Support » Plugin: Wordfence Security - Firewall & Malware Scan » Injectscr & Injectbody

  • Resolved st.dangerous

    (@stdangerous)


    Just wanted to give others a heads up that a standard Wordfence site scan will NOT catch the injectscr and injectbody malicious plugins.

    You’ll need to change the passwords of ALL your Admin accounts first, then delete the 2 hidden plugins from your plugins directory. I then changed ALL my Admin account passwords again just to be safe.

    We got a call from a new client yesterday who needed a site save. They’d been hacked but didn’t know how. After some digging, I saw what was going on. So I removed the malicious plugins – injectscr and injectbody. However, I hadn’t changed the Admin passwords yet, and between the time it took me to remove the directories and go change the password for the ‘admin’ username (the client set it up that way – now changed), an automated bot had logged in and re-installed the malicious, hidden, plugins in the plugins directory.

    Sucuri details the infection here – https://blog.sucuri.net/2018/02/unwanted-popups-caused-injectbody-injectscr-plugins.html

    Ironically enough, Sucuri scans don’t find the malicious plugins either, even though they documented the technique!

    For anyone looking for details, Wordfence did alert me to the following, related, 6 malicious files as well:
    wp-content/wpspl-load-compat.php
    wp-includes/wpspl-load-compat.php
    wp-includes/wp-scachetop.php
    wp-includes/wp-sclouds.php
    wp-includes/wpclan-rss.php
    wp-includes/wpn-sops.php

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @stdangerous,

    Thank you for bringing this to our attention.

    Can you confirm that you had all scan options enabled as outlined in our site cleaning guide?

    wfyann

    (@wfyann)

    Hi @stdangerous,

    It appears attackers are logging in and uploading a plugin which then injects JavaScript in “wp_head” and possibly other WordPress functions; this results in the (hex encoded) JavaScript code being loaded in pages.

    We have detection for this type of infection but we are adding some signatures to make the scan even better at detecting it.

    crazyivan85204

    (@crazyivan85204)

    Found another malicious plugin that appears to be related
    ‘antisp’ found it on the same site that I found ‘injectbody’ installed
    they appear to be the same thing

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.