During the last week we were attacked twice.
The symptom – our site redirects to advertisements. The tricky part is that after the first redirection the code saves a cookie which doesn’t trigger the redirection for several days.
How to detect such an intrusion?
If loading a page on your site redirects you to an ad then something is wrong, even if it loads fine on the second try.
How to find the infected files?
In my case all the .js files on the server where injected with this code:
After learning some system skills I connected to our server via SSH and used the following command to locate in which files the above code was inserted:
|
1 2 |
grep -rnw . -e '_0xaae8' grep -rl . -e '_0xaae8' (same as above but only shows filenames) |
This returned a long long list which could be fixed by:
1. Uploading a backup of the site (we edit content constantly so this was less favorable)
2. Run a script that removes the injected code
At first I tried running a removal script that was an exact match for all of the injected script, but that wasn’t returning hits. Eventually what worked was running the script with only the beginning of the script followed by “.*”
Here is the removal command:
|
1 |
grep -rl '_0xaae8' . | xargs sed –i 's/var\s_0xaae8.*//g' |
Two more things to remove:
1. After gaining access the malware left two php files that had the code for reinjecting the script again. In my case they were “404.php” and “title.php”
2. I had new posts in my blog advertising products and linking to ad sites
Finding the above was a manual process.
For no. 1 I checked for files with a recent date, indicating they were modified/created lately.
Number 2 is a matter of looking at the latest posts.
Solution
UPDATE WordPress and Drupal to the latest version
Remove the injected code and malicious .php files
Optional – delete “xmlrpc.php” from WordPress/Drupal
Backup your site and database in a clean state
Consider a security service such as Sucuri / CodeGuard
Hi I have a site, with them same malware, but no files with _0xaae8 But Bitdefender still stops the site looking for spam site at 134 .249 .116 .78 /jquery.js, I have look in the database since a fress install of WordPress Does not trigger the malware, but after a database it is back. I have looked after som Base64 decode string but I cant find any. I cant find any resource on the web to help me, do you have further experience searching in a sql dump?
PS the website is my trouble one, try to scan it with Sucuri.
For me the problem (until now at least) was in javascript files and more recently also injections of code to PHP files. Everything was encrypted and I found a helpful tool for decryption at: https://malwaredecoder.com/ (works only for some cases, but helped me find files related to the attack).
Regarding database infections – I would look at recent posts/comments and check the content. WordPress should not allow SQL injections into the database..
If you have additional info I will be happy to try and help.
Im trying to use it, but getting error:
sed: -e expression #1, char 1: unknown command: `▒’
I would assume that’s a syntax related problem – what is the exact command you’re using?
Try to take a look at: https://stackoverflow.com/questions/31781256/replacing-string-in-linux-using-sed-awk-based/31781410
Let me know if this helps and how you managed to proceed.
Good luck
I do the command you mentioned but appear me this message:
sed: -e expression #1, char 1: unknown command: `▒’
I would assume that’s a syntax related problem – what is the exact command you’re using?
Try to take a look at: https://stackoverflow.com/questions/31781256/replacing-string-in-linux-using-sed-awk-based/31781410
Let me know if this helps and how you managed to proceed.
Good luck
For those getting the following error
sed: -e expression #1, char 1: unknown command: `▒’
Copy the removal code in your notepad and replace the hyphens with the one on your keyboard
Its should work after that
nice blog
Basically, (I’m not familiar with commands) I have the same infection. I’ve tried the command from within cpanel replacing _0xaae8 with the one I have, which is sadadsf23, and I get a permission denied on the removal code (not the search code, that works fine).
Any idea how to overcome this? Is this possible from within WHM root for example?
Many thanks!!
Hello Mike,
There could be a number of reasons for your issue. I would explore the following:
1. Permissions issue – you are probably limited to reading files (searching), but not writing/editing files (removal code). This limitation is set by your hosting provider. Contact them with your issue and request them to run the code for you.
2. Syntax/command related issue. see https://stackoverflow.com/questions/31781256/replacing-string-in-linux-using-sed-awk-based/31781410 and try different ways to achieve the same task. Different commands might have different server setup.
Good luck