Malware Script generated by WP_HEAD() in Header File (20 posts)

  1. ScreenName
    Posted 4 years ago #

    Google informed me that my WordPress site contained a Malicious script in the template (google found it on a custom error page).

    After some digging I finally was able to get a page to trigger my WebShield so that i could inspect the HTML.

    The following script was pressent in the header.

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Now that I could see the script I was able to determine the line of HTML code in the header file that was generating/returning the script to be discplayed....

    To my suprise the line was:

    <?php wp_head(); ?>

    before and after this line are links to stylesheets which also appear before and after the offending Jscript code in the error page...

    However, to make things more interesting, the javascript appears only SOMETIMES... usually on first visit to the website... then it does not reapear for some time. Cleaning Tempinetfiles and cookies has no impact.

    My question is simple... though the answer may be complex.

    How can i find the source of the offending code?

    I've run Scanner_2.6.php whihc returns a list of all files in the WP directory with Base64_Decode, Eval, Longtext, EMBED or IFRAME.

    There does not appear to be anything out of place.

    I have now also updated the WP install to the latest version and replaced all WP files.. so it is possible that I have overridden the source... only a new virus warning will reveal the truth.

    Any help finding the script generating the offending code would be very helpful.

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. ScreenName
    Posted 4 years ago #

    Thanks esmi

    I was just coming back to update my post with a little more information...

    I have already:

      Visited both http://sitecheck.sucuri.net/scanner/
      and http://www.unmaskparasites.com/. bot hshow the site and pages as clean
      confirmed HTAccess files are all clean.

    I will continue to search, read, apply and report back.

    It seems though that none of the posts I can find are specific to the script appearing from within the wp_head()... most talk about base64_decode PHP, Iframes, and code injected stright into the header/footer.php files. this is different... its being generated somewhere deeper in the WP files.

    A complete reinstall might be the only way to fix... the source.. I may never know.

  4. redleg-too
    Posted 4 years ago #

    @ScreenName, Would really appreciate it if you would post the malicious code sample to pastebin or maybe just take a quick look at this post on Stopbadware


    and post back if the code is the same or at least similar.

  5. ScreenName
    Posted 4 years ago #

    Hi Redleg-too

    The offending script code on my site isalmost identical to the one on your post at https://badwarebusters.org/main/itemview/29055#itemblock-29059

    The bulk of the code is identical. Only the second half of the first param val/var ("en0no3mno3nia-sno3ndpno3rxrpno3rxen0d") is different.

    I've pasted a copy to Patebine for further review http://pastebin.com/JUVgBW5P

    I've also completed a base64_decode search of all files below are the results. Only 3 files in my domain folder(and subfolders) contains the base64_decode line.

    Only 3 files returned a match.

    The first two look legit... however the third (class-simplepie) I need to check against a fresh install of WP to confirm thsi file and all contents are delivered with WP install.

    [Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]

    Would you like a report of files containing "EVAL"

  6. redleg-too
    Posted 4 years ago #

    @ScreenName, Thanks much for checking and confirming! There are 4-5 sites posting on Badware and 4-5 more on Google Forum and so far no one has been able to pin this one down. Would appreciate knowing the file names where you found the base64 stuff so I can pass then on in the other forums.

    There are some on line tools to decode base64 lines, I have one at http://redleg-redleg.com/base64/

    To use it you have to select the type of encoding using the radio buttons at the top and then paste the long character string into the box. If it is able to decode anything it returns the output as an image so it is reasonably safe to use.

  7. ScreenName
    Posted 4 years ago #

    Ahh... looks like the moderator pulled my list of files...

    Here is is again (condensed)

    * ./wp-app.php (Filename)
    -long_text - base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'
    -long_text - base64_decode(substr($_SERVER['REDIRECT_REMOTE_USE
    * ./wp-includes/class-IXR.php (Filename)
    -unknown - base64_decode( trim( $this->_currentTagContents
    * ./wp-includes/class-simplepie.php (Filename)
    -unknown - base64_decode($data

    I'll check out the tool you have suggested.

    I am encouraged that I am not the only one stupmed by this issue... and that there will be a host of people looking to solve this issue very quickly.

  8. I am encouraged that I am not the only one stupmed by this issue... and that there will be a host of people looking to solve this issue very quickly.

    I'm glad that you're encouraged, but the links that Esmi provided earlier really can get you out of this jam if you follow the advice there.

    The specific files really are irrelevant, the important thing is that an attacker was able to get in and modify them. You need to find and close the door that they got in via.

  9. ScreenName
    Posted 4 years ago #

    Agreed, and many of those steps are already taken... and will be taken again once the source is found.

  10. redleg-too
    Posted 4 years ago #

    @ScreenName Thanks!

  11. f0urfingeredfish
    Posted 4 years ago #

    Found the malicious code. It's in:

    very first line

    Now how did it get there ?

  12. ScreenName
    Posted 4 years ago #

    would you mind posting the line you found?

  13. redleg-too
    Posted 4 years ago #

    @f0urfingeredfish, Would greatly appreciate it if you would post the code in pastebin!

  14. f0urfingeredfish
    Posted 4 years ago #

  15. redleg-too
    Posted 4 years ago #

    Thanks very much!

  16. ScreenName
    Posted 4 years ago #

    OK, great, thanks. I'd done a search in my PHP files for hte same script (and portions of) and nothing is returned... however...

    If the location was the same for me (hidden in WP includes) then the upgrade on my sever from and older version of WP to 3.2.2 would have overwritten the file, thuse removed the virus.

    I'll need to resubmit to google and wait. Meanwhile I work on possible security issues that might have allowed the hacker access to the site.

  17. f0urfingeredfish
    Posted 4 years ago #

    Hmm. We just updated to 3.3.2 on May 2nd. And the malware isn't in the code before the update. I don't know how/when it got in there. But it produces the almost the same JS as yours:


  18. f0urfingeredfish
    Posted 4 years ago #

    it also appears to add a cookie named "lonly"

  19. ScreenName
    Posted 4 years ago #

    I would suggest the vulnerability in the server or WP is still present in the latest version. Allowing the hacker access. I upgraded AFTER notice of the virus (May 30).

    I run 5 websites. I did not upgrade them all... instead I upgraded only 1, then resubmited them all to google for a health review.

    Within hours all sites were listed as "clean"... but with 48 hours I had a new notice from google regarding TWO of the 4 sites not updated to WP 3.2.2.

    Since then I have updated these sites and resubmitted for Google HealthCheck.

    I'll need ot take a good look at how the hacker gained access to prevent this happening again. I'll post anything I find that might be useful for others.

  20. ScreenName
    Posted 4 years ago #

    Update: Its been 4 days since my last post. All sites are clean... no reports from google or site users otherwise.

    It would appear the malware code was injected into a WP_Include file, thus the update to 3.2.2 has over written the hacked file. If you are running 3.2.2 already you might try copying a fesh seto f WP include files ot your WP_Includes directory...

    As for "how" this attack happened, I am unsure - and we may never know... so for now I am tightening all security on the server to protect us as best as possible. I suggest other WP users do the same.

    Thank you to the community - especially those listed above for all your help and support.

Topic Closed

This topic has been closed to new replies.

About this Topic