When a WordPress Plugin Goes Bad



Update March 7: The WordPress Directory team investigated and mitigated this issue by disconnecting the wooranker account from all plugins, reverting malicious changes in the CCTM plugin, and changing the version to WordPress should automatically update to this new clean version.

If your site was compromised during the timeframe while the backdoored version ( was installed, updating to is not enough to clean the site; please check the Mitigation section at the end of this blog post.


Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a “new version” of that plugin.

At the end of the SweetCaptcha saga, we gave this warning:

It’s quite a common scenario when criminals try to hijack or buy developer accounts of legitimate applications, or pay their developers to add some malicious code into their software, so some benign plugin or application may turn bad after an update — the only things that protect you are the author’s reputation and the security screening and approval process in the repository.

This time we’ll tell you of another plugin that turned bad after an update.


Malicious Pastebin Replacement for jQuery

Website hackers are always changing tactics and borrowing ideas from each other. One of the challenges of website security is staying on top of those threats as they evolve. We wrote in the past about fake jQuery scripts and how hackers use Pastebin.com to host malware. This time, we will show you an attack that combines both of these techniques to spread malware using a fake jQuery Pastebin file.

Reversed URL Detected by SiteCheck

A couple of weeks ago SiteCheck began detecting WordPress sites with reversed JavaScript code in /wp-includes/js/jquery/jquery.js and /wp-includes/js/jquery/jquery-migrate.min.js files. As you can see, the URL is written backwards inside the payload.

Infected jQuery detected by SiteCheck

When the code is reversed (e.g. war/moc.nibetsap//:ptth is http://pastebin.com/raw written backwards), it injects external scripts that load code directly from Pastebin. Previously, we saw this trick used on infected Magento sites. There are strong signs that these two attacks are related, but this WordPress infection is interesting on its own, so let’s look closer at these Pastebin links.

jQuery.min.php Malware Affects Thousands of Websites


Fake jQuery injections have been popular among hackers since jQuery itself went mainstream and became one of the most widely adopted JavaScript libraries.

Every now and then we write about such attacks. Almost every week we see new fake jQuery domains and scripts that mimic jQuery. For example, one of the most prevalent malware infections of the last couple of weeks is the attack that injects fake jQuery script into the head section of WordPress and Joomla! sites.


Fake jQuery Scripts in Nulled WordPress Plugins


We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect; rather, it happened due to a script loaded by the web pages.

A quick look through the HTML code revealed this script:

Fake jQuery script injection

It was very suspicious for a few reasons:

The Dangers of Hosted Scripts – Hacked jQuery Timers

Google blacklisted a client’s website claiming that malicious content was being displayed from “forogozoropoto(dot)2waky(dot)com”.

A scan didn’t reveal anything suspicious. The next step was to check all third-party scripts on the website. Soon we found the offending script. It was hxxp://jquery.offput.ca/js/jquery.timers.js – a jQuery Timers plugin that was moderately popular 5-6 years ago.

Right now, the jquery.offput.ca site is hacked. The home page appears to be blank, but it contains a few hidden links, one of which leads to a pharma spam doorway on another hacked site:

Unmask Parasites report for jquery.offput.ca

All JavaScript files on the website contain malicious code.

Sucuri SiteCheck report: infected jquery.js on jquery.offput.ca

The plugin script jquery.timers.js is no exception (note the first line of code):

Infected jquery.timers.js code

The Payload

The malware in the JavaScript files is quite interesting.

First of all, the obfuscated part decodes to:

<script src="hxxp://forogozoropoto(dot)2waky(dot)com/7"></script>

So, we know this is definitely the source of the problem.

Next, you may have noticed this construction:

if(/*@cc_on!@*/false){malicious code}

Most browsers ignore the comment and never execute the malicious code, taking it as:

if(false){malicious code}

Internet Explorer is different. It interprets the comment as a conditional compilation statement and considers everything between /*@cc_on and @*/ as executable JavaScript. In this case, IE will see the injected code as:

if(!false){malicious code}

It will always execute the malicious code, due to the inclusion of the commented “!” character.

This IE-only, conditional compilation hack will prevent the forogozoropoto(dot)2waky(dot)com script from loading in non-IE browsers, even if using an IE User-Agent string. This means that if you are using, say, a Linux sandbox with a browser that pretends to be Internet Explorer, and then monitor the HTTP traffic — you will not see any requests to forogozoropoto(dot)2waky(dot)com.

One more interesting thing here is that hxxp://jquery.offput.ca/js/jquery.timers.js only contains the malicious code if you request it using an IE User-Agent. For any other browser, it returns the unmodified code of the jQuery Timers plugin. This looks like either a server-level infection that patches JavaScript responses on-the-fly for qualifying requests, or the hackers changed the handler for JavaScript files, making them executable by PHP (e.g. using AddHandler and php_value auto_prepend_file in .htaccess).

What Happened to the jQuery Timers Plugin?

After the initial release and a few years of plugin support, the developer lost interest and abandoned the jquery.offput.ca site. The page says the plugin has moved to the official jQuery plugin repository, and all updates will be available there only:

jQuery timers moved

However, the repository URL is redirecting to jQuery.com, and the plugin can’t be found using the search function. I suppose that the plugin has been completely abandoned, living only in local copies on some websites and as the hacked original version on the jquery.offput.ca site.

The Risks of Using Hosted Scripts

This is neither the first abandoned script, nor the last. Thousands of developers create plugins for jQuery. Many develop their own libraries. Some of those libraries become really popular, but there is no guarantee that developers will remain committed to supporting their software forever.

Of course, when you find some cool new script, you might want to do some tests linking directly to the script on the developer’s website — it’s fast, it works on any computer, and you don’t have to worry about serving extra JavaScript files — just focus on your own code. However, what works during the test stage is not always a great idea for a live public site.

Consider these potential situations and outcomes:

  • The plugin site is temporarily down (e.g. maintenance or server problem) — your site is broken.
  • The plugin author updated the .JS file with a buggy or incompatible version of the plugin – your site is broken.
  • The plugin author abandons the site (the domain expires) or moves the plugin to a different domain — your site is broken.
  • The plugin site gets hacked and some malicious code is injected into the plugin file — your site is spreading malware to your visitors.

There are plenty of risks connected to using scripts from third-party websites. As a web developer, you should generally avoid this practice. The only reasonable exception is using JavaScript libraries from trusted CDNs (e.g. Google Hosted Libraries). You can be sure that the CDN will guarantee integrity and availability of the files you need for a reasonably long time. All the rest should be hosted on servers that you control.

Please review your site code. If it still uses the jQuery Timers plugin, make sure to use a local version (you can get a clean version here) and don’t link to the infected jquery.timers.js file on the jquery.offput.ca site.

If you see any other scripts linked directly to third-party websites, you might want to consider serving those scripts directly from your site, or from a trusted CDN. This will prove to be a more reliable and secure solution.

Fake jQuery Website Serving Redirection Malware

This just in, hot off the press: be careful with the jQuery libraries you’re using on your websites.

We received word from @chris_olbekson via Twitter about some hacks being reported on the WordPress forums:
