JS Injection After WP 4.3.1 Upgrade

You can see this problem for yourself at https://www.ilovemyshadow.com

Have you tried:

– deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

– switching to the default theme to rule out any theme-specific problems.

– resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

– re-uploading all files & folders – except the wp-content folder and wp-config.php & root .htaccess files – from a fresh download of WordPress. Make sure that you delete the old copies of files & folder before uploading the new ones.

Tried all that.

Also tried uploading different versions of WP. I got a clean result at WP 4.2 then I upgraded my plugins and the trash started showing up again. Can’t seem to clear it at all now.

Clearing cache, history & cookies doesn’t resolve the problem. I can’t tell where this injected code is coming from. Also, Google doesn’t seem to be much help in telling me anything useful about https://kfc.i.illuminationes.com/snitch, which is one of the links that is being created.

I’m completely baffled by this. Sure would be nice if someone else was seeing this problem so I could have another set of eyes on it.

You need to reset the plugin folder again. Do not activate any plugins or themes until you are back to WordPress 4.3.1

I think I found the source of this problem. It took the better part of two days to figure out, but as I put together the whole sequence of events, it looks like the following happened:

1. My computer got infected with the Trojan:JS/Iframeinject malware. This was detected and eliminated by Windows Defender, but not before the damage was done.
2. While this virus was active, I logged into my HostGator account. The virus appears to have injected its script into every header.php file it could find. Very cleverly, the malware achieved this by doing the following:
a. It read the timestamp on the header.php file.
b. It inserted its script right after the <body…> tag and saved the file.
c. It then touched the file to reset the timestamp to what it was before the modification.
3. Every header.php file in my system was modified, and this is what caused the spurious changes to occur in my rendered html.

Once the virus was completely removed from my computer (which took several scan passes by Windows Defender and Malwarebytes), it was a relatively simple task to remove the offending script lines from all of the header.php files. I did all of that manually. I could probably have accomplished the same by just upgrading all my themes; however, I wanted to make sure that none of my other changes got overwritten.

The problem seems to be resolved now, but I leave this information here in case someone else runs into the same problem.

Cheers,

David

Hi,

I experienced the same issue with my site. Which plugins do you have installed? Maybe it’s some kind of security issue on one of the installed plugins.

They only infected this file: “D:\wwwroot\<sitename>\wp-content\themes\<theme name>\header.php”

Sander

I’ve had this infect my header file twice now. The first was the teaserguide URL. Today I noticed illuminationes. Wordfence does detect that the header file contains malicious code.

I am using a Themify theme, if that matters.

Other sites reporting on this issue:
https://blog.dynamoo.com/2015/09/tainted-network-kfciilluminationescomsn.html
https://sntjohnny.com/front/the-teaserguide-wordpress-hack/2683.html

I just noticed that this has infected two of my WP sites on my shared hosting account, but not a third one. Both infected sites use a Themify theme. Here is a list of the plugins common to both sites:

Just Writing by Greg Ross
ManageWP – Worker by ManageWP*
Wordfence Security by Wordfence*
WordPress Researcher by wordpressdotorg*
WPMU DEV Dashboard by WPMU DEV*

*denotes plugins ALSO present in the site that was not infected. Does this mean that Just Writing is the culprit? It was just updated five days ago.

Okay folks, this might not be a WP issue at all. I just found that the code had been injected into a drupal site I have on the same shared hosting.

Check ALL of your header.php files.

As you saw in my earlier post, this trojan seemed to operate from my home machine. When it saw that I had logged into my hostgator account, it somehow tagged along and modified every header.php file it could find. I’m pretty certain that the trojan CANNOT operate from within the Hostgator environment–which is a Linux/Unix environment (unlike my home machine which is Windows 10).

Anyway, once I eliminated the trojan from my system, using Windows Defender AND Malwarebytes, I was able to clean up the header.php files and the problem has not recurred.

I still don’t know how the malware got onto my machine in the first place–I’m sure that it can come from various sources on the internet–but I’m confident it is gone…for now!

As for my website structure, I use different themes and different plugins on different websites. This trojan didn’t seem to care about any of that; it just modified all header.php files indiscriminately. In particular, I don’t use any of the themes or plugins that you’ve listed here.

Get Malwarebytes working on your computer; another alternative is SuperAntiSpyware which I’ve heard good things about but I haven’t tried myself. My Windows Defender is doing its job!

Hope this helps.

David

David, thanks for the response.

I’ve only accessed my hosting control panel (Site5) from a work computer and a Chromebook. I assume Symantec Endpoint Protection is strong enough to detect if my work computer is infected. Can a Chromebook be?

My Windows Defender is set to scan my computer every day and it did not detect anything. Prompted by this thread, I ran Malwarebytes.

MB says it only found potentially unwanted files (PUP), which makes me skeptical of the idea that my computer was compromised, per se. However, many of these presented as FF extensions with this phrase in it: \[email protected]\ some of which were associated with js file names.

Too suspicious to leave, so I whacked them.

It will be interesting to see if I continue to have this problem, and a little sad that Defender didn’t do the job for me.

I discovered this problem because a visitor of the website contacted me about the problem. Kaspersky was detecting the ‘virus’ at their computer after visiting the website.

I was affected by this too. In fact, all of my sites on one particular server were affected. I followed the steps above to remove the malicious code, but I found some more code in files containing the terms “index”, “footer”, or “main” in their names.

The code looks like this:

[Code moderated]

foreach($files as $file){ echo 'Checking ' . $file . ' at ' . time() . "...\n";
    $content = file_get_contents('../' . $file);

    $content = str_replace($replace, '', $content);

    file_put_contents('../' . $file, $content);
}

echo 'Done at ' . time() . '!';

?>

To use it, run grep to generate a list of files containing the string “onfr64_qrpbqr”, then format that list as an array to insert in my script. You’ll also have to change the file paths in file_get_contents and file_put_contents so it makes sense for your directory structure.

Good luck!

In my case it was:

[Code moderated]

and it was only in the index.php of the templates.
In my case I just searched for the string “1Aqapkrv” and confirmed that it was nowhere else but there.