• Resolved prokops

    (@prokops)


    Hi there!

    My client site had this javascript inserted via plugin WP Code Light:

    https://codeshare.io/9O7MlV

    I ran a thorough Wordfence scan when I had the suspicion that something was going on. Nothing was found, so I conclude that Wordfence does not catch code inserted this way via snippets. The code snippet was set to hide from logged-in users.

    My question is if Wordfence can catch this and under which conditions. If the Wordfence free license is unable to detect this, then I need to find a solution that can.

    Cheers

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @prokops, thanks for bringing this to our attention.

    Sometimes threats or malware can be packaged in a way we haven’t seen before, rather than being ignored due to the way they were included. Snippets of code or harmful URLs etc. in the database can still be seen during scans, so it’s worth having this checked out by our team at samples @ wordfence . com.

    Any other relevant information you can include in the email is helpful, but they should be able to see if anything needs to be changed at our end and advise you from there.

    Many thanks,
    Peter.

    Thread Starter prokops

    (@prokops)

    Hi Peter

    I did some more digging and found out that Wordfence was set to:
    “Exclude files from scan that match these wildcard patterns (one per line): wp-includes/js/*”

    So a bad actor did exclude the js folder from scans and the infected file was placed there.

    My suggestion for your team would be to include on the scan result page or web health summary that:

    “Warning: your Wordfence scan options exclude these paths from scans: url1, url2 etc”


    Plugin Support wfpeter

    (@wfpeter)

    Hi @prokops,

    I apologize, when I saw your reply I did forward your suggestion to the team but thought I’d let you know. All ideas such as this are discussed internally although we can’t update forum topics with progress. Our changelog is the best place to check specific updates in new plugin versions.

    If the excluded file wildcard was added by an attacker, you may need to update the passwords for your hosting control panel, FTP, WordPress admin users, and database no matter how you think they may have gained access.

    Our free site cleaning instructions may also have some useful steps to help prevent a problem going forward, although you may have already dealt with this side of things before contacting us: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Naturally, still reach out to samples if you find anything suspicious that Wordfence didn’t pick up.

    Peter.

  • The topic ‘Nasty javascript obfuscated redirect’ is closed to new replies.
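
The warning suggested in the thread can be produced by auditing the exclusion patterns against the files they hide. The following is an added example, not code from Wordfence or from any poster; the function names, the list of core directories and the matching semantics (`*` matching across `/`) are assumptions, and the sample option text and paths are constructed.

```python
import fnmatch
import os

# Assumption: WordPress core directories that a scan should not skip.
CORE_PREFIXES = ("wp-includes/", "wp-admin/")
EXECUTABLE_EXT = (".js", ".php")


def parse_patterns(option_text):
    """Split the 'one per line' exclusion option into clean patterns."""
    return [line.strip() for line in option_text.splitlines() if line.strip()]


def list_files(wp_root):
    """Relative POSIX-style paths of every file under a WordPress root."""
    found = []
    for base, _dirs, names in os.walk(wp_root):
        for name in names:
            rel = os.path.relpath(os.path.join(base, name), wp_root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def audit_exclusions(patterns, files):
    """Return one warning per pattern that hides core or executable files."""
    warnings = []
    for pattern in patterns:
        # Assumed semantics: '*' matches any characters, including '/'.
        hidden = [f for f in files if fnmatch.fnmatchcase(f, pattern)]
        risky = [f for f in hidden
                 if f.startswith(CORE_PREFIXES) or f.endswith(EXECUTABLE_EXT)]
        if risky:
            warnings.append(
                f"Warning: pattern '{pattern}' excludes {len(hidden)} file(s) "
                f"from scans, including {', '.join(risky[:3])}")
    return warnings


# Constructed sample data, not taken from the affected site.
SAMPLE_OPTION = "wp-includes/js/*\n\nwp-content/cache/*.tmp\n"
SAMPLE_FILES = [
    "wp-includes/js/jquery/jquery.min.js",
    "wp-includes/js/wp-emoji-loader.js",
    "wp-content/cache/page-1.tmp",
    "wp-content/plugins/example/example.php",
]

if __name__ == "__main__":
    for line in audit_exclusions(parse_patterns(SAMPLE_OPTION), SAMPLE_FILES):
        print(line)
```

On a real site, pass the output of `list_files()` for the WordPress root and the exclusion text copied from the scan options page; any warning for a pattern you did not add yourself is worth treating as a sign of tampering.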