0

Hi,

I was recently hacked and looking all around throughout my code the only suspicious thing I could find is this chunk of code at the bottom of my source on the index page:

<script type='text/javascript'>
/* <![CDATA[ */
var thickboxL10n = {"next":"\u6b21\u3078 >","prev":"< \u524d\u3078","image":"\u753b\u50cf","of":"\/","close":"\u9589\u3058\u308b","noiframes":"\u3053\u306e\u6a5f\u80fd\u3067\u306f iframe \u304c\u5fc5\u8981\u3067\u3059\u3002\u73fe\u5728 iframe \u3092\u7121\u52b9\u5316\u3057\u3066\u3044\u308b\u304b\u3001\u5bfe\u5fdc\u3057\u3066\u3044\u306a\u3044\u30d6\u30e9\u30a6\u30b6\u30fc\u3092\u4f7f\u3063\u3066\u3044\u308b\u3088\u3046\u3067\u3059\u3002","loadingAnimation":"http:\/\/mydomain.org\/wp-includes\/js\/thickbox\/loadingAnimationfuck.gif"};
/* ]]> */
</script>

is this present as default or its inserted by some hacker?

Thank you.

Cain Nuke
  • 2,515
  • 4
  • 35
  • 55
  • Could be from XSS. – Andrew Li Jun 22 '16 at 06:36
  • Yes it is malware. – Milap Jun 22 '16 at 06:36
  • At first I said "it most probably is", but on second glance it could just be code from a thickbox plugin. If you have one installed look at it's source code, otherwise take a look at the [My site was hacked FAQ](https://codex.wordpress.org/FAQ_My_site_was_hacked) – Gerald Schneider Jun 22 '16 at 06:37
  • Another post regarding CDATA and it's vulnerabilities [here](http://stackoverflow.com/questions/7092236/what-is-cdata-in-html) – Andrew Li Jun 22 '16 at 06:38
  • 1
    Looks like it is [valid code](https://plugins.svn.wordpress.org/auto-thickbox/trunk/auto-thickbox.php). – Gerald Schneider Jun 22 '16 at 06:39
  • Its related to thickbox but I dont understand why is it all scrambled like that. I would like to read what it says to determine whether or not its malware. – Cain Nuke Jun 22 '16 at 06:43

0 Answers0