Rebots.php JavaScript Malware Being Actively Injected

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has increased its appearances, and has variated the way it’s being included on the infected sites.


When you visit a compromised site, it will attempt to load an additional JavaScript, like one of these:

<script src=""..

<script; src=""..

What’s It Do?

From what we’re seeing now, not much. The domains being included by the script call are either 404 at this point, or loading broken code leading to dead links. For example:

if(navigator.javaEnabled()) {
	document.write(' src=""

The pages on a site you may find it will vary, and so will the files that are actually infected. Here’s a quick SiteCheck screen:


Note: Notice that SiteCheck shows the site outdated. This website was running WordPress 3.2.1 at the time of scan. This seems to be a common theme across the websites we’re seeing affected by Rebots.

Where to Find it

As mentioned, this will variate. Originally we were seeing the script called in theme templates. At first the script would appear above the HTML tags in the rendered source, and we were finding the offending code in header.php and/or index.php within the active WordPress theme.

Over the next few days, those instances were still happening, but we also started seeing the script called from functions.php and even stylesheets within the active theme.

Apparently this got old quick, next we started seeing the script appear in text widgets within WordPress.

Rebot in Widgets

Quick Info

We’re still researching numbers and hopefully it quits growing. So far, we have seeing infections with those URLS: - 98 sites infected with it - 357 sites infected with it - 497 sites infected with it

That’s only the ones that we scanned directly. However, if you go on Google and search for “” or “” you’ll see quite a few more sites being affected.

What Do I do?

First thing do check is that all the software on your server is updated. I’m talking applications, themes, plugins, and so on. If you don’t use it, get rid of it. Cross-Website Contamination happens all too often, so make sure to do some website garage cleaning ASAP.

Next thing to do is go scan your site with Sucuri SiteCheck. Seriously, it takes second, it’s free, and it will let you know if you’ve been struck by Rebots.

If you have been hit and you need a hand clearing it, we can get you cleared and will cover you for the year. Check our the Sucuri service plans today.

Have you seen the Rebots JS Malware? What’s your experience? Have you seen variations, or other domains affected? Feel free to email Sucuri, or leave a comment below.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • Kailey ʇɹǝdɯɐl

    Doesn’t seem related, but on the same site I cleaned up this Rebots hack yesterday I also found some unwanted gzipped files in /wp-content/plugins/ ( ). When downloaded, unzipped and looked at, they produced fake bank sign in pages ( and )

  • n00bs@uc3

    What’s it dropping?!

    • Andres Armeda

      At this point just the JS to those sites. It looks like most of those sites have been disabled. We did test it using various user agents and such to see if we could get anything elsqe out of it, nothing conclusive found.

  • Brett Dalbeth

    I got bit.. I needed an exsuse to build a new website anyways.

  • theGuruWithin

    thank you for these updates. I find this arena fascinating. Do you ever have any career opportunities?

  • sarabjeet singh

    Great post indeed and thanks for all the information, it was very helpful i really like that you are providing information on PHP and MYSQL with basic JAVASCRIPT,being enrolled in i was looking for such information online to assist me on php and mysql and your information helped

  • Pingback: 2012 Web Malware Trends Report Summary | Sucuri Blog()

Share This