I was notified about a random div that is not supposed to be on a site I administer.
There was a div with a style of
and a bunch of random links (see image below).
Searching for anything that is in that div gave no results. So I decided to track down where it is being generated.
The first thing to blame were scripts… Using the Network analysis tab in Chrome, I refreshed the website and checked the first request that was made (it was for the HTML file). The response already had that div in the HTML code. This meant that the whole thing had to be happening on the server and was not being added later by a script.
I tracked down the place in the template where the div was located (it was in the footer.php file) and found:
$c3RyX = "lFBQu3";
Decoding the string in the eval function confirmed the suspicion:
This was definitely added maliciously and had to be removed.
After changing all the passwords and removing the previously mentioned PHP code, the site is up and running as expected.
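The manual steps above (find the eval in a template, decode its string to confirm) can be repeated across a whole theme directory without executing anything. The following is an added example, not code from the original post; it assumes the encoded string is base64, and the sample footer, the names `scan_source` and `scan_tree`, and the payload text are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
# Quoted literals made only of base64-alphabet characters, 16+ long.
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

def try_b64(literal):
    """Decode literal as strict base64; return text only if it looks readable."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    readable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and readable / len(text) > 0.9 else None

def scan_source(source, name="<string>"):
    """Report eval() lines and decoded literals for one PHP source, or None."""
    eval_lines = [n for n, line in enumerate(source.splitlines(), 1)
                  if EVAL_RE.search(line)]
    if not eval_lines:
        return None
    # The encoded string is often assigned on a different line than the eval,
    # so literals are collected from the whole file, not just the eval line.
    decoded = [t for t in map(try_b64, B64_LITERAL_RE.findall(source)) if t]
    return {"file": name, "eval_lines": eval_lines, "decoded": decoded}

def scan_tree(root):
    """Scan every .php file under root (for example a theme directory)."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        hit = scan_source(path.read_text(errors="replace"), str(path))
        if hit:
            hits.append(hit)
    return hits

# Constructed sample, not the code found on the affected site.
SAMPLE_PAYLOAD = 'echo "constructed sample";'
SAMPLE_FOOTER = (
    '<div id="footer">Site footer</div>\n'
    '<?php $v = "' + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + '";\n'
    "eval(base64_decode($v)); ?>\n"
)

if __name__ == "__main__":
    print(scan_source(SAMPLE_FOOTER, "footer.php"))
```

Any hit still needs a human look: some legitimate plugins call eval, and an attacker can layer other encodings that this base64-only check will report as an eval line with no decoded text.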