JavaScript Obfuscation – How to remove it

Borbotron
(@computacion)

14 years ago

Well, this seems to be spreading very fast and growing to be one of the top threats this week, check it out: http://www.avgthreatlabs.com/webthreats/info/javascript-obfuscation/

AvgThreatLabs.com seems to be the only online scanner to detect it, alongside with Chrome browser and Google’s webmaster tools.

Ok, so here I pasted the malicious code output that you can see while looking at the page source: http://pastebin.com/2XfbytS4 but I still couldn’t find where it’s generated (not in index.php nor header.php, etc. so I’m thinking probably a .js file).

I had more than one infected site, so, I tried upgrading WordPress and the malicious code disappeared from the page, but Chrome and avgthreatlabs still identify the page as infected, I’m still not sure if it’s just that these tools haven’t updated yet or if there’s still an infection.

Any clues, insight or experiences appreciated, so maybe we can find a definitive solution.

Viewing 3 replies - 1 through 3 (of 3 total)

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

14 years ago

but I still couldn’t find where it’s generated

…

Any clues, insight or experiences appreciated, so maybe we can find a definitive solution.

Focusing on the obfuscation is just treating the symptoms and isn’t doing anything for your problem. The problem is that Very Bad People are able to compromise your site.

You need to start working your way through these resources:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
http://ww.wp.xz.cn/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://codex.ww.wp.xz.cn/Hardening_WordPress
http://www.studiopress.com/tips/wordpress-site-security.htm

Thread Starter Borbotron
(@computacion)

14 years ago

Thanks, I know the drill 😉

I’m just trying to save some time, for me and for others having issues with this particular exploit. If we know where the malicious code is originated maybe we can find where did it came from and try to patch the vulnerability.

I’m still investigating but I’m pretty sure it’s a jquery vulnerability, any contributions appreciated, I’ll keep you updated.

Thread Starter Borbotron
(@computacion)

14 years ago

Well, it seems the vulnerability was in timthumb.php and the code was injected in every WordPress install thorough the shared hosting. The malicious code was located inside .php files in the wp-includes folder and sometimes also in the (current) theme folder, so basically you should upgrade or re-install core files, themes and plugins (just in case) before securing your site again, hope it helps if anyone goes through the same.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘JavaScript Obfuscation – How to remove it’ is closed to new replies.

JavaScript Obfuscation – How to remove it

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics