Website Malware – SPAM Injections – HideMe – KickeMe

Every now and then you have to give thanks that attackers have a sense of humor.

For the past few weeks, maybe months, who keeps track of time anyway, we have been seeing this injection and it makes us giggle like school girls every time.

If you look a little harder you’ll usually find it’s accompanied by this JavaScript injection:



The KickeMe injection looks no different:

Again you want to make sure you find this script as well:

And if you use our free scanner SiteCheck you’ll see something like this:

Clean It Up

Here is the good news: it’s nice and easy to remove.

First, the JS injection is usually adjacent to the injection itself, so it is usually very easy to detect. If you’re not seeing it in the browser, the reason is simple: look at the images above and you’ll see the injected content is being set to hidden. The easy way to check is to use the free scanner I mentioned above, SiteCheck, or use your handy terminal with curl.

Easy example:

# curl -D - -A "Windows" http://yourawesomecupcakesite.com

Second, you want to find the various instances of the infection. The good news, as we have mentioned before, is that you can start with the files you know generate content in the browser. A good place to start is your theme / template files: index.php, header.php, home.php, footer.php, and other similar files. These appear to be the most common locations.

Third, you’ll want to highlight and delete the injection. That’s it. Just be sure not to delete any other information; if you stick to the content in the images above you’ll be fine.

Fourth, you’re going to want to lock things down. You obviously have a vulnerability, and it’s likely an access issue.

If you find this specifically on pages then you might want to log into your administrator panel, regardless of platform, and look at your articles, pages, posts, etc., but look at them in code view (i.e., HTML view). We’re seeing a lot of instances where the injection is embedded right within the pages themselves, and in those cases it won’t show up in the core files.
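The check from the first and second steps, as an added example (not code from the original post or from SiteCheck): it flags any element that a script hides by id and that contains links to other hosts, whether the HTML comes from curl output, a theme file or a post body. The id `hideMe`, the spam.example links and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script that hides an element by id: getElementById("x").style.display = "none"
HIDE_JS = re.compile(r"""getElementById\(\s*['"]([^'"]+)['"]\s*\)\s*\.style\."""
                     r"""(?:display|visibility)\s*=\s*['"](?:none|hidden)['"]""", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags that never get closed

class LinkBlocks(HTMLParser):
    """Record, for every element that has an id, the hrefs of links nested in it."""
    def __init__(self):
        super().__init__()
        self.stack, self.links = [], {}  # open (tag, id) pairs; id -> [href, ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            for _, el_id in self.stack:
                if el_id:
                    self.links.setdefault(el_id, []).append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, a.get("id")))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_link_blocks(html, site_host):
    """Return {element id: [external hrefs]} for elements hidden by script."""
    parser = LinkBlocks()
    parser.feed(html)
    parser.close()
    findings = {}
    for el_id in sorted(set(HIDE_JS.findall(html))):
        external = [h for h in parser.links.get(el_id, [])
                    if urlparse(h).hostname not in (None, site_host)]
        if external:
            findings[el_id] = external
    return findings

# Constructed sample page: one legitimate hidden block, one injected block.
SAMPLE = """<html><body>
<div id="modal"><a href="http://yourawesomecupcakesite.com/login">Log in</a></div>
<script>document.getElementById('modal').style.display = 'none';</script>
<div id="hideMe"><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/loans">fast loans</a></div>
<script>document.getElementById("hideMe").style.display="none";</script>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_link_blocks(SAMPLE, "yourawesomecupcakesite.com"))
```

Blocks hidden with an inline style attribute or an external stylesheet are outside what this covers; it only follows the script-based hiding the post describes.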

Ok, hope this helps someone.


If you have any questions or concerns about this post leave us a comment or send us an email at info@sucuri.net. If you really could care less about cleaning this up yourself just sign up with our service and we’ll get you going.

About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.