Wednesday, February 15, 2012

contains content from, a site known to distribute malware. Your computer might catch a virus if you visit this site. WordPress malware entry: MW:JS:69693 [FIXED]

Recently all our WordPress sites have been injected with JS code in wp-content and wp-includes. To fix the issue you have to download all JS files in these directories and search for the code at the end of the JS files. It is a variable with hex-like code:

var _0x80d0=["\x64\x67\x6C\x6C\x68\x67\x75\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6C\x6F\x63\x61\x74\x69\x6F...................

Replace it and you are done. Also change these old passwords just in case ;)

P.S. This is temporary and doesn't clean the infection; after a while it gets infected again.

Working on it.

P.S. Update
So far another infected file, most probably part of the problem, is wp-config, edited with around 1500 empty lines with added REQUEST [3ioi23hri34ri34jrf34jibf] whatever and with 444 permissions. Make sure you erase the code after wp-settings.php; that you haven't edited yourself, and fix the permissions.

Also just downloaded and scanned locally one of my websites; the infected JS files are in these dirs:
  • wp-admin/js
  • plugins 
  • themes
  • wp-includes/js


A couple of hours after fixing the wp-config file and all JS files, the websites so far remain clean, although Google Safe Browsing still shows the red screen.  check shows that finally all of our websites are clean and safe.

Hopefully it will stay that way. Apparently this fix works:

First, fix wp-config: the permissions and the additional code after wp-settings.
Second, remove the var _0x80d0= code (the variable name could be different).
In my case around 200 to 300 files per website had been modified.
Note: for every website the code in the JS files had a different variable name.
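
A scan for both signs described above, run against a downloaded copy of the site. This is an added example, not code from the original post. The function names and the two sample strings are constructed for illustration, and the pattern matches the `_0x<hex>` shape because the variable name differs per site.

```python
import os
import re
import stat

# Appended loader as shown in the post: a hex-escaped string array. The variable
# name differs per site, so match the _0x<hex> shape, not the literal _0x80d0.
INJECT_RE = re.compile(r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2}){4,}')
SETTINGS_RE = re.compile(r"""require_once\s*\(?[^;]*wp-settings\.php['"]\s*\)?\s*;""")

# Constructed samples (placeholders, not the real payload from the incident).
SAMPLE_JS = 'jQuery(function(){});\nvar _0xab12=["\\x64\\x67\\x6C\\x6C","\\x67\\x65"];'
SAMPLE_CONFIG = ("<?php\nrequire_once(ABSPATH . 'wp-settings.php');\n"
                 + "\n" * 1500 + "APPENDED_CODE_PLACEHOLDER();\n")

def js_injection_offset(text):
    """Offset where the appended loader starts in a JS file, or None if clean."""
    m = INJECT_RE.search(text)
    return m.start() if m else None

def config_trailer(text):
    """Non-blank content found after the wp-settings.php require, or None."""
    m = SETTINGS_RE.search(text)
    if not m:
        return None
    return text[m.end():].replace("?>", "").strip() or None

def scan(root):
    """Walk a local copy of a WordPress tree; return sorted (path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith(".js") or name == "wp-config.php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".js"):
                if js_injection_offset(text) is not None:
                    findings.append((path, "js-injection"))
                continue
            if config_trailer(text):
                findings.append((path, "config-trailer"))
            if stat.S_IMODE(os.stat(path).st_mode) == 0o444:
                findings.append((path, "mode-444"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding, path)
```

Legitimately obfuscated scripts can use the same `_0x` array style, so review each hit before editing the file.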


Anonymous said...

thank you so much!!!

Amit said...

What do you mean by fixing the permissions on wp-config?
I have deleted the code and empty lines after (wp-settings.php);
How do you change the permissions on wp-config? Please help

Unknown said...

-> FTP client -> right click -> change permissions to 640.

-> cPanel -> file manager -> right click -> change permissions to 640
