are any that are there that you do not want there. This site has some info about Wordpress security scanner plugins https://www.wpbeginner.com/wordpress-security/

Reply Report
  • threepixelslab February 22, 2020

    I did install some security plugins but they couldn’t detect the issue. I had to do it manually. The plugin “AdBlocker Notify Lite” was causing the issue. When I deactivated the code wasn’t running.

    Reply Report
pantsme February 22, 2020

I would try to install one of the security scanner plugins for Wordpress. It appears you may have a rogue plugin installed that is injecting this script into your site code. That or review your plugin list and see if there are any that you do not specifically want installed. If none of that finds anything, I would go through each plugin one by one and uninstall, refresh, and see if the injection is still there. Those links that Google gave are going to always come back with a 404 response due to how that staleshow.com website is used.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help