There seems to be a renewed infection of websites based on WordPress, Joomla and other popular website platforms, with some malicious javascript that has been around for awhile.

The code referred to starts with:

var _0xaae8=["","\x6A\x6F\x69\x6E"...

This is typically found in all .js files, but we’ve also been seeing it in some .php files as well.

In this one particular case, we went on with our root cause analysis and found the culprit.

First, the hackers worked at finding out the name of the admin user. There were a number of these in the logs:

“GET /?author=1 HTTP/1.1”

“GET /?author=2 HTTP/1.1”

“GET /?author=3 HTTP/1.1”

“GET /?author=4 HTTP/1.1”

…and continued on by incrementing the integer after “author=”

Apparently it worked as the customer had changed their username for admin.

Next in the logs we see this:

46.118.155.216 – – [31/Jan/2017:02:26:17 -0700] “POST /wp-login.php HTTP/1.1” 200 3959 “http://(sanitized-domain)/wp-login.php”
46.118.155.216 – – [31/Jan/2017:02:37:16 -0700] “GET /wp-login.php HTTP/1.0” 406 395 “-”
46.118.155.216 – – [31/Jan/2017:02:37:16 -0700] “GET /wp-login.php HTTP/1.0” 406 395 “-”
46.118.155.216 – – [31/Jan/2017:02:37:16 -0700] “POST /wp-login.php HTTP/1.1” 302 1111 “(sanitized-domain)/wp-login.php”
46.118.155.216 – – [31/Jan/2017:02:37:17 -0700] “GET /wp-admin/ HTTP/1.1” 200 60041 “(sanitized-domain)/wp-login.php”

There were only a few attempts at the password before the hackers had correctly used the password for a successful login.

From there they went to the often abused theme-editor:

46.118.155.216 – – [31/Jan/2017:02:37:23 -0700] “GET /wp-admin/theme-editor.php HTTP/1.1” 200 61861 “-”
46.118.155.216 – – [31/Jan/2017:02:37:27 -0700] “GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1” 200 37939 “-”
46.118.155.216 – – [31/Jan/2017:02:37:29 -0700] “POST /wp-admin/theme-editor.php HTTP/1.1” 302 152410 “(sanitized-domain)/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen&scrollto=0&updated=true”
46.118.155.216 – – [31/Jan/2017:02:37:29 -0700] “GET /wp-content/themes/twentyfourteen/404.php HTTP/1.0” 200 330 “-”

And added code that searches for all available .js files and injects malicious redirect code in the .js files. This code can be obfuscated or just plain PHP code. But until you find it and remove it, your websites will be re-infected over and over again.

This is one case. In this instance the hackers were able to find the admin username and guess the password. So, even though the owner took the step of changing the admin username, using an easily guessed password negates that.

The owner used a shared hosting account and had 51 domains on that one account. Hackers only needed one point of entry and they were able to infect all the websites on that cPanel account.

That’s one of the main reasons we don’t charge extra for the additional websites on a shared hosting account. You can’t just service one because you don’t know which one was the original point of entry.

We found proof during our root cause analysis.

We’ve seen this same malicious code but the point of entry for the cyber criminals was different. This just appears to be their “infection du jour”.

Let me know if you have any questions about this.

Thank you!

[fny id=”1″]