We all know WordPress is not so safe, even though it gets many updates every month and has a strong community working very hard to keep this open source blog / CMS platform secure. Recently, another WP vulnerability has been doing the rounds.

var _0xaae8 - remove malicious line of code / malware from Wordpress


A new WordPress virus that injects malicious code into your .js files

Just today, a WordPress installation belonging to one of my friends was attacked by what is called "jQuery malware". This attack infected more than 1500 files with the .js extension, adding a few lines of code that redirect the visitor to a malicious page which downloads malware and other EVIL files. The attacker also installed a .php back-door, using the API, so they could come back at any time.

So if you notice that your WordPress installation is starting to show strange redirects, it is not your browser: the website itself is the problem.

Hosting scan all the files with a possible infection


How to resolve this issue? Scan your files and look for var _0xaae8 or similar

You can ask your hosting provider to scan all the files in your root folder for you, so you can see which files are infected and understand what kind of attack has been made on your website.
Once you have identified the malicious files, check for the lines of code; usually they look like this:

//var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))//

The simplest way to remove all this is, of course, by hand, but if you have too many files I strongly suggest restoring your backup from the day before everything happened, then replacing all the infected files with the healthy ones. To verify that the old files are not infected either, check the date of the last modification made to each of them.

After your backup is restored and running well without the infected files, change all the passwords on all your applications and check the security of each of them; this will help prevent the next attack.

Usually, this kind of attack is made through non-updated plugins, so always remember to update everything on your WordPress website!

The script generating the var _0xaae8 - How to remove the malware


I used the grep command to remove the line of code from every file

I personally used the grep command. You can learn more about it at:

http://www.tutorialspoint.com/unix_commands/grep.htm
http://stackoverflow.com/questions/16956810/how-to-find-all-files-containing-specific-text-on-linux

The command, in this case, searches recursively (-R), ignoring case distinctions (-i), and prints only the names of matching files (-l) for the string btuan18.wrssurgxfw361wudgh, allowing there to be other characters/strings before and after it (this is what the * signs do). As you can see from the output, no files with this string were located. You can replace the string "btuan18.wrssurgxfw361wudgh" with the one you find, or first with the evil line of code "var _0xaae8= etc etc etc", so it will find (and you can then remove) that line of code in every file under public_html.

Of course, this will not stop the line of code from coming back, because you also need to find the .php file with the back-door and remove it. Anyway, here below is the command I executed:

[email protected] [/home/eternal8/public_html]# grep -Rli '*btuan18.wrssurgxfw361wudgh*'

[email protected] [/home/eternal8/public_html]#
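As an added example (not the post's own commands), the POSIX shell script below does the grep search and the clean-up in one place. It assumes a signature string ('var _0xaae8=') and a WordPress tree layout; it lists the .js files containing the injected line, lists recently modified files (the modification-date check the post suggests for deciding whether a backup copy is clean), and strips only the matching line after keeping a .bak copy of each file. Two practical notes: grep already matches substrings, so no wildcards are needed around the string, and inside a regex * means "zero or more of the preceding character" rather than "anything"; passing -F treats the signature literally, so the [ and " characters in the malicious line are not interpreted as pattern syntax.

```shell
#!/bin/sh
# Added example, not code from the original post. The signature is an
# assumption for illustration; replace it with the exact line found on your site.
SIGNATURE='var _0xaae8='

# list_infected DIR: print every .js file under DIR containing the signature.
# -F matches the string literally, -l prints file names only; grep is run
# through find so that only .js files are inspected, as in the post.
list_infected() {
    find "$1" -type f -name '*.js' -exec grep -lF "$SIGNATURE" {} + 2>/dev/null || true
}

# recently_modified DIR DAYS: files changed in the last DAYS days, which is the
# check the post suggests before trusting a backup copy.
recently_modified() {
    find "$1" -type f -mtime "-$2" -print
}

# clean_file FILE: keep a .bak copy, then write back every line except those
# carrying the signature. The .bak is read while FILE is rewritten.
clean_file() {
    cp -p "$1" "$1.bak"
    grep -vF "$SIGNATURE" "$1.bak" > "$1" || true
}

# clean_tree DIR: clean every infected .js file and print each cleaned path.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        clean_file "$f"
        echo "$f"
    done
}

# make_sample DIR: build a constructed test tree (not real malware): one .js
# file with a dummy injected line, one clean .js file and an untouched .css file.
make_sample() {
    mkdir -p "$1/wp-content/themes/demo"
    printf 'function a(){}\n//var _0xaae8=["x"];//\nfunction b(){}\n' > "$1/wp-content/themes/demo/infected.js"
    printf 'function c(){}\n' > "$1/wp-content/themes/demo/clean.js"
    printf 'body{}\n' > "$1/wp-content/themes/demo/style.css"
}

# Usage against a real install (paths are placeholders):
#   list_infected /home/USER/public_html
#   recently_modified /home/USER/public_html 7
#   clean_tree /home/USER/public_html
```

Run list_infected first and review the output before clean_tree, and keep the .bak files until the site has been verified; as the post notes, removing the line without finding the back-door only buys time until the next reinfection.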

Later on I also found the infected files that generate this code around the WordPress files; in my case, these were the names:
file.php / pyfu.php (with a REST API infection) / enjoy (folder) with a .php file inside called mzzw.PHP; inside this file, a simple redirect to an image 2 (inside the image, an evil code)
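To hunt for dropped files like the ones listed above, here is an added example (not part of the original post) in POSIX shell. It assumes a standard WordPress layout and a small set of illustrative patterns: PHP files whose source calls eval() on a decoder or executes request input directly, image files that contain a PHP open tag (the "picture that is really a script" trick described above), and any PHP file under wp-content/uploads, where WordPress itself never writes executable code. The sample tree built by make_sample is constructed and contains no working back-door; the eval() line merely decodes the string "foo".

```shell
#!/bin/sh
# Added example, not code from the original post. Patterns and paths are
# assumptions chosen for illustration; extend them with what your own scan finds.

# suspicious_php DIR: PHP files (either extension case, as the post saw mzzw.PHP)
# showing common back-door traits: eval() fed by a decoder, or a code-execution
# function fed straight from request input.
suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.PHP' \) -exec grep -lE \
        'eval *\( *(base64_decode|gzinflate|str_rot13)|(eval|assert|system|passthru) *\( *\$_(GET|POST|REQUEST|COOKIE)' \
        {} + 2>/dev/null || true
}

# php_in_images DIR: image files that carry a PHP open tag somewhere inside.
php_in_images() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' \) \
        -exec grep -lF '<?php' {} + 2>/dev/null || true
}

# php_in_uploads DIR: any PHP file under the uploads folder, which should hold
# only media; every hit deserves a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.PHP' \) -print 2>/dev/null || true
}

# make_sample DIR: constructed test tree. One legitimate file, one file with a
# harmless eval(base64_decode("Zm9v")) (decodes to "foo", not runnable code),
# one stray PHP file in uploads, and a "GIF" that embeds a PHP tag.
make_sample() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2019" "$1/enjoy"
    printf '<?php echo "hello"; ?>\n' > "$1/wp-includes/ok.php"
    printf '<?php eval(base64_decode("Zm9v")); ?>\n' > "$1/enjoy/dropped.PHP"
    printf '<?php echo 1; ?>\n' > "$1/wp-content/uploads/2019/stray.php"
    printf 'GIF89a<?php echo 1; ?>\n' > "$1/wp-content/uploads/2019/pic.gif"
}

# Usage against a real install (path is a placeholder):
#   suspicious_php /home/USER/public_html
#   php_in_images /home/USER/public_html
#   php_in_uploads /home/USER/public_html
```

Treat the output as a list of files to inspect, not to delete blindly: some legitimate plugins use base64_decode, so compare each hit against a clean copy of the plugin or against the modification dates discussed earlier, and remove the web root's write access for the web server user wherever the install allows it.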

var _0xaae8 What is doing to my Wordpress?


This is a screenshot I took today during my visit to the infected website; as you can see, this malicious line of code tries to redirect the original URL to their link, with the malware to be installed on your computer.
