• Resolved ddmcleod

    (@ddmcleod)


    I just upgraded to WP 4.3.1 on one of my websites. After upgrade (which seemed to go with no problems at all), I noticed that the layout of my pages has changed. There is a bar across the top of my page (not the admin bar) that wasn’t there before. When I inspect the element there, I see a whole bunch of new code that is not being created by any of my plugins. And I cannot find the source of this injection in any of the provided php files. I have no idea where it is coming from, but I suspect that something in the WP 4.3.1 package has been compromised, or maybe there is a callout to a site somewhere that injects this code.

    Anyway, this is a BIG problem and I don’t know how to fix it.

    I’ve copied the injected code below. It appears in all the pages on my site, right below the <body …> tag. Interestingly it can only be seen by “inspecting element” in the browser; page source does not reveal it (I’ve added some line breaks to make it more readable, but this is exactly what shows up in my page).

    This same problem occurs on every site where I upgrade to WP 4.3.1. I hope someone can fix this problem IMMEDIATELY!!

    David McLeod

    The injected code can be seen here: https://pastebin.com/ByME1EFt

Viewing 12 replies - 31 through 42 (of 42 total)
  • I have this problem just with HostGator with all themes… Does anyone have this problem with another provider?

    Cheers,

    Came across the same problem on my sites today. Seven sites were WordPress, one was Joomla, but same exploit. Hacked header.php file. All hosted on HostGator.

    Have scanned my personal pc with several different scanners and most definitely nothing on my end that could have been uploaded to my host.

    Was an easy fix. Just edit out the script in header.php and problem solved. Changed all passwords to be sure, but pretty sure this is a HostGator/hosting problem and not something that is being uploaded from personal PCs.

    Will update if problem re-occurs.

    growstudiomx, no, the problem is not just with HostGator, but seems to be associated with hosts that use cPanel. I use Bluehost, which also uses cPanel, but my websites on 1and1 and GoDaddy were not affected.

    willf, header.php is where the symptoms show up, but the cause is elsewhere. Check all of these locations in your /public_html/[domain folder]/ for files:

    .htaccess
    /cgi/ <- look for a .js file here – this directory should be blank
    /wp-admin/css/colors/ocean/sql.php
    /wp-content/uploads/title.php
    /wp-includes/default-filters.php
    /wp-content/themes/[theme name]/footer.php
    /wp-content/themes/[theme name]/header.php

    Also check your / (root) folder (the folder above “public_html”) for “payload” files, consider deleting any backups created while you were infected, and consider clearing out any cache plugins you are using.
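    One way to run that checklist across many sites at once, as an added example that is not from anyone in this thread: it walks a site root and reports the listed locations, any script in cgi/, and any PHP file under uploads/. The function names are my own; the paths come from the list above, with the bracketed theme and domain parts treated as wildcards.

```python
import os
import fnmatch

# Locations from the thread's checklist, relative to the site root. Bracketed parts in the
# original list vary per site, so they are wildcards here. Several entries are legitimate
# files that were modified rather than dropped, so a hit means "review", not "delete".
KNOWN_DROPS = [
    ".htaccess",                          # legitimate; review for injected rewrite rules
    "wp-admin/css/colors/ocean/sql.php",  # not part of a clean WordPress install
    "wp-content/uploads/title.php",       # PHP under uploads/ is never expected
    "wp-includes/default-filters.php",    # core file; diff against a clean copy of your version
    "wp-content/themes/*/header.php",     # review the lines just above </head>
    "wp-content/themes/*/footer.php",     # review the lines just above </body>
]

def audit_paths(rel_paths):
    """Take paths relative to the site root and return (path, reason) pairs for everything
    the checklist says to inspect. Pure function, so it can be tested without a filesystem."""
    findings = []
    for raw in sorted(set(rel_paths)):
        p = raw.replace(os.sep, "/")
        if any(fnmatch.fnmatch(p, pat) for pat in KNOWN_DROPS):
            findings.append((p, "on the thread's checklist"))
        elif p.startswith("cgi/") and p.endswith(".js"):
            findings.append((p, "script in cgi/, which should be empty"))
        elif p.startswith("wp-content/uploads/") and p.endswith(".php"):
            findings.append((p, "PHP file under uploads/"))
    return findings

def scan_site(docroot):
    """Walk a real site root (e.g. /public_html/example) and audit every file in it."""
    rel = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel.append(os.path.relpath(os.path.join(base, name), docroot))
    return audit_paths(rel)
```

    Run scan_site() on each account's document root and compare the flagged core files against a clean download of the same WordPress version before deleting anything.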

    Hello guys,

    I am a beginner in WordPress and also got this problem.
    I have 3 infected sites on nazwa.pl host.

    Can you please tell me which lines of code I should delete, and from where?
    Already scanned my computer and it was clean.

    Guys, you all made my day! Many thanks. Just as willf told, I checked my header.php and deleted the lines at the bottom.

    But how could this script have been installed? All add-ons and WordPress are on the newest version.

    [ Moderated, please do not post malware code here. ]

    I do not agree with the idea that the infection was on your dev pc first. You probably got it after your WP site got infected.

    However, it happened to one of my sites too. Looking at the server logs, this is what happened:

    [06/Oct/2015:06:16:22 +0200] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:06:16:24 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 128092 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:06:16:28 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 123382 "https://www.nuapua.com/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"

    So what happened?
    – the intruder knew an admin user/pwd combination. How this happened is being investigated at the moment.
    – he uploaded a plugin file called ‘options.php’.

    An hour and a half later, he started to execute the uploaded file(s) and spread the infection:

    [06/Oct/2015:07:42:59 +0200] "POST /options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:42:59 +0200] "GET /options.php?cookie=1 HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:42:59 +0200] "POST /wp-content/options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:00 +0200] "GET /wp-content/options.php?cookie=1 HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:00 +0200] "POST /wp-content/plugins/options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:00 +0200] "GET /wp-content/plugins/options.php?cookie=1 HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:00 +0200] "POST /wp-content/themes/options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:00 +0200] "GET /wp-content/themes/options.php?cookie=1 HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:01 +0200] "POST /wp-content/upgrade/options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:01 +0200] "GET /wp-content/upgrade/options.php?cookie=1 HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:01 +0200] "POST /wp-content/uploads/options.php HTTP/1.0" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
    [06/Oct/2015:07:43:02 +0200] "GET /wp-content/uploads/options.php?cookie=1 HTTP/1.0" 200 8 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"

    I then ended up with a WP install with corrupted header.php of the active theme and a lot of modified plugin and core files.

    Just reverting back the header.php IS NOT ENOUGH. There are going to be modified and additionally uploaded files everywhere throughout the whole WP install.

    You need to find and repair/delete all modified files, otherwise your WP install will never be safe again.

    You might want to try a plugin like Wordfence to clean up your site and search for infected files.
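    To turn the log excerpt above into a repeatable check, here is an added example that is not the poster's code: it parses lines in the same abbreviated format, locates the plugin upload through update.php, and flags later direct requests to PHP files that are not WordPress entry points. The sample lines are taken from the post with the user agent shortened, and the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Matches the abbreviated access-log format quoted above (no client IP column).
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+\S+\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Scripts WordPress serves directly; a direct hit on any other .php file, especially
# under wp-content/, is how a dropped file such as options.php gets invoked.
CORE_ENTRY = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
              "/wp-comments-post.php", "/wp-signup.php", "/wp-activate.php"}

# Constructed sample: lines from the post, user agent shortened to keep them readable.
SAMPLE_LOG = [
    '[06/Oct/2015:06:16:22 +0200] "POST /wp-login.php HTTP/1.0" 302 - "-" "UA"',
    '[06/Oct/2015:06:16:24 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 128092 "-" "UA"',
    '[06/Oct/2015:06:16:28 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 123382 "-" "UA"',
    '[06/Oct/2015:07:42:59 +0200] "POST /options.php HTTP/1.0" 200 1 "-" "UA"',
    '[06/Oct/2015:07:43:02 +0200] "GET /wp-content/uploads/options.php?cookie=1 HTTP/1.0" 200 8 "-" "UA"',
]

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["path"], _, e["query"] = e["url"].partition("?")
    return e

def is_core_entry(path):
    return path in CORE_ENTRY or path.startswith("/wp-admin/")

def find_webshell_activity(lines, window=timedelta(hours=3)):
    """Find the chain from the post: plugin upload via update.php, then direct requests to
    non-core PHP files within `window`. Returns (upload_event_or_None, suspicious_events);
    with no upload seen, every non-core PHP hit is reported so nothing is silently dropped."""
    events = [e for e in map(parse_line, lines) if e]
    upload = next((e for e in events if e["path"] == "/wp-admin/update.php"
                   and "action=upload-plugin" in e["query"]), None)
    suspicious = []
    for e in events:
        if not e["path"].endswith(".php") or is_core_entry(e["path"]):
            continue
        if upload is None or timedelta(0) <= e["ts"] - upload["ts"] <= window:
            suspicious.append(e)
    return upload, suspicious
```

    Feed it the full access log and the first suspicious entry gives you the timestamp to bound your search for modified and newly uploaded files.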

    If it’s the jsnitch problem – check with developer tools and look at the Network load – the problem is probably in your theme header.php.

    Look at the code just above the ‘</head>’ tag.

    Take out the two sets of ‘<!-- ###: -->’ enclosed script and you’ll be right.

    Worked for me anyway…..

    Then get the Wordfence plugin.

    @timcolman – That’s not a fix, you need to find and kill the source

    We’re running about 60 instances on a shared server. For the most part, they run under a shared user account. What are everyone’s thoughts about unique user accounts? Will that, at least, stem the spread?

    @farmerjohn2112 how do I do it? I am not a pro developer, just a normal user. Can you help and explain how to find it, and where to look?

    Just had this email from Envato where I bought my theme.

    We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015). This plugin was included in items you’ve purchased (listed below).

    We have been working with WP Bakery, the creators of Visual Composer, who have addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this change is made.

    Don’t know if anyone else is using Visual Composer??

    Kashmir

    (@wasim-raja-khan)

    I have the same problem on all sites. I just deleted the code and it works fine, but I still don’t know how the code is inserted into all my header files, as I am using three header files in my theme.

    Please help me, if anybody got the solution.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Looks, cleans up topic*

    Please do not post malware code in these forums. That malware code 100% does not matter; it’s the fact that the code was able to be inserted that is the real problem.

    If your site is compromised then you need to start working your way through these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    Hardening WordPress
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

    Yes, it’s an intimidating list but can help you get a handle on your situation.

    Now if anyone else is compromised, please, per the forum welcome, post your own topic.

    It’s the best way to get support for your specific problem. As the original poster has indicated that his site is OK for now, I am closing this topic.

  • The topic ‘JS Injection After WP 4.3.1 Upgrade’ is closed to new replies.