Unknown Script running in the head of my website

Question

My website is running on Wordpress on a Nginx/Ubuntu server. Recently I tried to make some ads on Google but it prompted me with a policy violation on Malicious or unwanted software. I got in contact the the Google team and they gave me some links that appear on my webpages. These are:

https://staleshow.com/v2/0/fovR3B4fjiQSgtNFpGy....

https://staleshow.com/v2/0/gemRIkJ9djEBOXuetqaLkIOcy.....

https://staleshow.com/v2kzbtsxmzq-clIED28ZJ-mROoqs5UKBLIXem7WuN....

https://staleshow.com/v2vgtikD8J6e0uNhC1Rgy5NIHONmkM-LSTIbr_enq_ckOqCgI....

When inspecting my website with dev tools I can see that a script is running in the head tag. Follows:

<script async="" src="https://staleshow.com/v2/0/fovR3B4fjiQSgtNFpGy...."></script>
How can I delete this line? Where is it's origin?

Tony · Answer

I would try to install one of the security scanner plugins for Wordpress. It appears you may have a rogue plugin installed that is injecting this script into your site code. That or review your plugin list and see if there are any that you do not specifically want installed. If none of that finds anything, I would go through each plugin one by one and uninstall, refresh, and see if the injection is still there. Those links that Google gave are going to always come back with a 404 response due to how that staleshow.com website is used.

Tony · Answer

My guess without knowing Wordpress well would be that you have an unwanted plugin installed on Wordpress that is adding this. I’d use one of the security scanners that Wordpress has or review your plugins to see if there are any that are there that you do not want there. This site has some info about Wordpress security scanner plugins https://www.wpbeginner.com/wordpress-security/

Shiroka Arukas · Answer

Hi @threepixelslab , Traditionally,you can find this file in the functions.php and page.php file in your custom theme.You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.And,search keywords in your origin code to find if there are other malicous virus.Or,you can check your edit module in your admin page,use text edit mode to find strange links.If you can login your phpadmin page,you can execute this MySQL command: UPDATE wp_posts SET post_content = replace(post_content, 'COPY THE VIRUS CODE HERE',''); This is to replace the malicious links to blank.But you must execute this for each link.Just like: UPDATE wp_posts SET post_content = replace(post_content, '<^>https://VIRUS DOMAIN/v2/0/fovR3B4fjiQSgtNFpGy....<^>',''); UPDATE wp_posts SET post_content = replace(post_content, '<^>https://VIRUS DOMAIN/v2/0/gemRIkJ9djEBOXuetqaLkIOcy...<^>',''); (Remember to substitute the VIRUS DOMAIN to the real one) After i search for this,i wonder if your addon’s name is Ultimate Support Chat.It has been reported so you should delete it as fast as you can.However,I didn’t find any other records that related to the link you mentioned.I suggest you reinstall your wordpress,and use other theme.This is a better way. Kind regards,Shiroka

Related

Question

Unknown Script running in the head of my website

Related