Removing WordPress malware infecting JS files

A recent WordPress malware campaign targets WordPress websites by injecting a piece of malicious code into every JavaScript file (mostly libraries, especially jQuery). The injected code redirects visitors to advertising affiliate sites.

Example injected code:

I learned about this when a client approached me to clean his hacked website. After searching for this pattern in the files in his WordPress directory, I found that over 600 JavaScript files had been injected with the code above.

I got the above result by running grep in the public_html folder. The following command does a recursive grep for the malicious variable name:

Looking at the above command's result, I found that a file named db.php had been uploaded to one of the plugin folders. A simple GET request to that PHP file would cause the mass injection into all JavaScript files.

Now let's get rid of the bad stuff in all files by using sed in combination with grep, as below:

This will remove the pattern from every file that contains it.
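A more conservative variant of the grep-and-remove cleanup described above, as an added example (not the post's original commands): it lists infected `.js` files, backs each one up, and removes only whole payload lines. The function names, the `.infected.bak` suffix, the marker argument and the assumption that the payload sits on its own line starting with `var MARKER` are mine.

```shell
#!/bin/sh
# Added example, not the post's original commands.
# Usage: sh clean-js.sh /path/to/public_html 'MARKER'
# MARKER is the variable name found in the injected code (placeholder here).

# Print every .js file under DIR ($1) that contains MARKER ($2) as a fixed string.
list_infected() {
    # grep exits 1 for a batch with no match; that is not an error here.
    find "$1" -type f -name '*.js' -exec grep -lF -- "$2" {} + || :
}

# Remove payload lines from infected files, keeping a backup next to each one.
# Assumption: the payload sits on its own line(s) starting with "var MARKER".
# If MARKER shares a line with other code (e.g. appended to a minified
# library), the file is left untouched and reported for manual restore.
clean_infected() {
    list_infected "$1" "$2" | while IFS= read -r f; do
        if awk -v m="$2" 'index($0, m) && index($0, "var " m) != 1 { bad = 1 }
                          END { exit bad + 0 }' "$f"; then
            cp -p "$f" "$f.infected.bak"
            awk -v m="$2" 'index($0, m) == 0' "$f.infected.bak" > "$f"
            echo "cleaned: $f"
        else
            echo "manual:  $f"
        fi
    done
}

if [ "$#" -eq 2 ]; then
    clean_infected "$1" "$2"
fi
```

Files reported as `manual` are best replaced with clean copies from the original WordPress or plugin package. Delete the `.infected.bak` files once the site has been verified, since they still contain the payload.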

 
