Need HELP! These WP Hackers Just Got More Advanced :|

Discussion in 'BlackHat Lounge' started by jiajilah, Nov 4, 2011.

  1. jiajilah

    jiajilah Junior Member

    They used to make a small box at the footer with javascript loaded.
    I thought I had cleared them because no more suspicious code was found in my WP.

    Recently I noticed the small box coming out again.
    And when you refresh or save it or view the code, it goes missing.
    I'm not sure how it works, randomly or by tracking IP; each only appears once.

    So the second time I met with the small box, I went offline and saved the file.
    The index html file could not be saved but a folder was created. (When you save a page you usually get an html file and a folder.)

    Inside the folder I found an html file which I pasted below:
    Code:
    http://pastebin.com/WQfSdULF
    I'd appreciate it if any of you guys can give me some ideas how to stop this.
    Thanks!
     
  2. MakeLemonade

    MakeLemonade Junior Member

    That's javascript. It can't actually do anything.

    Your WP install probably has a plugin that's insecure or a file that was uploaded somehow. If you can get FTP to work, check file dates; files should NOT have changed since you first installed WordPress. Only plugins and themes may have changed. Even then, a file with a new, different date than the others is a likely suspect.

    Also check into using .htaccess to secure your files/upload directory. Nothing uploaded there should be executable. I was just reviewing some code this morning and found that someone had used a plugin to upload a file. It wouldn't execute though - only graphics are displayed from uploads on my install.
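
The checks suggested in the post above (core files whose date differs from the rest, and scripts sitting in the uploads directory), as an added example that is not part of the original thread. The script extension list, the one-day tolerance and the `make_demo_tree` sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumed list of script types
DAY = 86400

def audit_wp_tree(root, tolerance_days=1):
    """Return (core files with out-of-line dates, scripts under uploads)."""
    core, scripts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith("wp-content/uploads/"):
                # Uploads should hold media only; any script here is suspect.
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    scripts.append(rel)
            elif not rel.startswith("wp-content/"):
                # Core files only; plugins and themes are skipped because
                # they legitimately change after installation.
                core.append((rel, int(os.path.getmtime(full)) // DAY))
    if not core:
        return [], sorted(scripts)
    # The most common modification day is taken as the install/update date.
    baseline = Counter(day for _, day in core).most_common(1)[0][0]
    odd = [rel for rel, day in core if abs(day - baseline) > tolerance_days]
    return sorted(odd), sorted(scripts)

def make_demo_tree(root):
    """Constructed sample tree: one re-dated core file, one script in uploads."""
    installed, later = 1_300_000_000, 1_320_000_000  # constructed timestamps
    files = {
        "index.php": installed,
        "wp-load.php": installed,
        "wp-includes/version.php": installed,
        "wp-includes/footer-box.php": later,          # hypothetical dropped file
        "wp-content/themes/demo/footer.php": later,   # themes may change
        "wp-content/uploads/2011/11/logo.png": later,
        "wp-content/uploads/2011/11/img.php": later,  # script where only media belongs
    }
    for rel, mtime in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp)
        print(audit_wp_tree(tmp))
```

Modification times can be reset by whoever wrote the file, so a clean result here does not rule out a change; comparing file hashes against a fresh copy of the same WordPress release is the stronger check.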
     
  3. jiajilah

    jiajilah Junior Member

    I disagree that "it can't do anything".

    As far as I know, this code installs malicious links on your website, usually links to .ru websites.
    Also when the code is triggered, an insecure javascript plugin will pop up requesting permission. (Chrome and Firefox browsers)
    In this case it will make visitors think they are visiting an insecure website, thus affecting the website traffic.

    I have a file monitor plugin installed and a few other security plugins.
    The problem is it seems like the code only appears randomly or based on a certain algo.
    Even when I check with a Sucuri scan, the website looks "clean".
    In fact, if I just refresh the website, the "script" will go missing.
     
  4. Black.Star

    Black.Star Junior Member

    Grab a paper and search for it manually...