
I have a site, an online shop.

A few days ago my antivirus began to issue warnings that some of the *.js files are infected.

I looked at these infected files and found that the following code was appended at the end (only part of it is shown):

/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports? ...
...
/*95d84650ccbbad8b650fac933d031bf0*/
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65", ... // and so on
/*95d84650ccbbad8b650fac933d031bf0*/

I checked my system with an antivirus and it found nothing.

clamscan -r --move=/home/USER/VIRUS /

I updated my WordPress and manually removed the code that was appended at the end of the *.js files.

Some time later, this code appeared again.

I tried to delete it, modify it or comment it out. I tried to find the malicious code using grep, but did not find anything...

Nothing helps. Time has passed, and all my *.js files are now "infected". As a result, my site is blocked now...

How can I find the process that appends this -

...
/*95d84650ccbbad8b650fac933d031bf0*/
var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65", ... // and so on
/*95d84650ccbbad8b650fac933d031bf0*/

at the end of each *js file?

  • 1
    You said it's a WordPress website; maybe it's a plugin you installed? – Carlos2W Nov 05 '15 at 17:25
  • 1
    I'm sorry, but if any of those plugins had viruses, deleting them won't change anything, since they already put hidden infected files. Best solution is to remove permissions of any files you don't know you made. – Carlos2W Nov 05 '15 at 17:30
  • 2
    As you can't say which PHP file is infected and responsible for the changes in the JS code, it will be necessary to do a clean setup with a fresh and up-to-date WordPress installation. – t.niese Nov 05 '15 at 17:32
  • 1
    @t.niese that would be long and painful, but it may be the only viable solution. It's a last resort :) +1 – Carlos2W Nov 05 '15 at 17:34
  • 1
    @Carlos2W sure it is long and painful. But most likely someone used a vulnerability in WordPress to infect the installation, and the changed JS might only be one effect; in addition this script might open a backdoor to the server, using it e.g. to send spam or as hosting for illegal downloads. So a clean setup is necessary, or at least a diff check for all PHP/executable files. – t.niese Nov 05 '15 at 17:38
  • 1
    Use one of your clean backups after taking an image to find out how you got compromised – Ed Heal Nov 06 '15 at 19:26

4 Answers

2

Search for infected files using the bash command below:

grep -r ";document\[_" /path/to/www/folder/

If you want to list only file names, add -l:

grep -rl ";document\[_" /path/to/www/folder/

Then change all folder permissions to 755 using the command below:

find /path/to/www/folder/* -type d ! -perm 0755 -print0 | xargs -0 chmod 0755

Note: the command changes a directory's permissions to 755 only where they are not already 755.

Harikrishna
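A scanner for the appended block that the question and the grep-based answer above describe, added here as an example and not part of the original thread. The marker comment and the hex-escaped `_0x...` string array come from the question; the sample file contents, the `window[...]` stand-in statement and the `SUSPECT_RE` fallback pattern are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# The appended block sits between two identical 32-hex-digit marker comments.
MARKER_RE = re.compile(r"/\*([0-9a-f]{32})\*/\s*(.*?)/\*\1\*/\s*", re.S)
# Hex-escaped string literals such as "\x6F\x6E\x6C\x6F\x61\x64" ("onload").
HEX_STR_RE = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')
# Constructed fallback for blocks whose markers were edited away (same idea as grep ';document\[_').
SUSPECT_RE = re.compile(r"var _0x[0-9a-f]+=\[|;document\[_0x")

def decode_hex_strings(block: str) -> list[str]:
    """Turn the \\xNN string literals back into readable names (e.g. DOM property names)."""
    return [bytes.fromhex(s.replace("\\x", "")).decode("latin-1")
            for s in HEX_STR_RE.findall(block)]

def find_injected_blocks(text: str) -> list[str]:
    """Return the payload found between each pair of matching marker comments."""
    return [m.group(2) for m in MARKER_RE.finditer(text)]

def strip_injected(text: str) -> str:
    """Remove every marker-delimited block; what remains is the original file."""
    return MARKER_RE.sub("", text)

def scan_tree(root: Path) -> dict[Path, list[str]]:
    """Map each suspect *.js file under root to the decoded strings in its payload."""
    report = {}
    for path in root.rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if MARKER_RE.search(text) or SUSPECT_RE.search(text):  # marked block or fallback hit
            report[path] = [s for b in find_injected_blocks(text) for s in decode_hex_strings(b)]
    return report

# Constructed sample: a jQuery header followed by the appended block shown in the question.
CLEAN_JS = "/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. */\n!function(a,b){}(window);\n"
INJECTED_JS = CLEAN_JS + (
    "/*95d84650ccbbad8b650fac933d031bf0*/\n"
    'var _0xf19b=["\\x6F\\x6E\\x6C\\x6F\\x61\\x64","\\x67\\x65\\x74\\x44\\x61\\x74\\x65"];'
    "window[_0xf19b[0]]=function(){};\n"  # constructed harmless stand-in for the real payload
    "/*95d84650ccbbad8b650fac933d031bf0*/\n"
)

def demo_scan() -> dict[str, list[str]]:
    """Write both samples into a temp dir and scan it; returns {file name: decoded strings}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jquery.js").write_text(CLEAN_JS, encoding="utf-8")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "app.js").write_text(INJECTED_JS, encoding="utf-8")
        return {p.name: strings for p, strings in scan_tree(root).items()}
```

Run `scan_tree(Path("/path/to/www/folder"))` against a copy of the web root to list hits; `strip_injected` on a hit gives the cleaned contents, which should be diffed against a known-good backup before being written back.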
0

Without inspecting the server, it is difficult to find out the problem.

How about changing the permissions to the files? Can you remove the write permissions?

S V
  • 1
    Just try to see which PHP file you don't "trust". We can't say it for you; we don't have access to your server. – Carlos2W Nov 05 '15 at 17:36
0

The right and permanent solution to this problem:

The .js files are getting infected again after some minutes or at a particular time because the hackers have configured a cron job on your server to do so. So first remove that cron job by accessing the cron job functions of your server. After that there is no need to change the permissions or go through every single file; just install a plugin named Wordfence and scan your site with it (enable the plugin scan also). It will show you all the changes from the original to the current files; then select all the repairable files and restore them to their original state.

The infection will not come back this time. To make sure, scan the site again with Wordfence; the results will be positive.

Thanks.

0

I created a removal script for the specific one that infected my server here.

frazras