In the last two weeks a new hack has made the rounds.  This exploits a weakness in either the hosting or the security of a WordPress blog and adds code to every JavaScript file (.js).  The code can vary a bit but starts like this (with a unique identifier).

/*3395379449f353892757e0b699dd2159*/;window["\x64\x6f"+"\x63\x75"+"\x6d\x65"

and ends like this (with the same unique identifier; the identifier varies per site).

[\"\x31\x32\"]].join(\"\");"));/*3395379449f353892757e0b699dd2159*/

Because it is spread across every .js file it is pretty tricky to get rid of. To date the usual tools (Sucuri) do not detect it, but I am sure they will with the next major update.

What causes this isn't yet known, but most likely it is out-of-date plugins that allow modification of files. Once that foothold exists, the infection seeks out JavaScript files and appends the code to the end of each one.

Cleaning

Cleaning the files is not easy, and in-situ it is almost impossible. If you have access to a Linux-based computer or a MacBook (based on FreeBSD), these instructions can help you clean up your site. You should still update the plugins and the WordPress version to prevent re-infection.

Step 1 – backup

Download all your files, including everything; this helps make sure the eradication is complete. Once downloaded, compress them into a zip file (keep a separate copy to work on; the zip is there in case you need to restore anything).

Step 2 – Clean

The easiest way to clean is to restore an old backup. If you have one, upload it (overwriting the existing files) and move on to hardening (see below).

If you don't have a backup, or the backup was compromised as well, you can try the sed command below (I don't know of a Windows equivalent). FreeBSD (Mac OS) sed works slightly differently from Linux sed; I haven't been able to test the Linux command, but I believe the version below the Mac one should work.

LC_ALL=C find /PATH_TO_YOUR_HACKED_FILES/ -type f -exec sed -i '' -E 's/(\/\*.{32}\*\/\;window\[.*\/\*.{32}\*\/)/ /' {} +

The LC_ALL=C means it will work on Macs with a non-US locale. The expression looks for the opening comment marker (32 characters between /* and */) followed by the ;window[ string, carries on to the closing marker (another 32-character comment), and removes everything in between, markers included.

This could potentially hit something legitimate; however, as the code is being obscured, I wouldn't trust anything you can't read!

Linux users

Other Linux flavours need a slightly different sed command. You can remove the LC_ALL=C, and remove the '' before the -E (it is there because on FreeBSD sed -i expects a backup suffix, and the empty string tells it not to make backup copies, which aren't needed).

find /PATH_TO_YOUR_HACKED_FILES/ -type f -exec sed -i -E 's/(\/\*.{32}\*\/\;window\[.*\/\*.{32}\*\/)/ /' {} +
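As an added example (not the post's own code), a Python cleaner that does the same job as the sed command above but only matches a block whose opening and closing markers carry the same id and, unlike the greedy .* in the sed expression, strips several injections in one file individually; it scans only .js files, reports before it rewrites, and the sample content is constructed.

```python
from __future__ import annotations

import re
from pathlib import Path

# The injected block opens and closes with the same /*<32 hex chars>*/ marker
# and starts with ;window[.  The backreference \1 only matches when both
# markers carry the same id, and the non-greedy .*? stops at the first matching
# closer, so two injections in one file are removed one at a time rather than
# everything between the first opener and the last closer.
INJECTION = re.compile(r"/\*([0-9a-f]{32})\*/;window\[.*?/\*\1\*/", re.DOTALL)

# Constructed sample content (not taken from a real site).
LEGIT_JS = "function greet(name) { return 'Hello, ' + name; }\n"


def injected_block(marker: str) -> str:
    """Build a fake injected block of the shape shown in the post (constructed)."""
    return f'/*{marker}*/;window["\\x64\\x6f"+"\\x63\\x75"].join("");/*{marker}*/'


def sample_file(*markers: str) -> str:
    """A legitimate file with one constructed block appended per marker id."""
    return LEGIT_JS + "".join(injected_block(m) for m in markers)


def find_injections(source: str) -> list[str]:
    """Return the marker id of every injected block found in `source`."""
    return [m.group(1) for m in INJECTION.finditer(source)]


def clean_source(source: str) -> tuple[str, int]:
    """Strip every injected block; return (cleaned text, number removed)."""
    return INJECTION.subn("", source)


def clean_tree(root: Path, dry_run: bool = True) -> dict[str, int]:
    """Scan every .js file under `root`; rewrite infected ones unless dry_run.

    Returns {relative path: blocks removed} for the files that were hit.
    """
    report: dict[str, int] = {}
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, count = clean_source(text)
        if count:
            report[str(path.relative_to(root))] = count
            if not dry_run:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


if __name__ == "__main__":
    import sys
    print(clean_tree(Path(sys.argv[1]), dry_run="--apply" not in sys.argv))
```

Run it first without --apply to see which files would change, then with --apply against the working copy you made in step 1.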

Step 3 – Upload & Hardening

Now upload your files, overwriting everything you have. Your site is (for now) clean. To harden it I recommend the following steps:

  • Update your WordPress
  • Update your themes (a more common vector for attack than most people realise)
  • Update your plugins.

Finally, install some security plugins. These help prevent modifications, and they can also warn you when someone logs into your blog and about other important changes.

I recommend Sucuri Security. It has a free version with pro additions; the free version is good for now, but if your site makes you money I recommend considering the paid version.

The key thing to do, once it is installed, is to go through the setup and enable as many features as you feel safe with, especially directory protection.

My site stopped working after hardening.

Don't panic; it's usually that one of the plugins needed more access and is now locked out. Disable your plugins and then re-enable them one by one. Once you find the one that isn't working, you can put an exception rule in place.

Hopefully this gets your site up and running. It's worth a quick check for any unrecognised directories or files, in case anything else has been compromised.