• Resolved ddmcleod

    (@ddmcleod)


    I just upgraded to WP 4.3.1 on one of my websites. After upgrade (which seemed to go with no problems at all), I noticed that the layout of my pages has changed. There is a bar across the top of my page (not the admin bar) that wasn’t there before. When I inspect the element there, I see a whole bunch of new code that is not being created by any of my plugins. And I cannot find the source of this injection in any of the provided php files. I have no idea where it is coming from, but I suspect that something in the WP 4.3.1 package has been compromised, or maybe there is a callout to a site somewhere that injects this code.

    Anyway, this is a BIG problem and I don’t know how to fix it.

    I’ve copied the injected code below. It appears in all the pages on my site, right below the <body …> tag. Interestingly it can only be seen by “inspecting element” in the browser; page source does not reveal it (I’ve added some line breaks to make it more readable, but this is exactly what shows up in my page).

    This same problem occurs on every site where I upgrade to WP 4.3.1. I hope someone can fix this problem IMMEDIATELY!!

    David McLeod

    The injected code can be seen here: https://pastebin.com/ByME1EFt

Viewing 15 replies - 16 through 30 (of 42 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    People please stop posting malicious code on the forums. If you want to share it use PasteBin. Otherwise the next time you’ll visit this thread, Google could have deemed the page unsafe. You know, the big red warning you get when you visit an “unsafe” website?

    I did full scans of my computer using malwarebytes, defender, and spybot. My header file was still compromised. I am left wondering how they are getting in and hope someone gets to the bottom of that, fast. At this point, I’m thinking it is a vulnerability in WP itself.

    One thing that I’m thinking about doing is renaming the actual header file and changing the redirect to point to the newly named file. I presume that this is an automated attack somehow and is not sophisticated enough to notice that I have changed the file name. Too bad this change might be over-written by any future WP updates.

    Can anyone give any details if your windows machine has been infected? Stuff like Windows version, Java version?

    I believe these posts about computers infecting their hosting accounts have it backwards. Visiting their infected websites has infected their computers, not the other way around.

    I believe this problem is not related to a vulnerability in WordPress, but in cPanel. WordPress is just a platform that is infected because of this vulnerability.

    The vulnerability copies “payload” files onto the root of the cPanel’s file structure that is then executed. Search your File Manager for “payload” and you might find .php and .txt.

    I am using Genesis theme on all of my sites so index.php and footer.php weren’t affected, but the header.php file was always affected. I have been manually cleaning it.

    I’ve ordered a manual virus scan from my web host, Bluehost, to see if they can find anything on my account. If they find anything, they’ll quarantine my account.

    It could be that the problem is actually happening on someone else’s account that is infecting your account, but this is pure speculation at this point.

    Thread Starter ddmcleod

    (@ddmcleod)

    One thing I found for myself is that if I do a “Generate Full Backup” on HostGator and download the resulting tar.gz file onto my computer, then I can use Windows Defender to run a scan on that file. In my case the file is about 1.5GB in size and includes approximately 100,000 files, so it takes about 25 minutes to do a full scan. Windows Defender was able to detect the virus quite easily, and it was able to identify for me where it was located. Interestingly, it was mostly cached files that were infected, so when I deleted those and reset my caching plugins most of the infections disappeared.

    I kept doing this until I was able to generate a clean backup on HostGator and assure myself that there are no more instances of the trojan on either my computer or my hosting service.

    I think the mechanism for this trojan is as follows:
    1. I go to a site that has the infection in one of its files. Nothing appears amiss when I visit this site.
    2. I download something to my computer, where the trojan sees a “friendly environment” for operating.
    3. At some point, I log into my HostGator account and the trojan recognizes the ftp connection. It uploads itself silently to my hosting service and modifies the files that it wants to modify. It can do this because it has access through my own credentials–even if it didn’t capture my credentials when I logged in.

    I think all of this happened before Windows Defender became aware of the Trojan and updated its databases. Now, anytime I download something that has the infection, it is caught immediately.

    Anyway, I’ve changed all my passwords and made them even more secure than they were before. I think I am out of the woods now, but I’m still on the lookout.

    Good luck to everyone else.

    Cheers,

    David

    Last week I removed the virus from the header.php and it came back today. I still don’t know how the header.php got infected. I removed the bad JavaScript line from the header and the virus is removed, for now. I am hosting the website on a XAMPP installation that’s running on a Windows 2003 Server.

    Rednas_N, if all you did is clean up the header.php file, that’s not enough. That’s just the symptom, not the cause.

    Were you running Jetpack? It had a cross-site bug that was fixed 6 days ago. That could have been what let the hack in.

    My web host did a virus scan on my account, found malware, and locked my site down. The malware was in many, many files.

    Rednas, you also need to look at your htaccess file for a malicious redirect.

    I have run 4 anti-virus programs on my computer. Some things were found by the first three, but nothing serious. I put Windows Security Essentials on and it found some js injections in the cache of my firefox browser. I really don’t know if that is it, or not.

    I believe it is fair to say that my own computer is involved somehow in bringing back the virus. But I am not convinced that there is not an exploit somewhere that needs to be identified.

    In support of the FTP theory (David’s), though I run hundreds of WordPress sites, the only 2 that continually get infected are ones that are stored in the site manager of my Filezilla. If that is involved, it would actually help make sense of things a little, because I have changed the password numerous times, to no avail. But I updated it in Filezilla each time, too. ??

    I already scanned with Symantec Endpoint Protection, no detections at all. I also built a simple program that scans every file for code like ‘var a=’. But no results yet.

    I believe this problem is possibly cPanel related. Both ddmcleod’s Hostgator and my Bluehost account use cPanel, but my other hosts, 1and1 and Godaddy, do not.

    It could be that the cPanel login is getting exposed through some vulnerability. Jetpack had a cross-site vulnerability they patched 6 days ago. I’m not sure.

    Here is the first indication I’ve found of a Cpanel connection.

    A server that I had already scanned came up again with this entry in the virus scan:

    .fantasticodata/language.php {HEX}php.brute.bf1lic.187.UNOFFICIAL

    I don’t have any idea if this is connected.

    Here’s an update from the cleanup service at my webhost:

    Here are some examples of files that were removed or cleaned:

    /public_html/[domain directory]/wp-admin/css/colors/ocean/sql.php
    /public_html/[domain directory]/wp-content/uploads/title.php
    /public_html/[domain directory]/wp-includes/default-filters.php

    Hope this helps other people clean up their systems.

    And to others’ point that it may be a local computer malware infection problem, they also said, “I would also suggest to check any PC that connects to your account here for malware, such as password stealing keyloggers or other malware and to change your main Cpanel password as well as those for any FTP accounts you have created and to remove those you are no longer using from within your cpanel.”

    Here’s an update from my end…

    After I removed those first infected files I found, I received an email from my host saying they received reports of spam originating from my account. They ran a virus scan for me and found quite a few more infected files.

    I cleaned those up by hand, then ran a virus scan from cPanel and found even more compromised files. I cleaned those up too, then repeated the process until I couldn’t find any more.

    The next morning, I scanned the file system and found infected files again; so the cPanel virus scanner obviously didn’t catch everything. From there, I grep’ed for some common elements in the malicious code, then cleaned up whatever I found.

    I think I got everything at that point, but for good measure, I did what ddmcleod described and downloaded and scanned backups of my server file system using Windows Defender and Malwarebytes. These scans came back clean, and subsequent cPanel scans over the past three days have also been coming back clean, so I think I’m safe for now.

    I also updated all installations of WordPress, updated all themes and plugins, disabled all but one FTP account, and changed all passwords, including my cPanel password. I ran at least half a dozen scans of my local machine, but I was never able to find any evidence of an infection there.

    I still don’t know exactly how the server was breached, but I’m fairly confident it wasn’t through a local virus/trojan. I suppose it could’ve been due to a cPanel vulnerability, but I don’t see any evidence of that, and I haven’t seen any recent vulnerability alerts. I’m hoping the problem was caused by a weak password, a recently patched WordPress security flaw, or a combination of the two, as both of those issues have been addressed now.

    Good luck!

    I found:

    [ Moderated, please do not post malware code here. ]

    on wp-blog-header.php, header.php and footer.php

    Guys…just listen to ddmcleod if you want to resolve the issue. I too was dumbfounded, thinking that I was being hacked, but it actually is a local trojan on the PC…I eventually used supermalware and Windows Defender (both free) to remove it before cleaning files on the server – there is no point in cleaning the server and not sorting out your local machine first.

    I would suggest you do this before you too get blocked by your host (i.e. HostGator) and have to explain why you were “sending spam from your server”, which I think was the ultimate purpose of this program.

    quote from ddmcleod (2 weeks ago)

    I think I found the source of this problem. It took the better part of two days to figure out, but as I put together the whole sequence of events, it looks like the following happened:

    1. My computer got infected with the Trojan:JS/Iframeinject malware. This was detected and eliminated by Windows Defender, but not before the damage was done.
    2. While this virus was active, I logged into my HostGator account. The virus appears to have injected its script into every header.php file it could find. Very cleverly, the malware achieved this by doing the following:
    a. It read the timestamp on the header.php file.
    b. It inserted its script right after the <body…> tag and saved the file.
    c. It then touched the file to reset the timestamp to what it was before the modification.
    3. Every header.php file in my system was modified, and this is what caused the spurious changes to occur in my rendered html.

    Once the virus was completely removed from my computer (which took several scan passes by Windows Defender and Malwarebytes), it was a relatively simple task to remove the offending script lines from all of the header.php files. I did all of that manually. I could probably have accomplished the same by just upgrading all my themes; however, I wanted to make sure that none of my other changes got overwritten.

    The problem seems to be resolved now, but I leave this information here in case someone else runs into the same problem.

    Cheers,

    David
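A defender-side scanner for the two indicators this thread describes (a script block inserted directly after the <body …> tag in header.php and similar template files, and the mtime being touched back to its pre-modification value), combined with the grep-style search for strings like ‘var a=’ that a poster above used. This is an added example, not code from any poster or from WordPress; the obfuscation patterns, the target file names and the one-hour margin are constructed assumptions.

```python
import os
import re
import sys

# Opening <body ...> tag followed immediately by an inline <script> block:
# the injection position the thread reports for header.php.
BODY_SCRIPT_RE = re.compile(r"<body\b[^>]*>\s*<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Constructed heuristic for obfuscated loaders; one poster grepped for 'var a='.
OBFUSCATION_RE = re.compile(r"\bvar\s+a\s*=|\beval\s*\(|unescape\s*\(|fromCharCode", re.I)
# Template files the posters found modified (assumed list, extend as needed).
TARGET_NAMES = {"header.php", "footer.php", "index.php", "wp-blog-header.php"}

def inspect_content(text):
    """Return findings for one template's text; an empty list means nothing odd."""
    findings = []
    m = BODY_SCRIPT_RE.search(text)
    if m:
        kind = "obfuscated" if OBFUSCATION_RE.search(m.group(1)) else "inline"
        findings.append(f"{kind} <script> directly after <body>")
    return findings

def timestamp_reset_suspected(file_mtime, file_ctime, dir_ctime, margin=3600):
    """Heuristic for the 'touch the mtime back' trick: on Linux, ctime cannot be set
    from user space, so a file edited and then touched back has an mtime far older
    than its ctime. Requiring ctime to also be well past the directory's ctime keeps
    a freshly unzipped install (old mtimes, but ctime == dir ctime) from being flagged."""
    return (file_ctime - file_mtime > margin) and (file_ctime - dir_ctime > margin)

def scan_tree(root):
    """Walk a WordPress tree; return {path: [findings]} for flagged template files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        dir_ctime = os.stat(dirpath).st_ctime
        for name in files:
            if name not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = inspect_content(fh.read())
                st = os.stat(path)
                if timestamp_reset_suspected(st.st_mtime, st.st_ctime, dir_ctime):
                    findings.append("mtime reset after modification suspected")
            except OSError as exc:
                findings = [f"unreadable: {exc}"]
            if findings:
                report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: {'; '.join(findings)}")
```

Run it against a downloaded backup rather than the live host, and treat the timestamp check as a lead to confirm by diffing the file against a clean copy of the theme, since chmod or a restore from backup also moves ctime.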

  • The topic ‘JS Injection After WP 4.3.1 Upgrade’ is closed to new replies.