WordPress SoakSoak Hack: Are You Infected? And How to Remove It.

So yesterday, I was browsing the source code of one of my clients' websites and found something that shouldn't have been there.

Which was the following (screenshot):

javascript-in-head

Crap! That's not good! First off, just looking at the URL I could tell it was a Russian (.ru) domain, which is something most people don't smile about.

soaksoak.ru 404 error

So I started looking in the standard places to locate where this code was inserted. I have worked on many hacked sites, and usually it is not hard to track this stuff down. First I fire up my FTP program and sort by date, then I start searching, examining files, looking for anything suspicious. In most cases this type of bad code is either at the beginning of the PHP file or at the end.

After hours of looking I have found nothing. So I hop over to Google, which returns nothing really on this (at the time). But I did find something interesting: it seems the code could be obfuscated and decoded on the fly by JavaScript, so a plain search for the domain name would never find it. So again I begin my search, but after installing many plugin updates over the past week, it is just taking too long.

So I create a backup with cPanel and download the entire site locally to my machine. I rarely use Dreamweaver for anything useful, but whenever I need to search the contents of files, I have found it can be very fast and reliable. So after unzipping all 6GB of the home directory, I fire up Dreamweaver and start searching. And I am pleasantly surprised to find the little bit of code in a place I would never have looked:

wp-includes/js/swfobject.js

Tucked nicely at the end of the file is the following (screenshot):

encrypted-code

Rather than just removing the code (which is what I usually do), I find a nice source code link at the top of the file. So I headed over, downloaded the original file (from 2009) and uploaded it to my site; of course I backed up the bad one first, just in case.

I go and look at my source code again, and it's still there. Then I remember that a couple of months ago I added AWS CloudFront to all my websites, so I purged the file from the CDN, refreshed, and poof, all good!

I am still not sure (see below) how the file got "infected", but the fact that the file 404'd makes me think it is something not in use yet, or something the "hacker" plans to deploy at some time in the future. If that were to occur, many WordPress sites would be hit simultaneously, causing headaches for many and possibly infecting visitors' computers.

UPDATE: It looks like this hack is directly related to a security hole in the RevSlider plugin. The author of RevSlider patched this earlier this year, but since this is a paid plugin, often bundled inside a theme rather than installed from WordPress.org, many websites were never updated and are still running the vulnerable version.

Removal

Since this is caused directly by the RevSlider plugin, first go to where you got it, either your WordPress theme's author or the plugin author's website, and install an updated version. Cleaning the two files below without closing the hole just means the site gets reinfected.

There are two files that need to be fixed. The easiest and most secure way to fix them is to download a fresh copy of WordPress (the same version your site is running, so the core files match) and upload it, overwriting the entire /wp-includes/ directory.

If you'd rather remove the infection by hand, you'll need to edit two files. The first is:

/wp-includes/template-loader.php

Locate the following lines at the top of the file, delete them and save the file:

function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

The second is:

/wp-includes/js/swfobject.js

Remove the line that starts with the following, and everything after it to the end of the file (the eval call itself is the payload, so it goes too; the genuine SWFObject file does not contain it):

eval(decodeURIComponent

After you have done this, make sure you clear all your caches (caching plugins, CDNs such as CloudFront, etc.); otherwise the old, infected copy of swfobject.js keeps being served, which is exactly what happened to me above.

That’s it.
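The following script is an added example, not code from the original post. It automates the search and the two manual edits described in the Removal section: it checks wp-includes/template-loader.php for the injected FuncQueueObject hook and wp-includes/js/swfobject.js for the eval(decodeURIComponent payload, can write cleaned copies next to the originals, and includes the general form of the "download the original and compare" step (a recursive diff of wp-includes/ against a fresh WordPress download). The function names, the .cleaned suffix and the SOAKSOAK_CLEAN variable are this example's own choices.

```shell
#!/bin/sh
# Added example (not the post author's code): scan a WordPress install for
# the two SoakSoak indicators quoted in the write-up and optionally write
# cleaned copies. Function names and the ".cleaned" suffix are assumptions.

# Indicator strings taken from the post.
SOAKSOAK_PHP_MARK='FuncQueueObject'
SOAKSOAK_JS_MARK='eval(decodeURIComponent'

# soaksoak_check WP_ROOT
# Prints one line per indicator found.
# Exit status: 0 clean, 1 infected, 2 the two files are missing (not a WP root).
soaksoak_check() {
    php_file="$1/wp-includes/template-loader.php"
    js_file="$1/wp-includes/js/swfobject.js"
    [ -f "$php_file" ] && [ -f "$js_file" ] || return 2
    hits=0
    if grep -qF "$SOAKSOAK_PHP_MARK" "$php_file"; then
        printf 'INFECTED: %s references %s\n' "$php_file" "$SOAKSOAK_PHP_MARK"
        hits=$((hits + 1))
    fi
    if grep -qF "$SOAKSOAK_JS_MARK" "$js_file"; then
        printf 'INFECTED: %s contains %s\n' "$js_file" "$SOAKSOAK_JS_MARK"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# soaksoak_clean WP_ROOT
# Writes FILE.cleaned next to each file; the originals are kept for forensics.
# Review the diff, swap the cleaned copies in, then purge every cache and CDN.
soaksoak_clean() {
    php_file="$1/wp-includes/template-loader.php"
    js_file="$1/wp-includes/js/swfobject.js"
    # Drop the injected function (from its "function" line through the first
    # closing brace) and the add_action() call that registers it.
    awk '
        /function FuncQueueObject *\(/ { skip = 1 }
        skip { if (/\}/) skip = 0; next }
        /add_action *\(.*FuncQueueObject/ { next }
        { print }
    ' "$php_file" > "$php_file.cleaned"
    # Truncate swfobject.js just before the payload; the eval() call itself is
    # dropped as well, which is what "remove everything after" is meant to do.
    awk -v mark="$SOAKSOAK_JS_MARK" '
        { i = index($0, mark) }
        i > 0 { if (i > 1) printf "%s\n", substr($0, 1, i - 1); exit }
        { print }
    ' "$js_file" > "$js_file.cleaned"
}

# soaksoak_core_diff CLEAN_WP_ROOT SITE_WP_ROOT
# General form of the "download the original and compare" step: list every
# file under wp-includes/ that differs from a fresh WordPress download of the
# same version. Any file listed is suspect, not just the two above.
soaksoak_core_diff() {
    diff -rq "$1/wp-includes" "$2/wp-includes"
}

# Usage: sh soaksoak.sh /var/www/html                  scan only
#        SOAKSOAK_CLEAN=1 sh soaksoak.sh /var/www/html  scan, then write .cleaned copies
if [ $# -gt 0 ]; then
    soaksoak_check "$1"
    status=$?
    [ "$status" -eq 1 ] && [ -n "${SOAKSOAK_CLEAN:-}" ] && soaksoak_clean "$1"
    exit "$status"
fi
```

Run it against the site's document root before and after cleaning; a non-zero exit from soaksoak_check means the indicators are still present (or, for status 2, that the path is not a WordPress root). The diff helper needs a pristine copy of the same WordPress version unpacked somewhere, which is also what you would use to overwrite wp-includes/ wholesale.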

Prevention: To block this infection from occurring in the future, log into your cPanel File Manager, locate swfobject.js and change its permissions to 444 (shown below). This will prevent it from being modified in the future, but may also cause errors on future WP upgrades (not sure, though). One caveat: file permissions only help if the file is owned by a different user than the one PHP runs as. If the web server user owns the file (the usual shared-hosting setup), code running through the RevSlider hole can simply chmod it back, so this is a speed bump, not a fix; updating RevSlider is the fix.

swfobject.js

Update 3: For even stronger protection, browse to the following folder via the cPanel File Manager:

/wp-includes/js/

Then change the folder permissions to 0555. This stops files from being created, deleted or renamed inside the folder, so when a WordPress update rolls out, change it back to 0755 before you upgrade. Note that a read-only folder does not make the files inside it read-only: existing files such as swfobject.js can still be overwritten unless you also set them to 444 as above.