Malicious script on site not found – some info about it

Home Forums Support Forum Malicious script on site not found – some info about it

This topic contains 6 replies, has 2 voices, and was last updated by  Anti-Malware Admin 10 years, 1 month ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • December 1, 2015 at 9:27 pm #1318

    Caleb Chamberlain
    Member

    On my site (referenced in my registration profile), there is a malicious script that sometimes puts a big white div tag over the whole page, and then redirects to a site that tells the user their OS has crashed.  It checks the referrer and doesn’t always redirect, but the script is there – I’ve seen it on multiple computers in the page source.

    If you visit any page on the site (freebyu.org), and view the source in dev. tools, you can find the script under:

    <html>

    <body>

    <div id=”container”>

    <div id=”main”>

    <script>
    HERE’S THE HACK!
    </script>

    Any recommendations on  tracking this beasty down?  I’ve tried deactivating each plugin on my site individually, with no effect.  I want to avoid switching themes, but that’s the next step if I can’t find anything else to try.

    Thanks!

    December 1, 2015 at 9:32 pm #1319

    Caleb Chamberlain
    Member

    Oh, and I took the malicious script and reformatted it so that it is legible.  You can check it out as a text file on our website here:

    http://www.freebyu.org/temp/HackScript.txt

    December 1, 2015 at 9:54 pm #1320

    Caleb Chamberlain
    Member

    Sorry for the deluge, but here’s how to see what the exploit does to the site:

    Open a browser and turn on “private browsing” to disable cookies. Then Google search “FreeBYU” and click the any link that goes to freebyu.org. The page will be whited out, with a “checking your browser” message and a Continue button. Do NOT click the continue button…

    December 2, 2015 at 12:00 am #1321

    Anti-Malware Admin
    Moderator

    I have not seen this one before. Check the header.php in your theme editor. If it’s not there try the functions.php.

    I would be very interested to see the infected file if you find it. If you cannot find it I would be willing to look for it myself if you are willing to send me your wp-admin login.

    December 2, 2015 at 12:02 am #1322

    Anti-Malware Admin
    Moderator

    Also, check your footer.php, it looks like that is where the code is showing up.

    December 2, 2015 at 5:24 pm #1327

    Caleb Chamberlain
    Member

    Yep, found it in ‘footer.php’.  I saved the hacked file as footer.txt and put it in http://www.freebyu.org/temp/footer.txt

    You can have a look at it there if you want to see how they juked  you malware detector.  The malicious code is loaded from a different URL, in a chunk of code buried in the middle of a lengthy php comment.

    How in the world could they have gained access to the text of footer.php?  Could they have done that from the admin backend if they had a username?  Or would they have had to hack into the server filesystem itself?

    December 2, 2015 at 7:37 pm #1328

    Anti-Malware Admin
    Moderator

    Thanks for posting your findings, I have added this new variant to my definition updates.

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Comments are closed.