Website Malware – SPAM Injections – HideMe – KickeMe

Every now and then you have to give thanks that attackers have a sense of humor.

For the past few weeks, maybe months, who keeps track of time anyway, we have been seeing this injection and it makes us giggle like school girls every time.

If you look a little harder you’ll usually find it’s accompanied by this JavaScript injection:



The KickeMe injection looks no different:

Again you want to make sure you find this script as well:

And if you use our free scanner SiteCheck you’ll see something like this:

Clean It Up

Here is the good news, it’s nice an easy to remove.

First, the JS injections is usually adjacent to the injection itself so they are usually very easy to detect. As always, if you’re not seeing it in the browser it’s very easy to understand why, just look at the images above and you’ll see they are being set to hidden. Easy way is to use the free scanner I mentioned above, SiteCheck, or use your handy terminal by using curl

Easy example:

# curl -D – -A “Windows” http://yourawesomecupcakesite.com

Second, you want to find the various instances of the infection. Here is the good news, as we have mentioned before, start with the files you know generate content on the browser. Good place to start is with the files in your theme / template files. Good place to start is always your index.php, header.php, home.php, footer.php, and other similar instances. These appear to be the most common instances.

Third, you’ll want to highlight and delete the injection. That’s it. Just be sure not to delete any other information, if you stick to the content in the images above you’ll be fine.

Fourth, you’re going to want to lock things down, you obviously have a vulnerability and it’s likely an access issue.

If you find this specifically on pages then you might want to log into your administrator panel, regardless of platform, and look at your articles, pages, posts, etc.. but look at them in code view (ie., HTML view). We’re seeing a lot of instances where they are being embedded right within the pages themselves and that won’t present itself on the core files.

Ok, hope this helps someone.


If you have any questions or concerns about this post leave us a comment or send us an email at info@sucuri.net. If you really could care less about cleaning this up yourself just sign up with our service and we’ll get you going.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • Koffe

    where is bug? wordpress,hosting, chmod 755?

Share This