• Resolved Jackie

    (@wordpressmacuser)


    Not sure how this is happening... but it happens and Wordfence didn’t do anything about it.
    My server ended up sending out spam due to this.

    Not sure what is wrong because I’ve taken _every_ single precaution and fix I could.

    At the time I had the following set up (all latest versions)

    1. Wordfence with Firewall and throttling on and most settings checked. 60 Day lock out
    2. WP Security – used as a tool only to check file permissions and other vulnerabilities.
    3. iThemes – with the firewall turned off. I used iThemes to shut down the admin panel entirely at certain times of the day. When this injection happened the panel was indeed shut down
    4. Clef for 2 factor
    5. GM Block Bots

    The domain in question was recently ripped apart and re-installed from scratch because it was hacked before.

    https://wordpress.org/plugins/wordfence/

    The WordPress access log has repeated POST requests with the paste file to the /wp-includes/js/tinymce/plugins2 folder from various IPs around the world (Russia, the US, Germany etc). Agent/referrer was “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)” so it wasn’t blank. Not sure what else I could have done. No one should be posting to the admin panel at all.
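
The access-log pattern described in the post above can be surfaced with a short triage script. This is an added example, not part of the original thread or of Wordfence; it assumes the "combined" log format and that POST requests into the wp-includes tree are not expected on the site, and the sample lines (IPs, timestamps, file name) are constructed, with only the user agent taken from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in "combined" log format; the IPs are documentation ranges,
# the file name is a placeholder, and only the user agent comes from the post.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
DROP = "/wp-includes/js/tinymce/plugins2/EXAMPLE-paste.php"
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2016:03:14:07 +0000] "POST {DROP} HTTP/1.1" 200 312 "-" "{UA}"',
    f'203.0.113.45 - - [01/Jan/2016:03:14:09 +0000] "POST {DROP} HTTP/1.1" 200 312 "-" "{UA}"',
    f'192.0.2.10 - - [01/Jan/2016:03:15:30 +0000] "POST /wp-includes//js/tinymce/plugins2/EXAMPLE-paste.php?x=1 HTTP/1.1" 200 312 "-" "{UA}"',
    f'192.0.2.10 - - [01/Jan/2016:03:16:00 +0000] "GET /wp-includes/js/tinymce/tinymce.min.js HTTP/1.1" 200 9000 "-" "{UA}"',
    f'192.0.2.99 - - [01/Jan/2016:03:17:00 +0000] "POST /wp-login.php HTTP/1.1" 403 120 "-" "{UA}"',
]

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def posts_to_wp_includes(lines):
    """Group POST requests aimed at the wp-includes tree by normalized path."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "agents": set(), "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %xx and collapse "//" so variants group together.
        path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
        if "/wp-includes/" not in path.lower():
            continue
        h = hits[path]
        h["count"] += 1
        h["ips"].add(m["ip"])
        h["agents"].add(m["ua"])
        # A 2xx answer means the server ran or returned something at that path.
        h["served"] += m["status"].startswith("2")
    return dict(hits)

if __name__ == "__main__":
    for path, h in sorted(posts_to_wp_includes(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f'{h["count"]:4d} POSTs  {len(h["ips"])} IPs  {h["served"]} served (2xx)  {path}')
        for ua in sorted(h["agents"]):
            print(f"       UA: {ua}")
```

Paths that show many distinct IPs and 2xx responses are the ones to inspect on disk first and to compare against a clean copy of the same WordPress release.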

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Sorry to hear about the hack. It may be a new type of infection that we have not seen yet. Unfortunately, attackers are always finding new ways of changing or hiding their code.

    Since you said the site was recently reinstalled from scratch, that might mean there is a vulnerability in a plugin or theme you have, that the author has not fixed yet.

    We have a guide for cleaning hacked sites here, which includes using other options for more thorough scans that may make the scan take longer, as well as other methods for cleaning:
    How to clean a hacked site using Wordfence

    If you have multiple sites on the same hosting account, make sure the other sites are also updated, even if they are non-WordPress sites. Some infections will cross between sites once they are established.

    If you still have a copy of the files from the /wp-includes/js/tinymce/plugins2 folder, you can send them to me, and our team will check them out so we can add them to future scans. My email address is mattr (at) wordfence.com

    -Matt R

    Thread Starter Jackie

    (@wordpressmacuser)

    Hi Matt!

    Thanks for your response and the guide to cleaning my site.

    I will follow up with you shortly by email.

    Thanks again!

    Best regards
    Jackie

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the email. Feel free to reply here if you have any trouble cleaning the site or have any other questions.

    -Matt R

The topic ‘Obfuscated Code Injected into includes/js’ is closed to new replies.