• Hi guys,

    Google is identifying a possible malware injection in the code.

    <script type='text/javascript' src='https://projetoescoladerock.com.br/wp-content/plugins/portfolio-gallery/js/portfolio-all.js'>

    And it has blocked the site. I did not find any visible problem in the file in question. Could you check, please?

    Page portfolio-all.js:

    // SET THIS VARIABLE FOR DELAY, 1000 = 1 SECOND
    var delayLength = 4000;

    // Interval handle shared by the auto-advance timer and the Stop/Start link
    // (declared here so it is not created as an implicit global)
    var sliderIntervalID;

    // Move #mover left by one panel, or wrap back to the first panel once the
    // end position (tooFar) is reached. The images are lifted out of view while
    // the strip moves and dropped back afterwards.
    function doMove(panelWidth, tooFar) {
        var leftValue = jQuery("#mover").css("left");

        // Fix for IE, which reports "auto" before any left value has been set
        if (leftValue == "auto") { leftValue = 0; }

        // parseFloat takes a single argument; a radix only applies to parseInt
        var movement = parseFloat(leftValue) - panelWidth;

        // Wrapping to the start and a normal step are the same animation with a
        // different target position
        var target = (movement == tooFar) ? 0 : movement;

        jQuery(".slide img").animate({
            "top": -200
        }, function() {
            jQuery("#mover").animate({
                "left": target
            }, function() {
                jQuery(".slide img").animate({
                    "top": 20
                });
            });
        });
    }

    jQuery(function(){

        var $slide1 = jQuery("#slide-1");

        // Panel width including horizontal padding, as numbers rather than "123px"
        var panelWidth = parseFloat($slide1.css("width"));
        var panelPaddingLeft = parseFloat($slide1.css("paddingLeft"));
        var panelPaddingRight = parseFloat($slide1.css("paddingRight"));

        panelWidth = panelWidth + panelPaddingLeft + panelPaddingRight;

        var numPanels = jQuery(".slide").length;
        var tooFar = -(panelWidth * numPanels);
        var totalMoverWidth = numPanels * panelWidth;
        jQuery("#mover").css("width", totalMoverWidth);

        jQuery("#slider").append('<a href="#" id="slider-stopper">Stop</a>');

        sliderIntervalID = setInterval(function(){
            doMove(panelWidth, tooFar);
        }, delayLength);

        // Toggle the auto-advance timer from the Stop/Start link
        jQuery("#slider-stopper").click(function(){
            if (jQuery(this).text() == "Stop") {
                clearInterval(sliderIntervalID);
                jQuery(this).text("Start");
            }
            else {
                sliderIntervalID = setInterval(function(){
                    doMove(panelWidth, tooFar);
                }, delayLength);
                jQuery(this).text("Stop");
            }
        });

    });

    https://www.ads-software.com/plugins/portfolio-gallery/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thank you we will check this.

    Thread Starter rcriche

    (@rcriche)

    Guys,

    Another file may have a problem too, according to Google: jquery.hugeitmicro.min.js

    Is there an update on this?

    Dan

    (@securitydan)

    Hi,

    I used Online CURL to grab the contents of the JavaScript file (portfolio-all.js) you mentioned above. The first line of this file includes the malicious obfuscated code. The code appears to be related to the recent VisitorTracker campaign highlighted by Sucuri. If a browser is vulnerable and successfully goes through the infection chain, the redirection goes to this malicious domain (dgdsgweewtew.cf) hosting an exploit kit. Most likely, they targeted a vulnerability in one of your plugins.

    For mitigation, you can try reviewing the timestamps of each webpage to identify which pages were modified recently and delete the exploit code. If you can search or grep across the server, you may try the keyword “eval(function(p,a,c,k,e,d)”. That is the beginning of the exploit code. It is highly likely there is more than one page that is impacted. Make sure to persistently check through all files under the website directory, update plugins and change passwords. I have copied the CURL output to the Pastebin link, as well as some helpful material by WordPress to move forward and take back your site.

    https://pastebin.com/5pe3WCHF
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
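A scan of the kind Dan describes above (search the site tree for the packer signature and check modification times), written as an added example rather than anything posted in this thread: it walks a WordPress directory, reports each file containing `eval(function(p,a,c,k,e,d)` with the line number and mtime, and flags files changed within the last 30 days. The directory layout and file contents built in `demo()` are constructed for illustration; a hit is a lead to review by hand, since legitimate minified libraries use the same packer.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Signature Dan pointed to: the opening of a Dean Edwards "packer" blob.
# Legitimate minified libraries use the same packer, so a hit is a lead to
# review by hand, not proof of infection.
PACKER_SIGNATURE = "eval(function(p,a,c,k,e,d)"
SUSPECT_EXTENSIONS = (".js", ".php", ".html", ".htm")

def scan_tree(root, recent_days=30):
    """Return (relative path, line no, mtime ISO, modified recently?) per hit."""
    hits = []
    cutoff = time.time() - recent_days * 86400
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUSPECT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if PACKER_SIGNATURE in line:
                            mtime = os.stat(path).st_mtime
                            stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
                            hits.append((os.path.relpath(path, root), lineno,
                                         stamp, mtime >= cutoff))
                            break  # one report per file is enough
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

def demo():
    """Constructed fixture: one file with the signature on line 1, one clean."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    js_dir = os.path.join(root, "wp-content", "plugins", "portfolio-gallery", "js")
    os.makedirs(js_dir)
    with open(os.path.join(js_dir, "portfolio-all.js"), "w") as fh:
        fh.write(PACKER_SIGNATURE + "{/* constructed placeholder, no payload */})\n")
        fh.write("var delayLength = 4000;\n")
    with open(os.path.join(js_dir, "clean.js"), "w") as fh:
        fh.write("jQuery(function(){});\n")
    return scan_tree(root)

if __name__ == "__main__":
    for rel, lineno, stamp, recent in demo():
        print(f"{rel}:{lineno} modified {stamp} recent={recent}")
```

Run it against the real document root instead of the fixture by calling `scan_tree("/path/to/site")`; it needs only read access, not root.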

    Thanks, Dan!
    I’m not very familiar with these security issues.

    Is this code which was implemented by the plugin writer?

    I used the search function of krusader (file manager) to search in the files of my website. The result was negative. However, I’m not sure if the search included file content.
    Unfortunately I can’t run grep as there is no root access to the server.

    Dan

    (@securitydan)

    Hey Hawthorne,

    The code was most likely injected into the webpages by a malicious party. It was not written by the plugin writer. They will usually find a vulnerability in a plugin and compromise hundreds of sites at once. Krusader has a search function that is very similar to grep. If you go to the General tab on KruSearcher at the bottom where it says “Containing text”, you should be able to enter specific text in there and it will perform a content search in the directories you specified. The CURL output that I received was based on rcriche’s website. It’s very possible there could be a different kind of exploit on your site, so you may need to search for a different keyword. I would also recommend downloading a reputable WordPress security plugin like Sucuri Security or Anti-Malware by ELI that can scan your site and flag malicious files.

    Here are some helpful links:

    https://www.krusader.org/documentation/krusearcher.html
    Anti-Malware and Brute-Force Security by ELI
    Sucuri Scanner

    Hope that helps.

    Thread Starter rcriche

    (@rcriche)

    Hi Dan,

    Thank you for your post and suggestions…
    I already had another anti-malware plugin; I uninstalled it and installed Anti-Malware and Brute-Force by Eli.
    This plugin showed me some files with problems, and two of these files, marked “Potential Threats”, are:
    …/portfolio-gallery/admin/portfolios_view.php
    …/portfolio-gallery/elements/jscolor/jscolor.js

    I deleted all files with Backdoor Scripts and Known Threats.

  • The topic ‘Malware Injection’ is closed to new replies.