Created
September 29, 2014 14:36
-
-
Save gmanfred/15fa9deabc6b7ba5bf6e to your computer and use it in GitHub Desktop.
Wordpress hacked with malicious general-template.php file. Check the solution here: http://coderpills.wordpress.com/2014/09/29/cleaning-an-hacked-wordpress-from-a-malware-that-shows-checking-your-browser-before-accessing-pastebin-com/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE HTML> | |
<html lang="en-US"> | |
<head> | |
<meta charset="UTF-8" /> | |
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> | |
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /> | |
<meta name="robots" content="noindex, nofollow" /> | |
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> | |
<title>Just a moment...</title> | |
<style type="text/css"> | |
html, body {width: 100%; height: 100%; margin: 0; padding: 0;} | |
body {background-color: #ffffff; font-family: Helvetica, Arial, sans-serif; font-size: 100%;} | |
h1 {font-size: 1.5em; color: #404040; text-align: center;} | |
p {font-size: 1em; color: #404040; text-align: center; margin: 10px 0 0 0;} | |
#spinner {margin: 0 auto 30px auto; display: block;} | |
.attribution {margin-top: 20px;} | |
</style> | |
<script type="text/javascript"> | |
//<![CDATA[ | |
(function(){ | |
var a = function() {try{return !!window.addEventListener} catch(e) {return !1} }, | |
b = function(b, c) {a() ? document.addEventListener("DOMContentLoaded", b, c) : document.attachEvent("onreadystatechange", b)}; | |
b(function(){ | |
var a = document.getElementById('cf-content');a.style.display = 'block'; | |
setTimeout(function(){ | |
var t,r,a,f, FHmmKSN={"tzGUIgEnXAX":+((!+[]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]))}; | |
t = document.createElement('div'); | |
t.innerHTML="<a href='/'>x</a>"; | |
t = t.firstChild.href;r = t.match(/https?:\/\//)[0]; | |
t = t.substr(r.length); t = t.substr(0,t.length-1); | |
a = document.getElementById('jschl-answer'); | |
f = document.getElementById('challenge-form'); | |
;FHmmKSN.tzGUIgEnXAX-=+((+!![]+[])+(!+[]+!![]+!![]+!![]));FHmmKSN.tzGUIgEnXAX+=!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![];FHmmKSN.tzGUIgEnXAX*=+((!+[]+!![]+[])+(!+[]+!![]));FHmmKSN.tzGUIgEnXAX+=+((!+[]+!![]+[])+(!+[]+!![]+!![]));a.value = parseInt(FHmmKSN.tzGUIgEnXAX, 10) + t.length; | |
f.submit(); | |
}, 5850); | |
}, false); | |
})(); | |
//]]> | |
</script> | |
</head> | |
<body> | |
<table width="100%" height="100%" cellpadding="20"> | |
<tr> | |
<td align="center" valign="middle"> | |
<div class="cf-browser-verification cf-im-under-attack"> | |
<noscript><h1 data-translate="turn_on_js" style="color:#bd2426;">Please turn JavaScript on and reload the page.</h1></noscript> | |
<div id="cf-content" style="display:none"> | |
<img id="spinner" src="/cdn-cgi/images/spinner-2013.gif" /> | |
<h1><span data-translate="checking_browser">Checking your browser before accessing</span> pastebin.com.</h1> | |
<p data-translate="process_is_automatic">This process is automatic. Your browser will redirect to your requested content shortly.</p> | |
<p data-translate="allow_5_secs">Please allow up to 5 seconds…</p> | |
</div> | |
<form id="challenge-form" action="/cdn-cgi/l/chk_jschl" method="get"> | |
<input type="hidden" name="jschl_vc" value="b76c9a291b7a581012eb20b4b3915eaf"/> | |
<input type="hidden" id="jschl-answer" name="jschl_answer"/> | |
</form> | |
</div> | |
<div class="attribution"><a href="http://www.cloudflare.com/" target="_blank" style="font-size: 12px;">DDoS protection by CloudFlare</a></div> | |
</td> | |
</tr> | |
</table> | |
</body> | |
</html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment